| blob | 46283696d981d630235b1c15ae4834f43af54a24 |
1 /* $NetBSD$ */
3 /*
4 * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16 * PERFORMANCE OF THIS SOFTWARE.
17 */
19 /* Id: private.c,v 1.3 2009/10/09 23:48:09 tbox Exp */
23 #include <isc/result.h>
24 #include <isc/string.h>
25 #include <isc/types.h>
26 #include <isc/base64.h>
28 #include <dns/nsec3.h>
29 #include <dns/private.h>
31 /*
32 * We need to build the relevant chain if there exists a NSEC/NSEC3PARAM
33 * at the apex; normally only one or the other of NSEC/NSEC3PARAM will exist.
34 *
35 * If a NSEC3PARAM RRset exists then we will need to build a NSEC chain
36 * if all the NSEC3PARAM records (and associated chains) are slated for
37 * destruction and we have not been told to NOT build the NSEC chain.
38 *
39 * If the NSEC set exist then check to see if there is a request to create
40 * a NSEC3 chain.
41 *
42 * If neither NSEC/NSEC3PARAM RRsets exist at the origin and the private
43 * type exists then we need to examine it to determine if NSEC3 chain has
44 * been requested to be built otherwise a NSEC chain needs to be built.
45 */
47 #define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
48 #define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
49 #define NONSEC(x) (((x) & DNS_NSEC3FLAG_NONSEC) != 0)
51 #define CHECK(x) do { \
52 result = (x); \
53 if (result != ISC_R_SUCCESS) \
54 goto failure; \
55 } while (0)
57 /*
58 * Work out if 'param' should be ignored or not (i.e. it is in the process
59 * of being removed).
60 *
61 * Note: we 'belt-and-braces' here by also checking for a CREATE private
62 * record and keep the param record in this case.
63 */
65 static isc_boolean_t
67 isc_result_t result;
80 /*
81 * We are going to create a new NSEC3 chain so it
82 * doesn't matter if we are removing this one.
83 */
92 /*
93 * The removal of this NSEC3 chain does NOT cause a
94 * NSEC chain to be created so we don't need to tell
95 * the caller that it will be removed.
96 */
100 }
102 }
104 isc_result_t
106 dns_rdatatype_t privatetype,
108 {
111 isc_boolean_t nsec3chain;
112 isc_boolean_t signing;
113 isc_result_t result;
132 NULL);
143 }
151 }
153 /*
154 * Look to see if we also need to be creating a NSEC3 chains.
155 */
179 }
181 }
190 /*
191 * If we are in the process of building a new NSEC3 chain
192 * then we don't need to build a NSEC chain.
193 */
206 }
208 /*
209 * Check to see if there will be a active NSEC3CHAIN once
210 * the changes queued complete.
211 */
218 /*
219 * If there is more that one NSEC3 chain present then
220 * we don't need to construct a NSEC chain.
221 */
227 /*
228 * We still have a good NSEC3 chain or we are
229 * not creating a NSEC chain as NONSEC is set.
230 */
232 }
234 /*
235 * The last NSEC3 chain is being removed and does not have
236 * have NONSEC set.
237 */
241 }
262 /*
263 * Look for record that says we are signing the
264 * zone with a key.
265 */
272 }
273 }
282 }
283 }
285 success:
287 failure:
297 }