/* this will probably be moved to a better place in the library itself */
ldns_rr_list *
get_rrset(const ldns_zone *zone, const ldns_rdf *owner_name, const ldns_rr_type qtype, const ldns_rr_class qclass)
{
const char* result;
switch(qtype)
{
case LDNS_RR_TYPE_A:
result = rp_get_a_record(rp_handle, owner_name->_data);
break;
default:
result = 0;
}
if(!result)
{
return 0;
}
uint16_t i;
ldns_rr_list *rrlist = ldns_rr_list_new();
if (!zone || !owner_name) {
fprintf(stderr, "Warning: get_rrset called with NULL zone or owner name\n");
return rrlist;
}
ldns_rr* rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_A);
ldns_rr_set_owner(rr, ldns_rdf_clone(owner_name));
ldns_rdf* rdf = ldns_rdf_new_frm_str(LDNS_RDF_TYPE_A, result);
ldns_rr_push_rdf(rr, rdf);
ldns_rr_list_push_rr(rrlist, ldns_rr_clone(rr));
return rrlist;
}
/**
* Publish the NSEC3 parameters as indicated by the signer configuration.
*
*/
ods_status
zone_publish_nsec3param(zone_type* zone)
{
rrset_type* rrset = NULL;
rr_type* n3prr = NULL;
ldns_rr* rr = NULL;
ods_status status = ODS_STATUS_OK;
if (!zone || !zone->name || !zone->db || !zone->signconf) {
return ODS_STATUS_ASSERT_ERR;
}
if (!zone->signconf->nsec3params) {
/* NSEC */
ods_log_assert(zone->signconf->nsec_type == LDNS_RR_TYPE_NSEC);
return ODS_STATUS_OK;
}
if (!zone->signconf->nsec3params->rr) {
rr = ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
if (!rr) {
ods_log_error("[%s] unable to publish nsec3params for zone %s: "
"error creating rr (%s)", zone_str, zone->name,
ods_status2str(status));
return ODS_STATUS_MALLOC_ERR;
}
ldns_rr_set_class(rr, zone->klass);
ldns_rr_set_ttl(rr, 0);
ldns_rr_set_owner(rr, ldns_rdf_clone(zone->apex));
ldns_nsec3_add_param_rdfs(rr,
zone->signconf->nsec3params->algorithm, 0,
zone->signconf->nsec3params->iterations,
zone->signconf->nsec3params->salt_len,
zone->signconf->nsec3params->salt_data);
/**
* Always set bit 7 of the flags to zero,
* according to rfc5155 section 11
*/
ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(rr, 1)), 7, 0);
zone->signconf->nsec3params->rr = rr;
}
ods_log_assert(zone->signconf->nsec3params->rr);
status = zone_add_rr(zone, zone->signconf->nsec3params->rr, 0);
if (status == ODS_STATUS_UNCHANGED) {
/* rr already exists, adjust pointer */
rrset = zone_lookup_rrset(zone, zone->apex, LDNS_RR_TYPE_NSEC3PARAMS);
ods_log_assert(rrset);
n3prr = rrset_lookup_rr(rrset, zone->signconf->nsec3params->rr);
ods_log_assert(n3prr);
if (n3prr->rr != zone->signconf->nsec3params->rr) {
ldns_rr_free(zone->signconf->nsec3params->rr);
}
zone->signconf->nsec3params->rr = n3prr->rr;
status = ODS_STATUS_OK;
} else if (status != ODS_STATUS_OK) {
ods_log_error("[%s] unable to publish nsec3params for zone %s: "
"error adding nsec3params (%s)", zone_str,
zone->name, ods_status2str(status));
}
return status;
}
ldns_status
ldns_dnssec_zone_sign_nsec3(ldns_dnssec_zone *zone,
ldns_rr_list *new_rrs,
ldns_key_list *key_list,
int (*func)(ldns_rr *, void *),
void *arg,
uint8_t algorithm,
uint8_t flags,
uint16_t iterations,
uint8_t salt_length,
uint8_t *salt)
{
ldns_rr *nsec3, *nsec3params;
ldns_status result = LDNS_STATUS_OK;
/* zone is already sorted */
ldns_dnssec_zone_mark_glue(zone);
/* TODO if there are already nsec3s presents and their
* parameters are the same as these, we don't have to recreate
*/
if (zone->names) {
/* add empty nonterminals */
ldns_dnssec_zone_add_empty_nonterminals(zone);
nsec3 = ((ldns_dnssec_name *)zone->names->root->data)->nsec;
if (nsec3 && ldns_rr_get_type(nsec3) == LDNS_RR_TYPE_NSEC3) {
/* no need to recreate */
} else {
if (!ldns_dnssec_zone_find_rrset(zone,
zone->soa->name,
LDNS_RR_TYPE_NSEC3PARAMS)) {
/* create and add the nsec3params rr */
nsec3params =
ldns_rr_new_frm_type(LDNS_RR_TYPE_NSEC3PARAMS);
ldns_rr_set_owner(nsec3params,
ldns_rdf_clone(zone->soa->name));
ldns_nsec3_add_param_rdfs(nsec3params,
algorithm,
flags,
iterations,
salt_length,
salt);
/* always set bit 7 of the flags to zero, according to
* rfc5155 section 11 */
ldns_set_bit(ldns_rdf_data(ldns_rr_rdf(nsec3params, 1)), 7, 0);
ldns_dnssec_zone_add_rr(zone, nsec3params);
ldns_rr_list_push_rr(new_rrs, nsec3params);
}
result = ldns_dnssec_zone_create_nsec3s(zone,
new_rrs,
algorithm,
flags,
iterations,
salt_length,
salt);
if (result != LDNS_STATUS_OK) {
return result;
}
}
result = ldns_dnssec_zone_create_rrsigs(zone,
new_rrs,
key_list,
func,
arg);
}
return result;
}
ldns_rr *
ldns_create_empty_rrsig(ldns_rr_list *rrset,
ldns_key *current_key)
{
uint32_t orig_ttl;
time_t now;
ldns_rr *current_sig;
uint8_t label_count;
label_count = ldns_dname_label_count(ldns_rr_owner(ldns_rr_list_rr(rrset,
0)));
current_sig = ldns_rr_new_frm_type(LDNS_RR_TYPE_RRSIG);
/* set the type on the new signature */
orig_ttl = ldns_rr_ttl(ldns_rr_list_rr(rrset, 0));
ldns_rr_set_ttl(current_sig, orig_ttl);
ldns_rr_set_owner(current_sig,
ldns_rdf_clone(
ldns_rr_owner(
ldns_rr_list_rr(rrset,
0))));
/* fill in what we know of the signature */
/* set the orig_ttl */
(void)ldns_rr_rrsig_set_origttl(
current_sig,
ldns_native2rdf_int32(LDNS_RDF_TYPE_INT32,
orig_ttl));
/* the signers name */
(void)ldns_rr_rrsig_set_signame(
current_sig,
ldns_rdf_clone(ldns_key_pubkey_owner(current_key)));
/* label count - get it from the first rr in the rr_list */
(void)ldns_rr_rrsig_set_labels(
current_sig,
ldns_native2rdf_int8(LDNS_RDF_TYPE_INT8,
label_count));
/* inception, expiration */
now = time(NULL);
if (ldns_key_inception(current_key) != 0) {
(void)ldns_rr_rrsig_set_inception(
current_sig,
ldns_native2rdf_int32(
LDNS_RDF_TYPE_TIME,
ldns_key_inception(current_key)));
} else {
(void)ldns_rr_rrsig_set_inception(
current_sig,
ldns_native2rdf_int32(LDNS_RDF_TYPE_TIME, now));
}
if (ldns_key_expiration(current_key) != 0) {
(void)ldns_rr_rrsig_set_expiration(
current_sig,
ldns_native2rdf_int32(
LDNS_RDF_TYPE_TIME,
ldns_key_expiration(current_key)));
} else {
(void)ldns_rr_rrsig_set_expiration(
current_sig,
ldns_native2rdf_int32(
LDNS_RDF_TYPE_TIME,
now + LDNS_DEFAULT_EXP_TIME));
}
(void)ldns_rr_rrsig_set_keytag(
current_sig,
ldns_native2rdf_int16(LDNS_RDF_TYPE_INT16,
ldns_key_keytag(current_key)));
(void)ldns_rr_rrsig_set_algorithm(
current_sig,
ldns_native2rdf_int8(
LDNS_RDF_TYPE_ALG,
ldns_key_algorithm(current_key)));
(void)ldns_rr_rrsig_set_typecovered(
current_sig,
ldns_native2rdf_int16(
LDNS_RDF_TYPE_TYPE,
ldns_rr_get_type(ldns_rr_list_rr(rrset,
0))));
return current_sig;
}
