| blob | b5771d839c94a5507897532f940e79061fd31f58 |
1 /* $NetBSD: nsec3_50.h,v 1.5 2014/12/10 04:37:59 christos Exp $ */
3 /*
4 * Copyright (C) 2008, 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16 * PERFORMANCE OF THIS SOFTWARE.
17 */
20 #ifndef GENERIC_NSEC3_50_H
21 #define GENERIC_NSEC3_50_H 1
23 /* Id */
25 /*!
26 * \brief Per RFC 5155 */
28 #include <isc/iterated_hash.h>
31 dns_rdatacommon_t common;
33 dns_hash_t hash;
35 dns_iterations_t iterations;
38 isc_uint16_t len;
44 /*
45 * The corresponding NSEC3 interval is OPTOUT indicating possible
46 * insecure delegations.
47 */
48 #define DNS_NSEC3FLAG_OPTOUT 0x01U
50 /*%
51 * The following flags are used in the private-type record (implemented in
52 * lib/dns/private.c) which is used to store NSEC3PARAM data during the
53 * time when it is not legal to have an actual NSEC3PARAM record in the
54 * zone. They are defined here because the private-type record uses the
55 * same flags field for the OPTOUT flag above and for the private flags
56 * below. XXX: This should be considered for refactoring.
57 */
59 /*%
60 * Non-standard, private type only.
61 *
62 * Create a corresponding NSEC3 chain.
63 * Once the NSEC3 chain is complete this flag will be removed to signal
64 * that there is a complete chain.
65 *
66 * This flag is automatically set when a NSEC3PARAM record is added to
67 * the zone via UPDATE.
68 *
69 * NSEC3PARAM records containing this flag should never be published,
70 * but if they are, they should be ignored by RFC 5155 compliant
71 * nameservers.
72 */
73 #define DNS_NSEC3FLAG_CREATE 0x80U
75 /*%
76 * Non-standard, private type only.
77 *
78 * The corresponding NSEC3 set is to be removed once the NSEC chain
79 * has been generated.
80 *
81 * This flag is automatically set when the last active NSEC3PARAM record
82 * is removed from the zone via UPDATE.
83 *
84 * NSEC3PARAM records containing this flag should never be published,
85 * but if they are, they should be ignored by RFC 5155 compliant
86 * nameservers.
87 */
88 #define DNS_NSEC3FLAG_REMOVE 0x40U
90 /*%
91 * Non-standard, private type only.
92 *
93 * When set with the CREATE flag, a corresponding NSEC3 chain will be
94 * created when the zone becomes capable of supporting one (i.e., when it
95 * has a DNSKEY RRset containing at least one NSEC3-capable algorithm).
96 * Without this flag, NSEC3 chain creation would be attempted immediately,
97 * fail, and the private type record would be removed. With it, the NSEC3
98 * parameters are stored until they can be used. When the zone has the
99 * necessary prerequisites for NSEC3, then the INITIAL flag can be cleared,
100 * and the record will be cleaned up normally.
101 *
102 * NSEC3PARAM records containing this flag should never be published, but
103 * if they are, they should be ignored by RFC 5155 compliant nameservers.
104 */
105 #define DNS_NSEC3FLAG_INITIAL 0x20U
107 /*%
108 * Non-standard, private type only.
109 *
110 * Prevent the creation of a NSEC chain before the last NSEC3 chain
111 * is removed. This will normally only be set when the zone is
112 * transitioning from secure with NSEC3 chains to insecure.
113 *
114 * NSEC3PARAM records containing this flag should never be published,
115 * but if they are, they should be ignored by RFC 5155 compliant
116 * nameservers.
117 */
118 #define DNS_NSEC3FLAG_NONSEC 0x10U