2 * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 2000, 2001 Internet Software Consortium.
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
18 /* $Id: validator.h,v 1.18.2.1 2004/03/09 06:11:24 marka Exp $ */
20 #ifndef DNS_VALIDATOR_H
21 #define DNS_VALIDATOR_H 1
33 * The module ensures appropriate synchronization of data structures it
34 * creates and manipulates.
37 * No anticipated impact.
43 * No anticipated impact.
46 * RFCs: 1034, 1035, 2181, 2535, <TBS>
51 #include <isc/event.h>
52 #include <isc/mutex.h>
54 #include <dns/types.h>
55 #include <dns/rdataset.h>
56 #include <dns/rdatastruct.h> /* for dns_rdata_sig_t */
61 * A dns_validatorevent_t is sent when a 'validation' completes.
63 * 'name', 'rdataset', 'sigrdataset', and 'message' are the values that were
64 * supplied when dns_validator_create() was called. They are returned to the
65 * caller so that they may be freed.
67 typedef struct dns_validatorevent {
68 ISC_EVENT_COMMON(struct dns_validatorevent);
69 dns_validator_t * validator;
73 dns_rdataset_t * rdataset;
74 dns_rdataset_t * sigrdataset;
75 dns_message_t * message;
76 } dns_validatorevent_t;
80 * A validator object represents a validation in procgress.
82 * Clients are strongly discouraged from using this type directly, with
83 * the exception of the 'link' field, which may be used directly for
84 * whatever purpose the client desires.
86 struct dns_validator {
93 unsigned int attributes;
94 dns_validatorevent_t * event;
96 dns_validator_t * keyvalidator;
97 dns_validator_t * authvalidator;
98 dns_keytable_t * keytable;
99 dns_keynode_t * keynode;
101 dns_rdata_sig_t * siginfo;
103 isc_taskaction_t action;
106 dns_rdataset_t * currentset;
107 isc_boolean_t seensig;
108 dns_rdataset_t * keyset;
109 dns_rdataset_t frdataset;
110 dns_rdataset_t fsigrdataset;
111 ISC_LINK(dns_validator_t) link;
117 dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
118 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
119 dns_message_t *message, unsigned int options,
120 isc_task_t *task, isc_taskaction_t action, void *arg,
121 dns_validator_t **validatorp);
123 * Start a DNSSEC validation.
125 * This validates a response to the question given by
128 * To validate a positive response, the response data is
129 * given by 'rdataset' and 'sigrdataset'. If 'sigrdataset'
130 * is NULL, the data is presumed insecure and an attempt
131 * is made to prove its insecurity by finding the appropriate
134 * The complete response message may be given in 'message',
135 * to make available any authority section NXTs that may be
136 * needed for validation of a response resulting from a
137 * wildcard expansion (though no such wildcard validation
138 * is implemented yet). If the complete response message
139 * is not available, 'message' is NULL.
141 * To validate a negative response, the complete negative response
142 * message is given in 'message'. The 'rdataset', and
143 * 'sigrdataset' arguments must be NULL, but the 'name' and 'type'
144 * arguments must be provided.
146 * The validation is performed in the context of 'view'.
147 * 'options' must be zero.
149 * When the validation finishes, a dns_validatorevent_t with
150 * the given 'action' and 'arg' are sent to 'task'.
151 * Its 'result' field will be ISC_R_SUCCESS iff the
152 * response was successfully proven to be either secure or
153 * part of a known insecure domain.
157 dns_validator_cancel(dns_validator_t *validator);
159 * Cancel a DNSSEC validation in progress.
162 * 'validator' points to a valid DNSSEC validator, which
163 * may or may not already have completed.
166 * It the validator has not already sent its completion
167 * event, it will send it with result code ISC_R_CANCELED.
171 dns_validator_destroy(dns_validator_t **validatorp);
173 * Destroy a DNSSEC validator.
176 * '*validatorp' points to a valid DNSSEC validator.
177 * The validator must have completed and sent its completion
181 * All resources used by the validator are freed.
186 #endif /* DNS_VALIDATOR_H */