dnssec_sign.h File Reference

Go to the source code of this file.

Macros

#define LDNS_SIGN_DNSKEY_WITH_ZSK   1
 dnssec_verify More...
 
#define LDNS_SIGN_WITH_ALL_ALGORITHMS   2
 
#define LDNS_SIGN_NO_KEYS_NO_NSECS   4
 
#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384   8
 
#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512   16
 

Functions

ldns_rrldns_create_empty_rrsig (const ldns_rr_list *rrset, const ldns_key *key)
 Create an empty RRSIG RR (i.e. More...
 
ldns_rdfldns_sign_public_buffer (ldns_buffer *sign_buf, ldns_key *key)
 Sign the buffer which contains the wiredata of an rrset, and the corresponding empty rrsig rr with the given key. More...
 
ldns_rr_listldns_sign_public (ldns_rr_list *rrset, ldns_key_list *keys)
 Sign an rrset. More...
 
ldns_rdfldns_sign_public_dsa (ldns_buffer *to_sign, DSA *key)
 Sign a buffer with the DSA key (hash with SHA1) More...
 
ldns_rdfldns_sign_public_evp (ldns_buffer *to_sign, EVP_PKEY *key, const EVP_MD *digest_type)
 Sign data with EVP (general method for different algorithms) More...
 
ldns_rdfldns_sign_public_rsasha1 (ldns_buffer *to_sign, RSA *key)
 Sign a buffer with the RSA key (hash with SHA1) More...
 
ldns_rdfldns_sign_public_rsamd5 (ldns_buffer *to_sign, RSA *key)
 Sign a buffer with the RSA key (hash with MD5) More...
 
ldns_status ldns_dnssec_zone_mark_and_get_glue (ldns_dnssec_zone *zone, ldns_rr_list *glue_list)
 Marks the names in the zone that are occluded. More...
 
ldns_status ldns_dnssec_zone_mark_glue (ldns_dnssec_zone *zone)
 Marks the names in the zone that are occluded. More...
 
ldns_rbnode_tldns_dnssec_name_node_next_nonglue (ldns_rbnode_t *node)
 Finds the first dnssec_name node in the rbtree that is not occluded. More...
 
ldns_status ldns_dnssec_zone_create_nsecs (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs)
 Adds NSEC records to the given dnssec_zone. More...
 
ldns_status ldns_dnssec_zone_create_nsec3s (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Adds NSEC3 records to the zone. More...
 
ldns_dnssec_rrsldns_dnssec_remove_signatures (ldns_dnssec_rrs *signatures, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
 remove signatures if callback function tells to More...
 
ldns_status ldns_dnssec_zone_create_rrsigs_flg (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
 Adds signatures to the zone. More...
 
ldns_status ldns_dnssec_zone_create_rrsigs (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
 Adds signatures to the zone. More...
 
ldns_status ldns_dnssec_zone_sign_flg (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, int flags)
 signs the given zone with the given keys More...
 
ldns_status ldns_dnssec_zone_sign_nsec3_flg (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags)
 signs the given zone with the given new zone, with NSEC3 More...
 
ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt, int signflags, ldns_rbtree_t **map)
 signs the given zone with the given new zone, with NSEC3 More...
 
ldns_status ldns_dnssec_zone_sign (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg)
 signs the given zone with the given keys More...
 
ldns_status ldns_dnssec_zone_sign_nsec3 (ldns_dnssec_zone *zone, ldns_rr_list *new_rrs, ldns_key_list *key_list, int(*func)(ldns_rr *, void *), void *arg, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 signs the given zone with the given new zone, with NSEC3 More...
 
ldns_zoneldns_zone_sign (const ldns_zone *zone, ldns_key_list *key_list)
 Signs the zone, and returns a newly allocated signed zone. More...
 
ldns_zoneldns_zone_sign_nsec3 (ldns_zone *zone, ldns_key_list *key_list, uint8_t algorithm, uint8_t flags, uint16_t iterations, uint8_t salt_length, uint8_t *salt)
 Signs the zone with NSEC3, and returns a newly allocated signed zone. More...
 

Macro Definition Documentation

◆ LDNS_SIGN_DNSKEY_WITH_ZSK

#define LDNS_SIGN_DNSKEY_WITH_ZSK   1

dnssec_verify

Sign flag that makes DNSKEY type signed by all keys, not only by SEP keys

Definition at line 15 of file dnssec_sign.h.

◆ LDNS_SIGN_WITH_ALL_ALGORITHMS

#define LDNS_SIGN_WITH_ALL_ALGORITHMS   2

Definition at line 16 of file dnssec_sign.h.

◆ LDNS_SIGN_NO_KEYS_NO_NSECS

#define LDNS_SIGN_NO_KEYS_NO_NSECS   4

Definition at line 17 of file dnssec_sign.h.

◆ LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384

#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA384   8

Definition at line 18 of file dnssec_sign.h.

◆ LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512

#define LDNS_SIGN_WITH_ZONEMD_SIMPLE_SHA512   16

Definition at line 19 of file dnssec_sign.h.

Function Documentation

◆ ldns_create_empty_rrsig()

◆ ldns_sign_public_buffer()

ldns_rdf* ldns_sign_public_buffer ( ldns_buffer sign_buf,
ldns_key key 
)

Sign the buffer which contains the wiredata of an rrset, and the corresponding empty rrsig rr with the given key.

Parameters
[in]sign_bufthe buffer with data to sign
[in]keythe key to sign with
Returns
an rdata field with the signature data

Definition at line 128 of file dnssec_sign.c.

References ldns_key_algorithm(), ldns_key_evp_key(), LDNS_SIGN_DSA, LDNS_SIGN_DSA_NSEC3, LDNS_SIGN_ECC_GOST, LDNS_SIGN_ECDSAP256SHA256, LDNS_SIGN_ECDSAP384SHA384, LDNS_SIGN_ED25519, LDNS_SIGN_ED448, ldns_sign_public_evp(), LDNS_SIGN_RSAMD5, LDNS_SIGN_RSASHA1, LDNS_SIGN_RSASHA1_NSEC3, LDNS_SIGN_RSASHA256, and LDNS_SIGN_RSASHA512.

◆ ldns_sign_public()

◆ ldns_sign_public_dsa()

ldns_rdf* ldns_sign_public_dsa ( ldns_buffer to_sign,
DSA *  key 
)

Sign a buffer with the DSA key (hash with SHA1)

Parameters
[in]to_signThe ldns_buffer containing raw data that is to be signed
[in]keyThe DSA key structure to sign with
Returns
a ldns_rdf for the RRSIG ldns_rr

Definition at line 332 of file dnssec_sign.c.

References ldns_buffer_new(), LDNS_MAX_PACKETLEN, and R.

◆ ldns_sign_public_evp()

ldns_rdf* ldns_sign_public_evp ( ldns_buffer to_sign,
EVP_PKEY *  key,
const EVP_MD *  digest_type 
)

Sign data with EVP (general method for different algorithms)

Parameters
[in]to_signThe ldns_buffer containing raw data that is to be signed
[in]keyThe EVP_PKEY key structure to sign with
[in]digest_typeThe digest algorithm to use in the creation of the signature
Returns
ldns_rdf for the RRSIG ldns_rr

Definition at line 443 of file dnssec_sign.c.

References ldns_buffer_free(), ldns_buffer_new(), and LDNS_MAX_PACKETLEN.

◆ ldns_sign_public_rsasha1()

ldns_rdf* ldns_sign_public_rsasha1 ( ldns_buffer to_sign,
RSA *  key 
)

Sign a buffer with the RSA key (hash with SHA1)

Parameters
[in]to_signbuffer with the data
[in]keythe key to use
Returns
a ldns_rdf with the signed data

Definition at line 572 of file dnssec_sign.c.

References ldns_buffer_new(), and LDNS_MAX_PACKETLEN.

◆ ldns_sign_public_rsamd5()

ldns_rdf* ldns_sign_public_rsamd5 ( ldns_buffer to_sign,
RSA *  key 
)

Sign a buffer with the RSA key (hash with MD5)

Parameters
[in]to_signbuffer with the data
[in]keythe key to use
Returns
a ldns_rdf with the signed data

Definition at line 608 of file dnssec_sign.c.

References ldns_buffer_new(), and LDNS_MAX_PACKETLEN.

◆ ldns_dnssec_zone_mark_and_get_glue()

ldns_status ldns_dnssec_zone_mark_and_get_glue ( ldns_dnssec_zone zone,
ldns_rr_list glue_list 
)

Marks the names in the zone that are occluded.

Those names will be skipped when walking the tree with the ldns_dnssec_name_node_next_nonglue() function. But watch out! Names that are partially occluded (like glue with the same name as the delegation) will not be marked and should specifically be taken into account separately.

When glue_list is given (not NULL), in the process of marking the names, all glue resource records will be pushed to that list, even glue at the delegation name.

Parameters
[in]zonethe zone in which to mark the names
[in]glue_listthe list to which to push the glue rrs
Returns
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 672 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_dname_is_subdomain(), ldns_dnssec_name_name(), ldns_dnssec_rrsets_contains_type(), ldns_rbtree_first(), ldns_rbtree_next(), LDNS_RBTREE_NULL, LDNS_RR_TYPE_SOA, LDNS_STATUS_NULL, ldns_struct_dnssec_zone::names, and ldns_struct_dnssec_name::rrsets.

◆ ldns_dnssec_zone_mark_glue()

ldns_status ldns_dnssec_zone_mark_glue ( ldns_dnssec_zone zone)

Marks the names in the zone that are occluded.

Those names will be skipped when walking the tree with the ldns_dnssec_name_node_next_nonglue() function. But watch out! Names that are partially occluded (like glue with the same name as the delegation) will not be marked and should specifically be taken into account separately.

Parameters
[in]zonethe zone in which to mark the names
Returns
LDNS_STATUS_OK on successful completion, an error code otherwise

Definition at line 751 of file dnssec_sign.c.

References ldns_dnssec_zone_mark_and_get_glue().

◆ ldns_dnssec_name_node_next_nonglue()

ldns_rbnode_t* ldns_dnssec_name_node_next_nonglue ( ldns_rbnode_t node)

Finds the first dnssec_name node in the rbtree that is not occluded.

It does return names that are partially occluded.

Parameters
[in]nodethe first node to check
Returns
the first node that has not been marked as glue, or NULL if not found (TODO: make that LDNS_RBTREE_NULL?)

Definition at line 757 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_struct_dnssec_name::is_glue, ldns_rbtree_next(), and LDNS_RBTREE_NULL.

◆ ldns_dnssec_zone_create_nsecs()

ldns_status ldns_dnssec_zone_create_nsecs ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs 
)

Adds NSEC records to the given dnssec_zone.

Parameters
[in]zonethe zone to add the records to
[in]new_rrsldns_rr's created by this function are added to this rr list, so the caller can free them later
Returns
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 783 of file dnssec_sign.c.

References ldns_rbnode_t::data, LDNS_DEFAULT_TTL, ldns_dnssec_create_nsec(), ldns_dnssec_name_add_rr(), ldns_dnssec_name_find_rrset(), ldns_dnssec_name_node_next_nonglue(), ldns_rbtree_first(), ldns_rbtree_next(), ldns_rdf2native_int32(), ldns_rr_free(), ldns_rr_list_push_rr(), ldns_rr_rdf(), ldns_rr_set_ttl(), ldns_rr_ttl(), LDNS_RR_TYPE_NSEC, LDNS_RR_TYPE_SOA, LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_struct_dnssec_zone::names, ldns_struct_dnssec_rrs::rr, ldns_struct_dnssec_rrsets::rrs, and ldns_struct_dnssec_zone::soa.

◆ ldns_dnssec_zone_create_nsec3s()

ldns_status ldns_dnssec_zone_create_nsec3s ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Adds NSEC3 records to the zone.

Definition at line 1004 of file dnssec_sign.c.

◆ ldns_dnssec_remove_signatures()

ldns_dnssec_rrs* ldns_dnssec_remove_signatures ( ldns_dnssec_rrs signatures,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg 
)

remove signatures if callback function tells to

Parameters
[in]signatureslist of signatures to check, and possibly remove, depending on the value of the callback
[in]key_listthese are marked to be used or not, on the return value of the callback
[in]functhis function is called to specify what to do with each signature (and corresponding key)
[in]argOptional argument for the callback function
Returns
pointer to the new signatures rrs (the original passed to this function may have been removed)

◆ ldns_dnssec_zone_create_rrsigs_flg()

ldns_status ldns_dnssec_zone_create_rrsigs_flg ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
int  flags 
)

Adds signatures to the zone.

Parameters
[in]zonethe zone to add RRSIG Resource Records to
[in]new_rrsthe RRSIG RRs that are created are also added to this list, so the caller can free them later
[in]key_listlist of keys to sign with.
[in]funcCallback function to decide what keys to use and what to do with old signatures
[in]argOptional argument for the callback function
[in]flagsoption flags for signing process. 0 makes DNSKEY RRset signed with the minimal key set, that is only SEP keys are used for signing. If there are no SEP keys available, non-SEP keys will be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all keys. 0 is the default.
Returns
LDNS_STATUS_OK on success, error otherwise

Definition at line 1215 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_struct_dnssec_name::is_glue, ldns_dnssec_remove_signatures(), ldns_dnssec_rrsets_contains_type(), ldns_key2rr(), ldns_key_list_key(), ldns_key_list_key_count(), ldns_key_list_set_use(), ldns_rbtree_first(), LDNS_RBTREE_NULL, ldns_rr_list_new(), ldns_rr_list_push_rr(), LDNS_RR_TYPE_CDNSKEY, LDNS_RR_TYPE_CDS, LDNS_RR_TYPE_DNSKEY, LDNS_RR_TYPE_NS, LDNS_RR_TYPE_SOA, LDNS_SIGN_DNSKEY_WITH_ZSK, LDNS_STATUS_OK, ldns_struct_dnssec_zone::names, ldns_struct_dnssec_name::rrsets, ldns_struct_dnssec_rrsets::signatures, and ldns_struct_dnssec_rrsets::type.

◆ ldns_dnssec_zone_create_rrsigs()

ldns_status ldns_dnssec_zone_create_rrsigs ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg 
)

Adds signatures to the zone.

Parameters
[in]zonethe zone to add RRSIG Resource Records to
[in]new_rrsthe RRSIG RRs that are created are also added to this list, so the caller can free them later
[in]key_listlist of keys to sign with.
[in]funcCallback function to decide what keys to use and what to do with old signatures
[in]argOptional argument for the callback function
Returns
LDNS_STATUS_OK on success, error otherwise

Definition at line 1110 of file dnssec_sign.c.

References ldns_dnssec_zone_create_rrsigs_flg().

◆ ldns_dnssec_zone_sign_flg()

ldns_status ldns_dnssec_zone_sign_flg ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
int  flags 
)

signs the given zone with the given keys

Parameters
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: LDNS_SIGNATURE_LEAVE_ADD_NEW: leave the signature and add a new one for the corresponding key LDNS_SIGNATURE_REMOVE_ADD_NEW: remove the signature and replace is with a new one from the same key LDNS_SIGNATURE_LEAVE_NO_ADD: leave the signature and do not add a new one with the corresponding key LDNS_SIGNATURE_REMOVE_NO_ADD: remove the signature and do not replace
[in]argoptional argument for the callback function
[in]flagsoption flags for signing process. 0 makes DNSKEY RRset signed with the minimal key set, that is only SEP keys are used for signing. If there are no SEP keys available, non-SEP keys will be used. LDNS_SIGN_DNSKEY_WITH_ZSK makes DNSKEY type signed with all keys. 0 is the default.
Returns
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1373 of file dnssec_sign.c.

References ldns_rbnode_t::data, dnssec_zone_equip_zonemd(), ldns_dnssec_zone_create_nsecs(), ldns_dnssec_zone_create_rrsigs_flg(), ldns_dnssec_zone_mark_glue(), ldns_key_list_key_count(), LDNS_RR_TYPE_ZONEMD, LDNS_SIGN_NO_KEYS_NO_NSECS, LDNS_SIGN_WITH_ZONEMD, LDNS_STATUS_ERR, LDNS_STATUS_OK, ldns_struct_dnssec_zone::names, ldns_struct_dnssec_rrsets::next, ldns_rbtree_t::root, ldns_struct_dnssec_rrsets::rrs, ldns_struct_dnssec_name::rrsets, ldns_struct_dnssec_rrsets::signatures, ldns_struct_dnssec_zone::soa, and ldns_struct_dnssec_rrsets::type.

◆ ldns_dnssec_zone_sign_nsec3_flg()

ldns_status ldns_dnssec_zone_sign_nsec3_flg ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt,
int  signflags 
)

signs the given zone with the given new zone, with NSEC3

Parameters
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures
[in]argoptional argument for the callback function
[in]algorithmthe NSEC3 hashing algorithm to use
[in]flagsNSEC3 flags
[in]iterationsthe number of NSEC3 hash iterations to use
[in]salt_lengththe length (in octets) of the NSEC3 salt
[in]saltthe NSEC3 salt data
[in]signflagsoption flags for signing process. 0 is the default.
Returns
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1583 of file dnssec_sign.c.

References ldns_dnssec_zone_sign_nsec3_flg_mkmap().

◆ ldns_dnssec_zone_sign_nsec3_flg_mkmap()

ldns_status ldns_dnssec_zone_sign_nsec3_flg_mkmap ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt,
int  signflags,
ldns_rbtree_t **  map 
)

signs the given zone with the given new zone, with NSEC3

Parameters
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures
[in]argoptional argument for the callback function
[in]algorithmthe NSEC3 hashing algorithm to use
[in]flagsNSEC3 flags
[in]iterationsthe number of NSEC3 hash iterations to use
[in]salt_lengththe length (in octets) of the NSEC3 salt
[in]saltthe NSEC3 salt data
[in]signflagsoption flags for signing process. 0 is the default.
[out]mapa referenced rbtree pointer variable. The newly created rbtree will contain mappings from hashed owner names to the unhashed name.
Returns
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1460 of file dnssec_sign.c.

References ldns_rbnode_t::data, ldns_dnssec_zone_add_empty_nonterminals(), ldns_dnssec_zone_add_rr(), ldns_dnssec_zone_find_rrset(), ldns_dnssec_zone_mark_glue(), ldns_key_list_key_count(), ldns_nsec3_add_param_rdfs(), ldns_rdf_clone(), ldns_rdf_data(), ldns_rr_get_type(), ldns_rr_list_push_rr(), ldns_rr_new_frm_type(), ldns_rr_rdf(), ldns_rr_set_owner(), LDNS_RR_TYPE_NSEC3, LDNS_RR_TYPE_NSEC3PARAM, LDNS_RR_TYPE_ZONEMD, ldns_set_bit(), LDNS_SIGN_NO_KEYS_NO_NSECS, LDNS_SIGN_WITH_ZONEMD, LDNS_STATUS_OK, ldns_struct_dnssec_name::name, ldns_struct_dnssec_zone::names, ldns_struct_dnssec_rrsets::next, ldns_rbtree_t::root, ldns_struct_dnssec_rrsets::rrs, ldns_struct_dnssec_name::rrsets, ldns_struct_dnssec_rrsets::signatures, ldns_struct_dnssec_zone::soa, and ldns_struct_dnssec_rrsets::type.

◆ ldns_dnssec_zone_sign()

ldns_status ldns_dnssec_zone_sign ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg 
)

signs the given zone with the given keys

Parameters
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures This function takes an ldns_rr* and an optional void *arg argument, and returns one of four values: LDNS_SIGNATURE_LEAVE_ADD_NEW: leave the signature and add a new one for the corresponding key LDNS_SIGNATURE_REMOVE_ADD_NEW: remove the signature and replace is with a new one from the same key LDNS_SIGNATURE_LEAVE_NO_ADD: leave the signature and do not add a new one with the corresponding key LDNS_SIGNATURE_REMOVE_NO_ADD: remove the signature and do not replace
[in]argoptional argument for the callback function
Returns
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1361 of file dnssec_sign.c.

References ldns_dnssec_zone_sign_flg().

◆ ldns_dnssec_zone_sign_nsec3()

ldns_status ldns_dnssec_zone_sign_nsec3 ( ldns_dnssec_zone zone,
ldns_rr_list new_rrs,
ldns_key_list key_list,
int(*)(ldns_rr *, void *)  func,
void *  arg,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

signs the given zone with the given new zone, with NSEC3

Parameters
[in]zonethe zone to sign
[in]key_listthe list of keys to sign the zone with
[in]new_rrsnewly created resource records are added to this list, to free them later
[in]funccallback function that decides what to do with old signatures
[in]argoptional argument for the callback function
[in]algorithmthe NSEC3 hashing algorithm to use
[in]flagsNSEC3 flags
[in]iterationsthe number of NSEC3 hash iterations to use
[in]salt_lengththe length (in octets) of the NSEC3 salt
[in]saltthe NSEC3 salt data
Returns
LDNS_STATUS_OK on success, an error code otherwise

Definition at line 1443 of file dnssec_sign.c.

References ldns_dnssec_zone_sign_nsec3_flg_mkmap().

◆ ldns_zone_sign()

ldns_zone* ldns_zone_sign ( const ldns_zone zone,
ldns_key_list key_list 
)

◆ ldns_zone_sign_nsec3()

ldns_zone* ldns_zone_sign_nsec3 ( ldns_zone zone,
ldns_key_list key_list,
uint8_t  algorithm,
uint8_t  flags,
uint16_t  iterations,
uint8_t  salt_length,
uint8_t *  salt 
)

Signs the zone with NSEC3, and returns a newly allocated signed zone.

Parameters
[in]zonethe zone to sign
[in]key_listlist of keys to sign with
[in]algorithmthe NSEC3 hashing algorithm to use
[in]flagsNSEC3 flags
[in]iterationsthe number of NSEC3 hash iterations to use
[in]salt_lengththe length (in octets) of the NSEC3 salt
[in]saltthe NSEC3 salt data
Returns
signed zone

Definition at line 1642 of file dnssec_sign.c.

References ldns_dnssec_default_replace_signatures(), ldns_dnssec_zone_add_rr(), ldns_dnssec_zone_free(), ldns_dnssec_zone_new(), ldns_dnssec_zone_sign_nsec3(), ldns_rr_clone(), ldns_rr_list_deep_free(), ldns_rr_list_new(), ldns_rr_list_push_rr(), ldns_rr_list_rr(), ldns_rr_list_rr_count(), ldns_zone_new(), ldns_zone_push_rr(), ldns_zone_rrs(), ldns_zone_set_soa(), and ldns_zone_soa().