2 * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002 Internet Software Consortium.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: dnssec.h,v 1.21.12.5 2004/03/08 09:04:35 marka Exp $ */
21 #define DNS_DNSSEC_H 1
24 #include <isc/stdtime.h>
26 #include <dns/types.h>
33 dns_dnssec_keyfromrdata(dns_name_t *name, dns_rdata_t *rdata, isc_mem_t *mctx,
36 * Creates a DST key from a DNS record. Basically a wrapper around
49 * DST_R_INVALIDPUBLICKEY
50 * various errors from dns_name_totext
54 dns_dnssec_sign(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
55 isc_stdtime_t *inception, isc_stdtime_t *expire,
56 isc_mem_t *mctx, isc_buffer_t *buffer, dns_rdata_t *sigrdata);
58 * Generates a SIG record covering this rdataset. This has no effect
59 * on existing SIG records.
62 * 'name' (the owner name of the record) is a valid name
63 * 'set' is a valid rdataset
64 * 'key' is a valid key
65 * 'inception' is not NULL
66 * 'expire' is not NULL
68 * 'buffer' is not NULL
69 * 'sigrdata' is not NULL
75 * DNS_R_INVALIDTIME - the expiration is before the inception
76 * DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
77 * it is not a zone key or its flags prevent
83 dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
84 isc_boolean_t ignoretime, isc_mem_t *mctx,
85 dns_rdata_t *sigrdata);
88 dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
89 isc_boolean_t ignoretime, isc_mem_t *mctx,
90 dns_rdata_t *sigrdata, dns_name_t *wild);
92 * Verifies the SIG record covering this rdataset signed by a specific
93 * key. This does not determine if the key's owner is authorized to
94 * sign this record, as this requires a resolver or database.
95 * If 'ignoretime' is ISC_TRUE, temporal validity will not be checked.
98 * 'name' (the owner name of the record) is a valid name
99 * 'set' is a valid rdataset
100 * 'key' is a valid key
102 * 'sigrdata' is a valid rdata containing a SIG record
103 * 'wild' if non-NULL then is a valid and has a buffer.
108 * DNS_R_FROMWILDCARD - the signature is valid and is from
109 * a wildcard expansion. dns_dnssec_verify2() only.
110 * 'wild' contains the name of the wildcard if non-NULL.
111 * DNS_R_SIGINVALID - the signature fails to verify
112 * DNS_R_SIGEXPIRED - the signature has expired
113 * DNS_R_SIGFUTURE - the signature's validity period has not begun
114 * DNS_R_KEYUNAUTHORIZED - the key cannot sign this data (either
115 * it is not a zone key or its flags prevent
121 dns_dnssec_findzonekeys(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
122 dns_name_t *name, isc_mem_t *mctx,
123 unsigned int maxkeys, dst_key_t **keys,
124 unsigned int *nkeys);
126 dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
127 dns_dbnode_t *node, dns_name_t *name,
128 const char *directory, isc_mem_t *mctx,
129 unsigned int maxkeys, dst_key_t **keys,
130 unsigned int *nkeys);
132 * Finds a set of zone keys.
133 * XXX temporary - this should be handled in dns_zone_t.
137 dns_dnssec_signmessage(dns_message_t *msg, dst_key_t *key);
139 * Signs a message with a SIG(0) record. This is implicitly called by
140 * dns_message_renderend() if msg->sig0key is not NULL.
143 * 'msg' is a valid message
144 * 'key' is a valid key that can be used for signing
153 dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
156 * Verifies a message signed by a SIG(0) record. This is not
157 * called implicitly by dns_message_parse(). If dns_message_signer()
158 * is called before dns_dnssec_verifymessage(), it will return
159 * DNS_R_NOTVERIFIEDYET. dns_dnssec_verifymessage() will set
160 * the verified_sig0 flag in msg if the verify succeeds, and
161 * the sig0status field otherwise.
164 * 'source' is a valid buffer containing the unparsed message
165 * 'msg' is a valid message
166 * 'key' is a valid key
171 * ISC_R_NOTFOUND - no SIG(0) was found
172 * DNS_R_SIGINVALID - the SIG record is not well-formed or
173 * was not generated by the key.
179 #endif /* DNS_DNSSEC_H */