/usr/include/dns/validator.h is in libbind-dev 1:9.11.3+dfsg-1ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 | /*
* Copyright (C) 2000-2010, 2013, 2014, 2016 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/* $Id: validator.h,v 1.46 2010/02/25 05:08:01 tbox Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
/*****
***** Module Info
*****/
/*! \file dns/validator.h
*
* \brief
* DNS Validator
* This is the BIND 9 validator, the module responsible for validating the
* rdatasets and negative responses (messages). It makes use of zones in
* the view and may fetch RRset to complete trust chains. It implements
* DNSSEC as specified in RFC 4033, 4034 and 4035.
*
* It can also optionally implement ISC's DNSSEC look-aside validation.
*
* Correct operation is critical to preventing spoofed answers from secure
* zones being accepted.
*
* MP:
*\li The module ensures appropriate synchronization of data structures it
* creates and manipulates.
*
* Reliability:
*\li No anticipated impact.
*
* Resources:
*\li TBS
*
* Security:
*\li No anticipated impact.
*
* Standards:
*\li RFCs: 1034, 1035, 2181, 4033, 4034, 4035.
*/
#include <isc/lang.h>
#include <isc/event.h>
#include <isc/mutex.h>
#include <dns/fixedname.h>
#include <dns/types.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h> /* for dns_rdata_rrsig_t */
#include <dst/dst.h>
/*%
* A dns_validatorevent_t is sent when a 'validation' completes.
* \brief
* 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
* supplied when dns_validator_create() was called. They are returned to the
* caller so that they may be freed.
*
* If the RESULT is ISC_R_SUCCESS and the answer is secure then
* proofs[] will contain the names of the NSEC records that hold the
* various proofs. Note the same name may appear multiple times.
*/
typedef struct dns_validatorevent {
ISC_EVENT_COMMON(struct dns_validatorevent);
dns_validator_t * validator;
isc_result_t result;
/*
* Name and type of the response to be validated.
*/
dns_name_t * name;
dns_rdatatype_t type;
/*
* Rdata and RRSIG (if any) for positive responses.
*/
dns_rdataset_t * rdataset;
dns_rdataset_t * sigrdataset;
/*
* The full response. Required for negative responses.
* Also required for positive wildcard responses.
*/
dns_message_t * message;
/*
* Proofs to be cached.
*/
dns_name_t * proofs[4];
/*
* Optout proof seen.
*/
isc_boolean_t optout;
/*
* Answer is secure.
*/
isc_boolean_t secure;
} dns_validatorevent_t;
#define DNS_VALIDATOR_NOQNAMEPROOF 0
#define DNS_VALIDATOR_NODATAPROOF 1
#define DNS_VALIDATOR_NOWILDCARDPROOF 2
#define DNS_VALIDATOR_CLOSESTENCLOSER 3
/*%
* A validator object represents a validation in progress.
* \brief
* Clients are strongly discouraged from using this type directly, with
* the exception of the 'link' field, which may be used directly for
* whatever purpose the client desires.
*/
struct dns_validator {
/* Unlocked. */
unsigned int magic;
isc_mutex_t lock;
dns_view_t * view;
/* Locked by lock. */
unsigned int options;
unsigned int attributes;
dns_validatorevent_t * event;
dns_fetch_t * fetch;
dns_validator_t * subvalidator;
dns_validator_t * parent;
dns_keytable_t * keytable;
dns_keynode_t * keynode;
dst_key_t * key;
dns_rdata_rrsig_t * siginfo;
isc_task_t * task;
isc_taskaction_t action;
void * arg;
unsigned int labels;
dns_rdataset_t * currentset;
isc_boolean_t seensig;
dns_rdataset_t * keyset;
dns_rdataset_t * dsset;
dns_rdataset_t * soaset;
dns_rdataset_t * nsecset;
dns_rdataset_t * nsec3set;
dns_name_t * soaname;
dns_rdataset_t frdataset;
dns_rdataset_t fsigrdataset;
dns_fixedname_t fname;
dns_fixedname_t wild;
dns_fixedname_t nearest;
dns_fixedname_t closest;
ISC_LINK(dns_validator_t) link;
dns_rdataset_t dlv;
dns_fixedname_t dlvsep;
isc_boolean_t havedlvsep;
isc_boolean_t mustbesecure;
unsigned int dlvlabels;
unsigned int depth;
unsigned int authcount;
unsigned int authfail;
isc_stdtime_t start;
};
/*%
* dns_validator_create() options.
*/
#define DNS_VALIDATOR_DLV 0x0001U
#define DNS_VALIDATOR_DEFER 0x0002U
#define DNS_VALIDATOR_NOCDFLAG 0x0004U
#define DNS_VALIDATOR_NONTA 0x0008U /*% Ignore NTA table */
ISC_LANG_BEGINDECLS
isc_result_t
dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
dns_message_t *message, unsigned int options,
isc_task_t *task, isc_taskaction_t action, void *arg,
dns_validator_t **validatorp);
/*%<
* Start a DNSSEC validation.
*
* This validates a response to the question given by
* 'name' and 'type'.
*
* To validate a positive response, the response data is
* given by 'rdataset' and 'sigrdataset'. If 'sigrdataset'
* is NULL, the data is presumed insecure and an attempt
* is made to prove its insecurity by finding the appropriate
* null key.
*
* The complete response message may be given in 'message',
* to make available any authority section NSECs that may be
* needed for validation of a response resulting from a
* wildcard expansion (though no such wildcard validation
* is implemented yet). If the complete response message
* is not available, 'message' is NULL.
*
* To validate a negative response, the complete negative response
* message is given in 'message'. The 'rdataset', and
* 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
* arguments must be provided.
*
* The validation is performed in the context of 'view'.
*
* When the validation finishes, a dns_validatorevent_t with
* the given 'action' and 'arg' are sent to 'task'.
* Its 'result' field will be ISC_R_SUCCESS iff the
* response was successfully proven to be either secure or
* part of a known insecure domain.
*
* options:
* If DNS_VALIDATOR_DLV is set the caller knows there is not a
* trusted key and the validator should immediately attempt to validate
* the answer by looking for an appropriate DLV RRset.
*/
void
dns_validator_send(dns_validator_t *validator);
/*%<
* Send a deferred validation request
*
* Requires:
* 'validator' to points to a valid DNSSEC validator.
*/
void
dns_validator_cancel(dns_validator_t *validator);
/*%<
* Cancel a DNSSEC validation in progress.
*
* Requires:
*\li 'validator' points to a valid DNSSEC validator, which
* may or may not already have completed.
*
* Ensures:
*\li It the validator has not already sent its completion
* event, it will send it with result code ISC_R_CANCELED.
*/
void
dns_validator_destroy(dns_validator_t **validatorp);
/*%<
* Destroy a DNSSEC validator.
*
* Requires:
*\li '*validatorp' points to a valid DNSSEC validator.
* \li The validator must have completed and sent its completion
* event.
*
* Ensures:
*\li All resources used by the validator are freed.
*/
ISC_LANG_ENDDECLS
#endif /* DNS_VALIDATOR_H */
|