/*  Copyright (C) 2013 CZ.NIC, z.s.p.o. <knot-dns@labs.nic.cz>

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
/*!
 * \file zone-sign.h
 *
 * \author Jan Vcelak <jan.vcelak@nic.cz>
 * \author Lubos Slovak <lubos.slovak@nic.cz>
 * \author Jan Kadlec <jan.kadlec@nic.cz>
 *
 * \brief Interface for DNSSEC signing of zones.
 *
 * \addtogroup dnssec
 * @{
 */

#pragma once

#include "knot/updates/changesets.h"
#include "knot/zone/zone.h"
#include "knot/zone/contents.h"
#include "knot/dnssec/context.h"
#include "knot/dnssec/zone-keys.h"

/*!
 * \brief Update zone signatures and store performed changes in changeset.
 *
 * Updates RRSIGs, NSEC(3)s, and DNSKEYs.
 *
 * \param zone        Zone to be signed.
 * \param zone_keys   Zone keys.
 * \param dnssec_ctx  DNSSEC context.
 * \param out_ch      Changeset to be updated.
 * \param expire_at   Time when the oldest signature in the zone expires.
 *
 * \return Error code, KNOT_EOK if successful.
 */
int knot_zone_sign(const zone_contents_t *zone,
                   zone_keyset_t *zone_keys,
                   const kdnssec_ctx_t *dnssec_ctx,
                   changeset_t *out_ch, uint32_t *expire_at);

/*!
 * \brief Update and sign SOA and store performed changes in changeset.
 *
 * \param soa        SOA RRSet to be updated.
 * \param rrsigs     Existing RRSIGs of the SOA (not documented upstream; confirm against the implementation).
 * \param zone_keys  Zone keys.
 * \param dnssec_ctx DNSSEC context.
 * \param changeset  Changeset to be updated.
 *
 * \return Error code, KNOT_EOK if successful.
 */
int knot_zone_sign_update_soa(const knot_rrset_t *soa, const knot_rrset_t *rrsigs,
                              const zone_keyset_t *zone_keys,
                              const kdnssec_ctx_t *dnssec_ctx,
                              changeset_t *changeset);

/*!
 * \brief Check if zone SOA signatures are expired.
 *
 * \param zone       Zone whose SOA signatures are checked.
 * \param zone_keys  Zone keys.
 * \param dnssec_ctx DNSSEC context.
 *
 * \return True if zone SOA signatures need update, false otherwise.
 */
bool knot_zone_sign_soa_expired(const zone_contents_t *zone,
                                const zone_keyset_t *zone_keys,
                                const kdnssec_ctx_t *dnssec_ctx);

/*!
 * \brief Sign changeset created by DDNS or zone-diff.
 *
 * \param zone New zone contents.
 * \param in_ch Changeset created by DDNS or zone-diff.
 * \param out_ch New records will be added to this changeset.
 * \param zone_keys Keys to use for signing.
 * \param dnssec_ctx DNSSEC context.
 *
 * \return Error code, KNOT_EOK if successful.
 */
int knot_zone_sign_changeset(const zone_contents_t *zone,
                             const changeset_t *in_ch,
                             changeset_t *out_ch,
                             const zone_keyset_t *zone_keys,
                             const kdnssec_ctx_t *dnssec_ctx);

/*!
 * \brief Sign NSEC/NSEC3 nodes in changeset and update the changeset.
 *
 * \param zone_keys  Zone keys.
 * \param dnssec_ctx DNSSEC context.
 * \param changeset  Changeset to be updated.
 *
 * \return Error code, KNOT_EOK if successful.
 */
int knot_zone_sign_nsecs_in_changeset(const zone_keyset_t *zone_keys,
                                      const kdnssec_ctx_t *dnssec_ctx,
                                      changeset_t *changeset);

/*!
 * \brief Checks whether an RRSet in a node has to be signed. Will not return
 *        true for all types that should be signed; do not use this as a
 *        universal function, it is implementation specific.
 *
 * \param node         Node containing the RRSet.
 * \param rrset        RRSet we are checking for.
 *
 * \retval true  If the RRSet should be signed.
 */
bool knot_zone_sign_rr_should_be_signed(const zone_node_t *node,
                                        const knot_rrset_t *rrset);

/*!
 * \brief Check whether DS RDATA corresponds to the given zone key.
 *
 * \note The matching rule is not documented in this header; confirm which
 *       DS fields are compared (and how) against the implementation.
 *
 * \param key    Zone key to match.
 * \param rdata  DS RDATA to compare against the key.
 *
 * \return True if the DS matches the key, false otherwise.
 */
bool knot_match_key_ds(zone_key_t *key, const knot_rdata_t *rdata);

/*! @} */