+7 August 2007: Wouter
+ - security status type.
+
6 August 2007: Wouter
- key cache for validator.
- moved isroot and dellabel to own dname routines, with unit test.
/** constructor for replyinfo */
static struct reply_info*
construct_reply_info_base(struct region* region, uint16_t flags, size_t qd,
- uint32_t ttl, size_t an, size_t ns, size_t ar, size_t total)
+ uint32_t ttl, size_t an, size_t ns, size_t ar, size_t total,
+ enum sec_status sec)
{
struct reply_info* rep;
/* rrset_count-1 because the first ref is part of the struct. */
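Review bot: The doc comment on `construct_reply_info_base` still reads `/** constructor for replyinfo */` and says nothing about the new `sec` parameter that this hunk adds to the signature. The function is static, so this comment is its only description; extend it, e.g. `/** constructor for replyinfo; sec is the sec_status recorded in the new reply's security field */`. The function body continues past the end of the hunk.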
rep->ns_numrrsets = ns;
rep->ar_numrrsets = ar;
rep->rrset_count = total;
+ rep->security = sec;
/* array starts after the refs */
if(region)
rep->rrsets = (struct ub_packed_rrset_key**)&(rep->ref[0]);
{
*rep = construct_reply_info_base(region, msg->flags, msg->qdcount, 0,
msg->an_rrsets, msg->ns_rrsets, msg->ar_rrsets,
- msg->rrset_count);
+ msg->rrset_count, sec_status_unchecked);
if(!*rep)
return 0;
return 1;
data->count = pset->rr_count;
data->rrsig_count = pset->rrsig_count;
data->trust = rrset_trust_none;
+ data->security = sec_status_unchecked;
/* layout: struct - rr_len - rr_data - rr_ttl - rdata - rrsig */
data->rr_len = (size_t*)((uint8_t*)data +
sizeof(struct packed_rrset_data));
struct packed_rrset_data* data;
log_assert(rep);
rep->ttl = MAX_TTL;
+ rep->security = sec_status_unchecked;
if(rep->rrset_count == 0)
rep->ttl = NORR_TTL;
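Review bot: `rep->security = sec_status_unchecked;` is written to a reply that, if it is the one built by the `construct_reply_info_base(..., sec_status_unchecked)` call in the earlier hunk, already holds that value, so this is a second initialisation of the same field. That is harmless today, but two places setting the initial status can drift when one of them is changed later; either drop this line or mark it as the deliberate one, e.g. `/* freshly parsed: validation has not run on this reply yet */`. The enclosing function starts outside the hunk, so I cannot confirm from the diff which reply reaches it.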
struct reply_info* cp;
cp = construct_reply_info_base(region, rep->flags, rep->qdcount,
rep->ttl, rep->an_numrrsets, rep->ns_numrrsets,
- rep->ar_numrrsets, rep->rrset_count);
+ rep->ar_numrrsets, rep->rrset_count, rep->security);
if(!cp)
return NULL;
/* allocate ub_key structures special or not */
*/
uint32_t ttl;
+ /**
+ * The security status from DNSSEC validation of this message.
+ */
+ enum sec_status security;
+
/**
* Number of RRsets in each section.
* The answer section. Add up the RRs in every RRset to calculate
for(i=0; i<total; i++)
data->rr_ttl[i] += add;
}
+
+const char*
+rrset_trust_to_string(enum rrset_trust s)
+{
+ switch(s) {
+ case rrset_trust_none: return "rrset_trust_none";
+ case rrset_trust_add_noAA: return "rrset_trust_add_noAA";
+ case rrset_trust_auth_noAA: return "rrset_trust_auth_noAA";
+ case rrset_trust_add_AA: return "rrset_trust_add_AA";
+ case rrset_trust_nonauth_ans_AA:return "rrset_trust_nonauth_ans_AA";
+ case rrset_trust_ans_noAA: return "rrset_trust_ans_noAA";
+ case rrset_trust_glue: return "rrset_trust_glue";
+ case rrset_trust_auth_AA: return "rrset_trust_auth_AA";
+ case rrset_trust_ans_AA: return "rrset_trust_ans_AA";
+ case rrset_trust_sec_noglue: return "rrset_trust_sec_noglue";
+ case rrset_trust_prim_noglue: return "rrset_trust_prim_noglue";
+ case rrset_trust_validated: return "rrset_trust_validated";
+ case rrset_trust_ultimate: return "rrset_trust_ultimate";
+ }
+ return "unknown_rrset_trust_value";
+}
+
+const char*
+sec_status_to_string(enum sec_status s)
+{
+ switch(s) {
+ case sec_status_unchecked: return "sec_status_unchecked";
+ case sec_status_bogus: return "sec_status_bogus";
+ case sec_status_indeterminate: return "sec_status_indeterminate";
+ case sec_status_insecure: return "sec_status_insecure";
+ case sec_status_secure: return "sec_status_secure";
+ }
+ return "unknown_sec_status_value";
+}
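Review bot: Both new switch statements deliberately omit `default:` and fall out to the `unknown_*` return, which is the right shape: the compiler's enum-coverage warning (`-Wswitch`) flags any value later added to `enum rrset_trust` or `enum sec_status`, while an out-of-range integer still gets a printable name instead of an unchecked read. That intent is not stated, so a later reader may "fix" it by adding a default; a one-line comment above each switch, `/* no default: keep -Wswitch coverage for new enum values */`, preserves it. Also `case rrset_trust_nonauth_ans_AA:return` lacks the space after the colon that every other case in the switch has.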
rrset_trust_ultimate
};
+/**
+ * Security status from validation for data.
+ */
+enum sec_status {
+ /** UNCHECKED means that object has yet to be validated. */
+ sec_status_unchecked = 0,
+ /** BOGUS means that the object (RRset or message) failed to validate
+ * (according to local policy), but should have validated. */
+ sec_status_bogus,
+ /** INDETERMINATE means that the object is insecure, but not
+ * authoritatively so. Generally this means that the RRset is not
+ * below a configured trust anchor. */
+ sec_status_indeterminate,
+ /** INSECURE means that the object is authoritatively known to be
+ * insecure. Generally this means that this RRset is below a trust
+ * anchor, but also below a verified, insecure delegation. */
+ sec_status_insecure,
+ /** SECURE means that the object (RRset or message) validated
+ * according to local policy. */
+ sec_status_secure
+};
+
/**
* RRset data.
*
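Review bot: `sec_status_unchecked = 0` is the only explicitly valued member of the new enum, and that choice matters for safety: zero-filled storage (calloc, memset, a zeroed struct) reads as unchecked, never as secure, so a security field nobody set fails toward re-validation rather than being trusted. The comment on that member does not say this is intentional, so a future reorder could silently change it; suggest `/** UNCHECKED means that object has yet to be validated. Kept at 0 so zero-initialised data reads as unchecked, not secure. */`.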
size_t rrsig_count;
/** the trustworthiness of the rrset data */
enum rrset_trust trust;
+ /** security status of the rrset data */
+ enum sec_status security;
/** length of every rr's rdata, rr_len[i] is size of rr_data[i]. */
size_t* rr_len;
/** ttl of every rr. rr_ttl[i] ttl of rr i. */
void get_cname_target(struct ub_packed_rrset_key* rrset, uint8_t** dname,
size_t* dname_len);
+/**
+ * Get a printable string for a rrset trust value
+ * @param s: rrset trust value
+ * @return printable string.
+ */
+const char* rrset_trust_to_string(enum rrset_trust s);
+
+/**
+ * Get a printable string for a security status value
+ * @param s: security status
+ * @return printable string.
+ */
+const char* sec_status_to_string(enum sec_status s);
+
#endif /* UTIL_DATA_PACKED_RRSET_H */