3 #ifndef LDNS_DNSSEC_SIGN_H
4 #define LDNS_DNSSEC_SIGN_H
6 #include <ldns/dnssec.h>
14 /** Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys*/
15 #define LDNS_SIGN_DNSKEY_WITH_ZSK 1
16 #define LDNS_SIGN_WITH_ALL_ALGORITHMS 2
19 * Create an empty RRSIG RR (i.e. without the actual signature data)
20 * \param[in] rrset The RRset to create the signature for
21 * \param[in] key The key that will create the signature
22 * \return signature rr
25 ldns_create_empty_rrsig(const ldns_rr_list *rrset,
29 * Sign the buffer which contains the wiredata of an rrset, and the
30 * corresponding empty rrsig rr with the given key
31 * \param[in] sign_buf the buffer with data to sign
32 * \param[in] key the key to sign with
33 * \return an rdata field with the signature data
36 ldns_sign_public_buffer(ldns_buffer *sign_buf, ldns_key *key);
40 * \param[in] rrset the rrset
41 * \param[in] keys the keys to use
42 * \return a rr_list with the signatures
44 ldns_rr_list *ldns_sign_public(ldns_rr_list *rrset, ldns_key_list *keys);
46 #if LDNS_BUILD_CONFIG_HAVE_SSL
48 * Sign a buffer with the DSA key (hash with SHA1)
49 * \param[in] to_sign buffer with the data
50 * \param[in] key the key to use
51 * \return a ldns_rdf with the signed data
53 ldns_rdf *ldns_sign_public_dsa(ldns_buffer *to_sign, DSA *key);
56 * Sign data with EVP (general method for different algorithms)
58 * \param[in] to_sign The ldns_buffer containing raw data that is
60 * \param[in] key The EVP_PKEY key structure to sign with
61 * \param[in] digest_type The digest algorithm to use in the creation of
63 * \return ldns_rdf for the RRSIG ldns_rr
65 ldns_rdf *ldns_sign_public_evp(ldns_buffer *to_sign,
67 const EVP_MD *digest_type);
70 * Sign a buffer with the RSA key (hash with SHA1)
71 * \param[in] to_sign buffer with the data
72 * \param[in] key the key to use
73 * \return a ldns_rdf with the signed data
75 ldns_rdf *ldns_sign_public_rsasha1(ldns_buffer *to_sign, RSA *key);
78 * Sign a buffer with the RSA key (hash with MD5)
79 * \param[in] to_sign buffer with the data
80 * \param[in] key the key to use
81 * \return a ldns_rdf with the signed data
83 ldns_rdf *ldns_sign_public_rsamd5(ldns_buffer *to_sign, RSA *key);
84 #endif /* LDNS_BUILD_CONFIG_HAVE_SSL */
87 * Marks the names in the zone that are occluded. Those names will be skipped
88 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
89 * function. But watch out! Names that are partially occluded (like glue with
90 * the same name as the delegation) will not be marked and should specifically
91 * be taken into account separately.
93 * When glue_list is given (not NULL), in the process of marking the names, all
94 * glue resource records will be pushed to that list, even glue at the delegation name.
96 * \param[in] zone the zone in which to mark the names
97 * \param[in] glue_list the list to which to push the glue rrs
98 * \return LDNS_STATUS_OK on success, an error code otherwise
101 ldns_dnssec_zone_mark_and_get_glue(
102 ldns_dnssec_zone *zone, ldns_rr_list *glue_list);
105 * Marks the names in the zone that are occluded. Those names will be skipped
106 * when walking the tree with the ldns_dnssec_name_node_next_nonglue()
107 * function. But watch out! Names that are partially occluded (like glue with
108 * the same name as the delegation) will not be marked and should specifically
109 * be taken into account separately.
111 * \param[in] zone the zone in which to mark the names
112 * \return LDNS_STATUS_OK on succesful completion
115 ldns_dnssec_zone_mark_glue(ldns_dnssec_zone *zone);
118 * Finds the first dnssec_name node in the rbtree that is not occluded.
119 * It *does* return names that are partially occluded.
121 * \param[in] node the first node to check
122 * \return the first node that has not been marked as glue, or NULL
123 * if not found (TODO: make that LDNS_RBTREE_NULL?)
125 ldns_rbnode_t *ldns_dnssec_name_node_next_nonglue(ldns_rbnode_t *node);
128 * Adds NSEC records to the given dnssec_zone
130 * \param[in] zone the zone to add the records to
131 * \param[in] new_rrs ldns_rr's created by this function are
132 * added to this rr list, so the caller can free them later
133 * \return LDNS_STATUS_OK on success, an error code otherwise
135 ldns_status ldns_dnssec_zone_create_nsecs(ldns_dnssec_zone *zone,
136 ldns_rr_list *new_rrs);
139 * Adds NSEC3 records to the zone
142 ldns_dnssec_zone_create_nsec3s(ldns_dnssec_zone *zone,
143 ldns_rr_list *new_rrs,
151 * remove signatures if callback function tells to
153 * \param[in] signatures list of signatures to check, and
154 * possibly remove, depending on the value of the
156 * \param[in] key_list these are marked to be used or not,
157 * on the return value of the callback
158 * \param[in] func this function is called to specify what to
159 * do with each signature (and corresponding key)
160 * \param[in] arg Optional argument for the callback function
161 * \returns pointer to the new signatures rrs (the original
162 * passed to this function may have been removed)
164 ldns_dnssec_rrs *ldns_dnssec_remove_signatures(ldns_dnssec_rrs *signatures,
165 ldns_key_list *key_list,
166 int (*func)(ldns_rr *, void *),
170 * Adds signatures to the zone
172 * \param[in] zone the zone to add RRSIG Resource Records to
173 * \param[in] new_rrs the RRSIG RRs that are created are also
174 * added to this list, so the caller can free them
176 * \param[in] key_list list of keys to sign with.
177 * \param[in] func Callback function to decide what keys to
178 * use and what to do with old signatures
179 * \param[in] arg Optional argument for the callback function
180 * \param[in] flags option flags for signing process. 0 makes DNSKEY
181 * RRset signed with the minimal key set, that is only SEP keys are used
182 * for signing. If there are no SEP keys available, non-SEP keys will
183 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
184 * keys. 0 is the default.
185 * \return LDNS_STATUS_OK on success, error otherwise
187 ldns_status ldns_dnssec_zone_create_rrsigs_flg(ldns_dnssec_zone *zone,
188 ldns_rr_list *new_rrs,
189 ldns_key_list *key_list,
190 int (*func)(ldns_rr *, void*),
195 * Adds signatures to the zone
197 * \param[in] zone the zone to add RRSIG Resource Records to
198 * \param[in] new_rrs the RRSIG RRs that are created are also
199 * added to this list, so the caller can free them
201 * \param[in] key_list list of keys to sign with.
202 * \param[in] func Callback function to decide what keys to
203 * use and what to do with old signatures
204 * \param[in] arg Optional argument for the callback function
205 * \return LDNS_STATUS_OK on success, error otherwise
207 ldns_status ldns_dnssec_zone_create_rrsigs(ldns_dnssec_zone *zone,
208 ldns_rr_list *new_rrs,
209 ldns_key_list *key_list,
210 int (*func)(ldns_rr *, void*),
214 * signs the given zone with the given keys
216 * \param[in] zone the zone to sign
217 * \param[in] key_list the list of keys to sign the zone with
218 * \param[in] new_rrs newly created resource records are added to this list, to free them later
219 * \param[in] func callback function that decides what to do with old signatures
220 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
221 * LDNS_SIGNATURE_LEAVE_ADD_NEW:
222 * leave the signature and add a new one for the corresponding key
223 * LDNS_SIGNATURE_REMOVE_ADD_NEW:
224 * remove the signature and replace is with a new one from the same key
225 * LDNS_SIGNATURE_LEAVE_NO_ADD:
226 * leave the signature and do not add a new one with the corresponding key
227 * LDNS_SIGNATURE_REMOVE_NO_ADD:
228 * remove the signature and do not replace
230 * \param[in] arg optional argument for the callback function
231 * \param[in] flags option flags for signing process. 0 makes DNSKEY
232 * RRset signed with the minimal key set, that is only SEP keys are used
233 * for signing. If there are no SEP keys available, non-SEP keys will
234 * be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all
235 * keys. 0 is the default.
236 * \return LDNS_STATUS_OK on success, an error code otherwise
238 ldns_status ldns_dnssec_zone_sign_flg(ldns_dnssec_zone *zone,
239 ldns_rr_list *new_rrs,
240 ldns_key_list *key_list,
241 int (*func)(ldns_rr *, void *),
246 * signs the given zone with the given new zone, with NSEC3
248 * \param[in] zone the zone to sign
249 * \param[in] key_list the list of keys to sign the zone with
250 * \param[in] new_rrs newly created resource records are added to this list, to free them later
251 * \param[in] func callback function that decides what to do with old signatures
252 * \param[in] arg optional argument for the callback function
253 * \param[in] algorithm the NSEC3 hashing algorithm to use
254 * \param[in] flags NSEC3 flags
255 * \param[in] iterations the number of NSEC3 hash iterations to use
256 * \param[in] salt_length the length (in octets) of the NSEC3 salt
257 * \param[in] salt the NSEC3 salt data
258 * \param[in] signflags option flags for signing process. 0 is the default.
259 * \return LDNS_STATUS_OK on success, an error code otherwise
261 ldns_status ldns_dnssec_zone_sign_nsec3_flg(ldns_dnssec_zone *zone,
262 ldns_rr_list *new_rrs,
263 ldns_key_list *key_list,
264 int (*func)(ldns_rr *, void *),
274 * signs the given zone with the given new zone, with NSEC3
276 * \param[in] zone the zone to sign
277 * \param[in] key_list the list of keys to sign the zone with
278 * \param[in] new_rrs newly created resource records are added to this list, to free them later
279 * \param[in] func callback function that decides what to do with old signatures
280 * \param[in] arg optional argument for the callback function
281 * \param[in] algorithm the NSEC3 hashing algorithm to use
282 * \param[in] flags NSEC3 flags
283 * \param[in] iterations the number of NSEC3 hash iterations to use
284 * \param[in] salt_length the length (in octets) of the NSEC3 salt
285 * \param[in] salt the NSEC3 salt data
286 * \param[in] signflags option flags for signing process. 0 is the default.
287 * \param[out] map a referenced rbtree pointer variable. The newly created
288 * rbtree will contain mappings from hashed owner names to the
290 * \return LDNS_STATUS_OK on success, an error code otherwise
292 ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap(ldns_dnssec_zone *zone,
293 ldns_rr_list *new_rrs,
294 ldns_key_list *key_list,
295 int (*func)(ldns_rr *, void *),
308 * signs the given zone with the given keys
310 * \param[in] zone the zone to sign
311 * \param[in] key_list the list of keys to sign the zone with
312 * \param[in] new_rrs newly created resource records are added to this list, to free them later
313 * \param[in] func callback function that decides what to do with old signatures
314 * This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values:
315 * LDNS_SIGNATURE_LEAVE_ADD_NEW:
316 * leave the signature and add a new one for the corresponding key
317 * LDNS_SIGNATURE_REMOVE_ADD_NEW:
318 * remove the signature and replace is with a new one from the same key
319 * LDNS_SIGNATURE_LEAVE_NO_ADD:
320 * leave the signature and do not add a new one with the corresponding key
321 * LDNS_SIGNATURE_REMOVE_NO_ADD:
322 * remove the signature and do not replace
324 * \param[in] arg optional argument for the callback function
325 * \return LDNS_STATUS_OK on success, an error code otherwise
327 ldns_status ldns_dnssec_zone_sign(ldns_dnssec_zone *zone,
328 ldns_rr_list *new_rrs,
329 ldns_key_list *key_list,
330 int (*func)(ldns_rr *, void *),
334 * signs the given zone with the given new zone, with NSEC3
336 * \param[in] zone the zone to sign
337 * \param[in] key_list the list of keys to sign the zone with
338 * \param[in] new_rrs newly created resource records are added to this list, to free them later
339 * \param[in] func callback function that decides what to do with old signatures
340 * \param[in] arg optional argument for the callback function
341 * \param[in] algorithm the NSEC3 hashing algorithm to use
342 * \param[in] flags NSEC3 flags
343 * \param[in] iterations the number of NSEC3 hash iterations to use
344 * \param[in] salt_length the length (in octets) of the NSEC3 salt
345 * \param[in] salt the NSEC3 salt data
346 * \return LDNS_STATUS_OK on success, an error code otherwise
348 ldns_status ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
349 ldns_rr_list *new_rrs,
350 ldns_key_list *key_list,
351 int (*func)(ldns_rr *, void *),
360 * Signs the zone, and returns a newly allocated signed zone
361 * \param[in] zone the zone to sign
362 * \param[in] key_list list of keys to sign with
363 * \return signed zone
365 ldns_zone *ldns_zone_sign(const ldns_zone *zone, ldns_key_list *key_list);
368 * Signs the zone with NSEC3, and returns a newly allocated signed zone
369 * \param[in] zone the zone to sign
370 * \param[in] key_list list of keys to sign with
371 * \param[in] algorithm the NSEC3 hashing algorithm to use
372 * \param[in] flags NSEC3 flags
373 * \param[in] iterations the number of NSEC3 hash iterations to use
374 * \param[in] salt_length the length (in octets) of the NSEC3 salt
375 * \param[in] salt the NSEC3 salt data
376 * \return signed zone
378 ldns_zone *ldns_zone_sign_nsec3(ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt);