1 /*	$NetBSD: nsec3_50.h,v 1.8 2025/01/26 16:25:32 christos Exp $	*/
2 
3 /*
4  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5  *
6  * SPDX-License-Identifier: MPL-2.0
7  *
8  * This Source Code Form is subject to the terms of the Mozilla Public
9  * License, v. 2.0. If a copy of the MPL was not distributed with this
10  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11  *
12  * See the COPYRIGHT file distributed with this work for additional
13  * information regarding copyright ownership.
14  */
15 
16 #pragma once
17 
18 /*!
 * \brief NSEC3 RDATA (type 50), per RFC 5155 */
20 
21 #include <isc/iterated_hash.h>
22 
/*%
 * Struct form of the NSEC3 RDATA (RFC 5155).
 *
 * The three variable-length members (salt, next, typebits) are raw
 * binary data, not C strings: a consumer must bound every read by the
 * matching length member (salt_length, next_length, len) and never
 * rely on a terminator.
 */
typedef struct dns_rdata_nsec3 {
	dns_rdatacommon_t common; /*%< Common rdata header shared by all
				   *   dns_rdata_*_t structs. */
	isc_mem_t *mctx;	  /*%< Memory context; presumably owns the
				   *   salt/next/typebits buffers -- confirm
				   *   against this type's freestruct. */
	dns_hash_t hash;	  /*%< Hash algorithm identifier. */
	unsigned char flags;	  /*%< 8-bit flags field.  Bit 0x01 is
				   *   DNS_NSEC3FLAG_OPTOUT (RFC 5155); the
				   *   other DNS_NSEC3FLAG_* bits defined in
				   *   this header are BIND-private and are
				   *   only meaningful in the private-type
				   *   record, never on the wire. */
	dns_iterations_t iterations; /*%< Hash iteration count (type from
				      *   isc/iterated_hash.h). */
	unsigned char salt_length; /*%< Length of salt in bytes; one octet,
				    *   as in the wire format. */
	unsigned char next_length; /*%< Length of next in bytes; one octet,
				    *   as in the wire format. */
	uint16_t len;		   /*%< Presumably the length of typebits in
				    *   bytes -- TODO confirm against the
				    *   tostruct/fromstruct code. */
	unsigned char *salt;	   /*%< Salt, salt_length bytes. */
	unsigned char *next;	   /*%< Next hashed owner name, next_length
				    *   bytes (binary, not base32). */
	unsigned char *typebits;   /*%< Type bit maps, len bytes. */
} dns_rdata_nsec3_t;
36 
/*%
 * Bit 0 of the flags octet (RFC 5155 Opt-Out).
 *
 * When set, the NSEC3 interval that covers a name may span insecure
 * (unsigned) delegations, so the absence of a matching NSEC3 record
 * does not by itself prove that a delegation does not exist.
 */
#define DNS_NSEC3FLAG_OPTOUT (1U << 0)

/*%
 * The remaining DNS_NSEC3FLAG_* values are NOT part of RFC 5155.  They
 * live in the private-type record (see lib/dns/private.c), which holds
 * NSEC3PARAM data while it is not yet legal for a real NSEC3PARAM record
 * to appear in the zone.  The private-type record stores them in the same
 * flags octet as the OPTOUT bit above, which is why they are defined here
 * and why they occupy the high bits, leaving bit 0 for OPTOUT.
 *
 * None of these bits should ever reach the wire.  If an NSEC3PARAM record
 * carrying one of them is published anyway, an RFC 5155 compliant
 * nameserver will ignore that record.
 *
 * XXX: sharing one flags field between the wire-defined and the private
 * bits is a candidate for refactoring.
 */

/*%
 * Private type only: build the NSEC3 chain described by this record.
 *
 * Set automatically when an NSEC3PARAM record is added to the zone via
 * UPDATE.  Cleared once the chain is complete, so the absence of this
 * bit on an otherwise-active record means "a full chain exists".
 */
#define DNS_NSEC3FLAG_CREATE (1U << 7)

/*%
 * Private type only: delete the corresponding NSEC3 set once the NSEC
 * chain has been generated.
 *
 * Set automatically when the last active NSEC3PARAM record is removed
 * from the zone via UPDATE.
 */
#define DNS_NSEC3FLAG_REMOVE (1U << 6)

/*%
 * Private type only: defer chain creation.
 *
 * Together with CREATE, this asks for the NSEC3 chain to be built only
 * once the zone can actually support one, i.e. once its DNSKEY RRset
 * contains at least one NSEC3-capable algorithm.  Without INITIAL the
 * creation would be attempted at once, fail, and the private-type
 * record would be discarded; with it the parameters are retained until
 * they become usable.  When the prerequisites are met the INITIAL bit
 * is cleared and the record is then processed and cleaned up normally.
 */
#define DNS_NSEC3FLAG_INITIAL (1U << 5)

/*%
 * Private type only: do not build an NSEC chain until the last NSEC3
 * chain has been removed.
 *
 * Normally only set while a zone moves from secure-with-NSEC3 to
 * insecure, so that the two chain types never coexist during the
 * transition.
 */
#define DNS_NSEC3FLAG_NONSEC (1U << 4)
112