dnssec_sign.c File Reference


Functions

ldns_rrldns_create_empty_rrsig (ldns_rr_list *rrset, ldns_key *current_key)
 Create an empty RRSIG RR for rrset and current_key (i.e. an RRSIG with its fields filled in but without the actual signature data).
ldns_rdfldns_sign_public_buffer (ldns_buffer *sign_buf, ldns_key *current_key)
 Sign the buffer containing the wire data of an RRset together with its corresponding empty RRSIG RR, using the given key; the caller is expected to have assembled the buffer already.
ldns_rr_listldns_sign_public (ldns_rr_list *rrset, ldns_key_list *keys)
 Sign rrset with every key in keys using each key's public/private-key algorithm, and return the created RRSIG records as a new rr list.
ldns_rdfldns_sign_public_dsa (ldns_buffer *to_sign, DSA *key)
 Sign data with DSA. Note: DSA (DNSSEC algorithm 3) is deprecated; RFC 8624 marks it MUST NOT for both signing and validation, so it should only be used for legacy interoperability.
ldns_rdfldns_sign_public_evp (ldns_buffer *to_sign, EVP_PKEY *key, const EVP_MD *digest_type)
 Sign data with an OpenSSL EVP key using the given digest; ldns_sign_public_buffer() calls this for the EVP-based algorithms.
ldns_rdfldns_sign_public_rsasha1 (ldns_buffer *to_sign, RSA *key)
 Sign data with RSA/SHA-1 (DNSSEC algorithm 5). Note: RFC 8624 rates SHA-1-based signing as NOT RECOMMENDED; prefer RSASHA256 or ECDSAP256SHA256 for new zones.
ldns_rdfldns_sign_public_rsamd5 (ldns_buffer *to_sign, RSA *key)
 Sign data with RSA/MD5 (DNSSEC algorithm 1). Note: RSAMD5 is deprecated; RFC 8624 marks it MUST NOT for both signing and validation. Retained only for legacy callers.
ldns_status ldns_dnssec_zone_mark_and_get_glue (ldns_dnssec_zone *zone, ldns_rr_list *glue_list)
 Marks the names in the zone that are occluded.
ldns_status ldns_dnssec_zone_mark_glue (ldns_dnssec_zone *zone)
 Marks the names in the zone that are occluded.
ldns_rbnode_tldns_dnssec_name_node_next_nonglue (ldns_rbnode_t *node)
 Finds the first dnssec_name node in the rbtree that is not occluded.
ldns_status ldns_dnssec_zone_create_nsecs (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs)
 Adds NSEC records to the given dnssec_zone.
int ldns_dname_compare_v (const void *a, const void *b)
ldns_status ldns_dnssec_zone_create_nsec3s_mkmap (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, ldns_rbtree_t **map)
ldns_status ldns_dnssec_zone_create_nsec3s (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Adds NSEC3 records to the zone.
ldns_dnssec_rrsldns_dnssec_remove_signatures (ldns_dnssec_rrs *signatures, ATTR_UNUSED(ldns_key_list *key_list), int(*func)(ldns_rr *, void *), void *arg)
ldns_status ldns_dnssec_zone_create_rrsigs (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
 Adds signatures to the zone.
ldns_status ldns_dnssec_zone_create_rrsigs_flg (ATTR_UNUSED(ldns_dnssec_zone *zone), ATTR_UNUSED(ldns_rr_list *new_rrs), ATTR_UNUSED(ldns_key_list *key_list), int(*func)(ldns_rr *, void *), void *arg, int flags)
ldns_status ldns_dnssec_zone_sign (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
 signs the given zone with the given keys
ldns_status ldns_dnssec_zone_sign_flg (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
 signs the given zone with the given keys
ldns_status ldns_dnssec_zone_sign_nsec3 (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Signs the given zone with the given keys, using NSEC3 for authenticated denial of existence.
ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags, ldns_rbtree_t **map)
 Signs the given zone with the given keys, using NSEC3 for authenticated denial of existence; also returns the hashed-to-unhashed name map.
ldns_status ldns_dnssec_zone_sign_nsec3_flg (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags)
 Signs the given zone with the given keys, using NSEC3 for authenticated denial of existence, honouring the given signing flags.
ldns_zoneldns_zone_sign (const ldns_zone *zone, ldns_key_list *key_list)
 Signs the zone, and returns a newly allocated signed zone.
ldns_zoneldns_zone_sign_nsec3 (ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Signs the zone with NSEC3, and returns a newly allocated signed zone.

Function Documentation

ldns_rdf* ldns_sign_public_buffer ( ldns_buffer sign_buf,
ldns_key key 
)

Sign the buffer containing the wire data of an RRset together with its corresponding empty RRSIG RR, using the given key. The caller is expected to have assembled the buffer already (presumably in the RFC 4034 §3.1.8.1 layout, RRSIG RDATA followed by the canonically ordered RRs — verify against callers). The signing algorithm is selected from the key's algorithm.

Parameters:
[in] sign_buf — the buffer with the data to sign
[in] key — the key to sign with; its algorithm selects the signing routine
Returns:
an rdata field with the signature data; presumably NULL if the key's algorithm is not one of the supported LDNS_SIGN_* values (confirm in source)

Definition at line 120 of file dnssec_sign.c.

References ldns_key_algorithm(), ldns_key_evp_key(), LDNS_SIGN_DSA, LDNS_SIGN_DSA_NSEC3, LDNS_SIGN_ECC_GOST, LDNS_SIGN_ECDSAP256SHA256, LDNS_SIGN_ECDSAP384SHA384, ldns_sign_public_evp(), LDNS_SIGN_RSAMD5, LDNS_SIGN_RSASHA1, LDNS_SIGN_RSASHA1_NSEC3, LDNS_SIGN_RSASHA256, and LDNS_SIGN_RSASHA512.

ldns_rdf* ldns_sign_public_dsa ( ldns_buffer to_sign,
DSA *  key 
)

Sign data with DSA.

Parameters:
[in] to_sign — the ldns_buffer containing the raw data to be signed
[in] key — the OpenSSL DSA key structure to sign with
Returns:
the signature as a base64 rdf (LDNS_RDF_TYPE_B64) suitable for the signature field of an RRSIG; presumably NULL on allocation failure (confirm in source)

Definition at line 303 of file dnssec_sign.c.

References ldns_buffer_begin(), ldns_buffer_free(), ldns_buffer_new(), ldns_buffer_position(), LDNS_FREE, LDNS_MAX_PACKETLEN, ldns_rdf_new_frm_data(), LDNS_RDF_TYPE_B64, and LDNS_XMALLOC.

ldns_rdf* ldns_sign_public_evp ( ldns_buffer to_sign,
EVP_PKEY *  key,
const EVP_MD *  digest_type 
)
ldns_rdf* ldns_sign_public_rsasha1 ( ldns_buffer to_sign,
RSA *  key 
)
ldns_rdf* ldns_sign_public_rsamd5 ( ldns_buffer to_sign,
RSA *  key 
)

Marks the names in the zone that are occluded.

Those names will be skipped when walking the tree with the ldns_dnssec_name_node_next_nonglue() function. Be careful: names that are only partially occluded (such as glue with the same owner name as the delegation) are not marked and must be handled separately by the caller.

When glue_list is given (not NULL), in the process of marking the names, all glue resource records will be pushed to that list, even glue at delegation names.

Parameters:
[in] zone — the zone in which to mark the names
[in] glue_list — the list to which glue RRs are pushed, or NULL to skip collecting them
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 576 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_struct_dnssec_name::is_glue, ldns_dname_is_subdomain(), ldns_dnssec_name_name(), ldns_dnssec_rrsets_contains_type(), ldns_rbtree_first(), ldns_rbtree_next(), LDNS_RBTREE_NULL, LDNS_RR_TYPE_DNAME, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, LDNS_STATUS_NULL, LDNS_STATUS_OK, ldns_struct_dnssec_zone::names, and ldns_struct_dnssec_name::rrsets.

Marks the names in the zone that are occluded.

Those names will be skipped when walking the tree with the ldns_dnssec_name_node_next_nonglue() function. Be careful: names that are only partially occluded (such as glue with the same owner name as the delegation) are not marked and must be handled separately by the caller.

Parameters:
[in]zonethe zone in which to mark the names
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 665 of file dnssec_sign.c.

References ldns_dnssec_zone_mark_and_get_glue().

Finds the first dnssec_name node in the rbtree that is not occluded.

It does return names that are partially occluded.

Parameters:
[in]nodethe first node to check
Returns:
the first node, starting at node itself, that has not been marked as glue, or NULL if no such node remains (TODO: make that LDNS_RBTREE_NULL?)

Definition at line 671 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_struct_dnssec_name::is_glue, ldns_rbtree_next(), and LDNS_RBTREE_NULL.

Adds NSEC records to the given dnssec_zone.

Parameters:
[in] zone — the zone to add the NSEC records to
[in] new_rrs — every ldns_rr created by this function is also pushed onto this list so the caller can free them later
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 697 of file dnssec_sign.c.

References ldns_rbnode_t::data, LDNS_DEFAULT_TTL, ldns_dnssec_create_nsec(), ldns_dnssec_name_add_rr(), ldns_dnssec_name_find_rrset(), ldns_dnssec_name_node_next_nonglue(), ldns_rbtree_first(), ldns_rbtree_next(), ldns_rdf2native_int32(), ldns_rr_free(), ldns_rr_list_push_rr(), ldns_rr_rdf(), ldns_rr_set_ttl(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_SOA, LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_struct_dnssec_zone::names, ldns_struct_dnssec_rrs::rr, ldns_struct_dnssec_rrsets::rrs, and ldns_struct_dnssec_zone::soa.

int ldns_dname_compare_v ( const void *  a,
const void *  b 
)

Definition at line 821 of file dnssec_zone.c.

References ldns_dname_compare().

ldns_status ldns_dnssec_zone_create_nsec3s_mkmap ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt,
ldns_rbtree_t **  map 
)
ldns_status ldns_dnssec_zone_create_nsec3s ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Adds NSEC3 records to the zone.

Definition at line 876 of file dnssec_sign.c.

References ldns_dnssec_zone_create_nsec3s_mkmap().

ldns_dnssec_rrs* ldns_dnssec_remove_signatures ( ldns_dnssec_rrs signatures,
ATTR_UNUSED(ldns_key_list *key_list)  ,
int(*)(ldns_rr *, void *)  func,
void *  arg 
)
ldns_status ldns_dnssec_zone_create_rrsigs ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg 
)

Adds signatures to the zone.

Parameters:
[in]zonethe zone to add RRSIG Resource Records to
[in]new_rrsthe RRSIG RRs that are created are also added to this list, so the caller can free them later
[in]key_listlist of keys to sign with.
[in]funcCallback function to decide what keys to use and what to do with old signatures
[in]argOptional argument for the callback function
Returns:
LDNS_STATUS_OK on success, error otherwise

Definition at line 978 of file dnssec_sign.c.

References ldns_dnssec_zone_create_rrsigs_flg().

ldns_status ldns_dnssec_zone_create_rrsigs_flg ( ATTR_UNUSED(ldns_dnssec_zone *zone)  ,
ATTR_UNUSED(ldns_rr_list *new_rrs)  ,
ATTR_UNUSED(ldns_key_list *key_list)  ,
int(*)(ldns_rr *, void *)  func,
void *  arg,
int  flags 
)
ldns_status ldns_dnssec_zone_sign ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg 
)

signs the given zone with the given keys

Parameters:
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in] func — callback that decides what to do with each existing (old) signature. It is called with the old RRSIG ldns_rr* and the optional void *arg, and returns one of four values: LDNS_SIGNATURE_LEAVE_ADD_NEW (keep the signature and add a new one for the corresponding key); LDNS_SIGNATURE_REMOVE_ADD_NEW (remove the signature and replace it with a new one from the same key); LDNS_SIGNATURE_LEAVE_NO_ADD (keep the signature and do not add a new one for the corresponding key); LDNS_SIGNATURE_REMOVE_NO_ADD (remove the signature and do not replace it).
[in]argoptional argument for the callback function
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1165 of file dnssec_sign.c.

References ldns_dnssec_zone_sign_flg().

ldns_status ldns_dnssec_zone_sign_flg ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
int  flags 
)

signs the given zone with the given keys

Parameters:
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in] func — callback that decides what to do with each existing (old) signature. It is called with the old RRSIG ldns_rr* and the optional void *arg, and returns one of four values: LDNS_SIGNATURE_LEAVE_ADD_NEW (keep the signature and add a new one for the corresponding key); LDNS_SIGNATURE_REMOVE_ADD_NEW (remove the signature and replace it with a new one from the same key); LDNS_SIGNATURE_LEAVE_NO_ADD (keep the signature and do not add a new one for the corresponding key); LDNS_SIGNATURE_REMOVE_NO_ADD (remove the signature and do not replace it).
[in]argoptional argument for the callback function
[in] flags — option flags for the signing process; 0 is the default. With 0 the DNSKEY RRset is signed with the minimal key set, i.e. only SEP-flagged keys (KSKs); if no SEP key is available, the non-SEP keys are used instead. LDNS_SIGN_DNSKEY_WITH_ZSK signs the DNSKEY RRset with all keys.
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1175 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_dnssec_zone_create_nsecs(), ldns_dnssec_zone_create_rrsigs_flg(), ldns_dnssec_zone_mark_glue(), LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_struct_dnssec_zone::names, and ldns_rbtree_t::root.

ldns_status ldns_dnssec_zone_sign_nsec3 ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

signs the given zone with the given new zone, with NSEC3

Parameters:
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures
[in]argoptional argument for the callback function
[in] algorithm — the NSEC3 hashing algorithm to use
[in] flags — the NSEC3 flags field (e.g. the Opt-Out flag)
[in] iterations — the number of additional NSEC3 hash iterations. Note: RFC 9276 recommends 0; high values only burden validators, and resolvers may treat zones with large iteration counts as insecure or refuse them.
[in] salt_length — the length (in octets) of the NSEC3 salt
[in] salt — the NSEC3 salt data (RFC 9276 recommends an empty salt)
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1213 of file dnssec_sign.c.

References ldns_dnssec_zone_sign_nsec3_flg_mkmap().

ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt,
int  signflags,
ldns_rbtree_t **  map 
)

signs the given zone with the given new zone, with NSEC3

Parameters:
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures
[in]argoptional argument for the callback function
[in] algorithm — the NSEC3 hashing algorithm to use
[in] flags — the NSEC3 flags field (e.g. the Opt-Out flag)
[in] iterations — the number of additional NSEC3 hash iterations. Note: RFC 9276 recommends 0; high values only burden validators, and resolvers may treat zones with large iteration counts as insecure or refuse them.
[in] salt_length — the length (in octets) of the NSEC3 salt
[in] salt — the NSEC3 salt data (RFC 9276 recommends an empty salt)
[in]signflagsoption flags for signing process. 0 is the default.
[out] map — address of an rbtree pointer variable. On success it receives a newly created rbtree mapping hashed owner names to the corresponding unhashed names; presumably the caller owns this tree and must free it (confirm in source).
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1230 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_dnssec_zone_add_empty_nonterminals(), ldns_dnssec_zone_add_rr(), ldns_dnssec_zone_create_nsec3s_mkmap(), ldns_dnssec_zone_create_rrsigs_flg(), ldns_dnssec_zone_find_rrset(), ldns_dnssec_zone_mark_glue(), ldns_nsec3_add_param_rdfs(), ldns_rdf_clone(), ldns_rdf_data(), ldns_rr_get_type(), ldns_rr_list_push_rr(), ldns_rr_new_frm_type(), ldns_rr_rdf(), ldns_rr_set_owner(), LDNS_RR_TYPE_NSEC3, LDNS_RR_TYPE_NSEC3PARAM, ldns_set_bit(), LDNS_STATUS_OK, ldns_struct_dnssec_name::name, ldns_struct_dnssec_zone::names, ldns_rbtree_t::root, and ldns_struct_dnssec_zone::soa.

ldns_status ldns_dnssec_zone_sign_nsec3_flg ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt,
int  signflags 
)

signs the given zone with the given new zone, with NSEC3

Parameters:
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures
[in]argoptional argument for the callback function
[in] algorithm — the NSEC3 hashing algorithm to use
[in] flags — the NSEC3 flags field (e.g. the Opt-Out flag)
[in] iterations — the number of additional NSEC3 hash iterations. Note: RFC 9276 recommends 0; high values only burden validators, and resolvers may treat zones with large iteration counts as insecure or refuse them.
[in] salt_length — the length (in octets) of the NSEC3 salt
[in] salt — the NSEC3 salt data (RFC 9276 recommends an empty salt)
[in]signflagsoption flags for signing process. 0 is the default.
Returns:
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1315 of file dnssec_sign.c.

References ldns_dnssec_zone_sign_nsec3_flg_mkmap().

ldns_zone* ldns_zone_sign ( const ldns_zone zone,
ldns_key_list key_list 
)
ldns_zone* ldns_zone_sign_nsec3 ( ldns_zone zone,
ldns_key_list key_list,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Signs the zone with NSEC3, and returns a newly allocated signed zone.

Parameters:
[in]zonethe zone to sign
[in]key_listlist of keys to sign with
[in] algorithm — the NSEC3 hashing algorithm to use
[in] flags — the NSEC3 flags field (e.g. the Opt-Out flag)
[in] iterations — the number of additional NSEC3 hash iterations. Note: RFC 9276 recommends 0; high values only burden validators, and resolvers may treat zones with large iteration counts as insecure or refuse them.
[in] salt_length — the length (in octets) of the NSEC3 salt
[in] salt — the NSEC3 salt data (RFC 9276 recommends an empty salt)
Returns:
a newly allocated signed zone that the caller owns and must free; presumably NULL on failure (confirm in source). Existing signatures are replaced via ldns_dnssec_default_replace_signatures().

Definition at line 1374 of file dnssec_sign.c.

References ldns_dnssec_default_replace_signatures(), ldns_dnssec_zone_add_rr(), ldns_dnssec_zone_free(), ldns_dnssec_zone_new(), ldns_dnssec_zone_sign_nsec3(), ldns_rr_clone(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_zone_new(), ldns_zone_push_rr(), ldns_zone_rrs(), ldns_zone_set_soa(), and ldns_zone_soa().