int kr_ta_add(trie_t *, const knot_dname_t *, uint16_t, uint32_t, const uint8_t *, uint16_t);
int kr_ta_del(trie_t *, const knot_dname_t *);
void kr_ta_clear(trie_t *);
-_Bool kr_dnssec_key_ksk(const uint8_t *);
+_Bool kr_dnssec_key_sep_flag(const uint8_t *);
_Bool kr_dnssec_key_revoked(const uint8_t *);
int kr_dnssec_key_tag(uint16_t, const uint8_t *, size_t);
int kr_dnssec_key_match(const uint8_t *, size_t, const uint8_t *, size_t);
int kr_ta_add(trie_t *, const knot_dname_t *, uint16_t, uint32_t, const uint8_t *, uint16_t);
int kr_ta_del(trie_t *, const knot_dname_t *);
void kr_ta_clear(trie_t *);
-_Bool kr_dnssec_key_ksk(const uint8_t *);
+_Bool kr_dnssec_key_sep_flag(const uint8_t *);
_Bool kr_dnssec_key_revoked(const uint8_t *);
int kr_dnssec_key_tag(uint16_t, const uint8_t *, size_t);
int kr_dnssec_key_match(const uint8_t *, size_t, const uint8_t *, size_t);
int kr_ta_add(trie_t *, const knot_dname_t *, uint16_t, uint32_t, const uint8_t *, uint16_t);
int kr_ta_del(trie_t *, const knot_dname_t *);
void kr_ta_clear(trie_t *);
-_Bool kr_dnssec_key_ksk(const uint8_t *);
+_Bool kr_dnssec_key_sep_flag(const uint8_t *);
_Bool kr_dnssec_key_revoked(const uint8_t *);
int kr_dnssec_key_tag(uint16_t, const uint8_t *, size_t);
int kr_dnssec_key_match(const uint8_t *, size_t, const uint8_t *, size_t);
kr_ta_del
kr_ta_clear
# DNSSEC
- kr_dnssec_key_ksk
+ kr_dnssec_key_sep_flag
kr_dnssec_key_revoked
kr_dnssec_key_tag
kr_dnssec_key_match
array_reserve(ctx->keys, dnskey->rrs.count);
knot_rdata_t *krr = dnskey->rrs.rdata;
for (int i = 0; i < dnskey->rrs.count; ++i, krr = knot_rdataset_next(krr)) {
- if (!kr_dnssec_key_zsk(krr->data) || kr_dnssec_key_revoked(krr->data))
+ if (!kr_dnssec_key_usable(krr->data))
continue; // key not usable for this
kr_svldr_key_t key;
if (unlikely(svldr_key_new(krr, NULL/*seems OK here*/, &key) != 0))
return false;
}
+// Now we instantiate these two as non-inline externally linkable code here (for lua).
+KR_EXPORT extern inline KR_PURE
+bool kr_dnssec_key_sep_flag(const uint8_t *dnskey_rdata);
+KR_EXPORT extern inline KR_PURE
+bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata);
+
int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *sigs,
const knot_rrset_t *ta)
{
*/
knot_rdata_t *krr = keys->rrs.rdata;
for (int i = 0; i < keys->rrs.count; ++i, krr = knot_rdataset_next(krr)) {
- /* RFC4035 5.3.1, bullet 8 */ /* ZSK */
- if (!kr_dnssec_key_zsk(krr->data) || kr_dnssec_key_revoked(krr->data))
+ /* RFC4035 5.3.1, bullet 8 requires the Zone Flag bit */
+ if (!kr_dnssec_key_usable(krr->data))
continue;
kr_svldr_key_t key;
return vctx->result;
}
-bool kr_dnssec_key_zsk(const uint8_t *dnskey_rdata)
-{
- return knot_wire_read_u16(dnskey_rdata) & 0x0100;
-}
-
-bool kr_dnssec_key_ksk(const uint8_t *dnskey_rdata)
-{
- return knot_wire_read_u16(dnskey_rdata) & 0x0001;
-}
-
-/** Return true if the DNSKEY is revoked. */
-bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata)
-{
- return knot_wire_read_u16(dnskey_rdata) & 0x0080;
-}
-
int kr_dnssec_key_tag(uint16_t rrtype, const uint8_t *rdata, size_t rdlen)
{
if (!rdata || rdlen == 0 || (rrtype != KNOT_RRTYPE_DS && rrtype != KNOT_RRTYPE_DNSKEY)) {
int kr_dnskeys_trusted(kr_rrset_validation_ctx_t *vctx, const knot_rdataset_t *sigs,
const knot_rrset_t *ta);
-/** Return true if the DNSKEY can be used as a ZSK. */
-KR_EXPORT KR_PURE
-bool kr_dnssec_key_zsk(const uint8_t *dnskey_rdata);
+// flags: https://www.iana.org/assignments/dnskey-flags/dnskey-flags.xhtml
+// https://datatracker.ietf.org/doc/html/rfc4034#section-2.1
-/** Return true if the DNSKEY indicates being KSK (=> has SEP). */
-KR_EXPORT KR_PURE
-bool kr_dnssec_key_ksk(const uint8_t *dnskey_rdata);
+/** Return true if the DNSKEY has the SEP flag (normally ignored). */
+KR_EXPORT inline KR_PURE
+bool kr_dnssec_key_sep_flag(const uint8_t *dnskey_rdata)
+{
+ return dnskey_rdata[1] & 0x01;
+}
/** Return true if the DNSKEY is revoked. */
-KR_EXPORT KR_PURE
-bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata);
+KR_EXPORT inline KR_PURE
+bool kr_dnssec_key_revoked(const uint8_t *dnskey_rdata)
+{
+ return dnskey_rdata[1] & 0x80;
+}
+
+/** Return true if the DNSKEY could be used to validate zone records. */
+static inline KR_PURE
+bool kr_dnssec_key_usable(const uint8_t *dnskey_rdata)
+{
+ return (dnskey_rdata[0] & 0x01) && !kr_dnssec_key_revoked(dnskey_rdata);
+}
/** Return DNSKEY tag.
* @param rrtype RR type (either DS or DNSKEY are supported)
/* Accept only keys with Zone and SEP flags that aren't revoked,
* as a precaution. RFC 5011 also utilizes these flags.
* TODO: kr_dnssec_key_* names are confusing. */
- const bool flags_ok = kr_dnssec_key_zsk(rdata) && !kr_dnssec_key_revoked(rdata);
- if (!flags_ok) {
+ if (!kr_dnssec_key_usable(rdata)) {
auto_free char *owner_str = kr_dname_text(owner);
kr_log_error(TA, "refusing to trust %s DNSKEY because of flags %d\n",
owner_str, dnssec_key_get_flags(key));
ret = kr_error(EILSEQ);
goto cleanup;
- } else if (!kr_dnssec_key_ksk(rdata)) {
+ } else if (!kr_dnssec_key_sep_flag(rdata)) {
auto_free char *owner_str = kr_dname_text(owner);
int flags = dnssec_key_get_flags(key);
kr_log_warning(TA, "warning: %s DNSKEY is missing the SEP bit; "
-- Evaluate TA status of a RR according to RFC5011. The time is in seconds.
local function ta_present(keyset, rr, hold_down_time)
- if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_ksk(rr.rdata) then
+ if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_sep_flag(rr.rdata) then
return false -- Ignore
end
-- Attempt to extract key_tag
local ta = ta_find(keyset, rr)
table.insert(process_keys, ta)
- if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_ksk(rr.rdata) then
+ if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_sep_flag(rr.rdata) then
goto continue -- Ignore
end
projects / thirdparty / knot-resolver.git / commitdiff
