dnssec_verify.h
Go to the documentation of this file.
1
3#ifndef LDNS_DNSSEC_VERIFY_H
4#define LDNS_DNSSEC_VERIFY_H
5
6#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS 10
7
8#include <ldns/dnssec.h>
9#include <ldns/host2str.h>
10
11#ifdef __cplusplus
12extern "C" {
13#endif
14
19typedef struct ldns_dnssec_data_chain_struct ldns_dnssec_data_chain;
30
35ldns_dnssec_data_chain *ldns_dnssec_data_chain_new(void);
36
42void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain);
43
50void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain);
51
58void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain);
59
67void ldns_dnssec_data_chain_print_fmt(FILE *out,
68 const ldns_output_format *fmt,
69 const ldns_dnssec_data_chain *chain);
70
86ldns_dnssec_data_chain *ldns_dnssec_build_data_chain(ldns_resolver *res,
87 const uint16_t qflags,
88 const ldns_rr_list *data_set,
89 const ldns_pkt *pkt,
90 ldns_rr *orig_rr);
91
121typedef struct ldns_dnssec_trust_tree_struct ldns_dnssec_trust_tree;
134
140ldns_dnssec_trust_tree *ldns_dnssec_trust_tree_new(void);
141
150void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree);
151
158size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree);
159
172void ldns_dnssec_trust_tree_print(FILE *out,
173 ldns_dnssec_trust_tree *tree,
174 size_t tabs,
175 bool extended);
176
190void ldns_dnssec_trust_tree_print_fmt(FILE *out,
191 const ldns_output_format *fmt,
192 ldns_dnssec_trust_tree *tree,
193 size_t tabs,
194 bool extended);
195
206ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree,
207 const ldns_dnssec_trust_tree *parent,
208 const ldns_rr *parent_signature,
209 const ldns_status parent_status);
210
222ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree(
223 ldns_dnssec_data_chain *data_chain,
224 ldns_rr *rr);
225
238ldns_dnssec_trust_tree *ldns_dnssec_derive_trust_tree_time(
239 ldns_dnssec_data_chain *data_chain,
240 ldns_rr *rr, time_t check_time);
241
249void ldns_dnssec_derive_trust_tree_normal_rrset(
250 ldns_dnssec_trust_tree *new_tree,
251 ldns_dnssec_data_chain *data_chain,
252 ldns_rr *cur_sig_rr);
253
262void ldns_dnssec_derive_trust_tree_normal_rrset_time(
263 ldns_dnssec_trust_tree *new_tree,
264 ldns_dnssec_data_chain *data_chain,
265 ldns_rr *cur_sig_rr, time_t check_time);
266
267
276void ldns_dnssec_derive_trust_tree_dnskey_rrset(
277 ldns_dnssec_trust_tree *new_tree,
278 ldns_dnssec_data_chain *data_chain,
279 ldns_rr *cur_rr,
280 ldns_rr *cur_sig_rr);
281
291void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(
292 ldns_dnssec_trust_tree *new_tree,
293 ldns_dnssec_data_chain *data_chain,
294 ldns_rr *cur_rr, ldns_rr *cur_sig_rr,
295 time_t check_time);
296
304void ldns_dnssec_derive_trust_tree_ds_rrset(
305 ldns_dnssec_trust_tree *new_tree,
306 ldns_dnssec_data_chain *data_chain,
307 ldns_rr *cur_rr);
308
317void ldns_dnssec_derive_trust_tree_ds_rrset_time(
318 ldns_dnssec_trust_tree *new_tree,
319 ldns_dnssec_data_chain *data_chain,
320 ldns_rr *cur_rr, time_t check_time);
321
329void ldns_dnssec_derive_trust_tree_no_sig(
330 ldns_dnssec_trust_tree *new_tree,
331 ldns_dnssec_data_chain *data_chain);
332
341void ldns_dnssec_derive_trust_tree_no_sig_time(
342 ldns_dnssec_trust_tree *new_tree,
343 ldns_dnssec_data_chain *data_chain,
344 time_t check_time);
345
346
358ldns_status ldns_dnssec_trust_tree_contains_keys(
359 ldns_dnssec_trust_tree *tree,
360 ldns_rr_list *keys);
361
373ldns_status ldns_verify(ldns_rr_list *rrset,
374 ldns_rr_list *rrsig,
375 const ldns_rr_list *keys,
376 ldns_rr_list *good_keys);
377
390ldns_status ldns_verify_time(const ldns_rr_list *rrset,
391 const ldns_rr_list *rrsig,
392 const ldns_rr_list *keys,
393 time_t check_time,
394 ldns_rr_list *good_keys);
395
396
409ldns_status ldns_verify_notime(ldns_rr_list *rrset,
410 ldns_rr_list *rrsig,
411 const ldns_rr_list *keys,
412 ldns_rr_list *good_keys);
413
428ldns_rr_list *ldns_fetch_valid_domain_keys(const ldns_resolver * res,
429 const ldns_rdf * domain,
430 const ldns_rr_list * keys,
431 ldns_status *status);
432
448ldns_rr_list *ldns_fetch_valid_domain_keys_time(const ldns_resolver * res,
449 const ldns_rdf * domain, const ldns_rr_list * keys,
450 time_t check_time, ldns_status *status);
451
452
463ldns_rr_list *ldns_validate_domain_dnskey (const ldns_resolver *res,
464 const ldns_rdf *domain,
465 const ldns_rr_list *keys);
466
478ldns_rr_list *ldns_validate_domain_dnskey_time(
479 const ldns_resolver *res, const ldns_rdf *domain,
480 const ldns_rr_list *keys, time_t check_time);
481
482
491ldns_rr_list *ldns_validate_domain_ds(const ldns_resolver *res,
492 const ldns_rdf *
493 domain,
494 const ldns_rr_list * keys);
495
505ldns_rr_list *ldns_validate_domain_ds_time(
506 const ldns_resolver *res, const ldns_rdf *domain,
507 const ldns_rr_list * keys, time_t check_time);
508
509
521ldns_status ldns_verify_trusted(ldns_resolver *res,
522 ldns_rr_list *rrset,
523 ldns_rr_list *rrsigs,
524 ldns_rr_list *validating_keys);
525
538ldns_status ldns_verify_trusted_time(
539 ldns_resolver *res, ldns_rr_list *rrset,
540 ldns_rr_list *rrsigs, time_t check_time,
541 ldns_rr_list *validating_keys);
542
543
554ldns_status ldns_dnssec_verify_denial(ldns_rr *rr,
555 ldns_rr_list *nsecs,
556 ldns_rr_list *rrsigs);
557
575ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr,
576 ldns_rr_list *nsecs,
577 ldns_rr_list *rrsigs,
578 ldns_pkt_rcode packet_rcode,
579 ldns_rr_type packet_qtype,
580 bool packet_nodata);
581
600ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr,
601 ldns_rr_list *nsecs,
602 ldns_rr_list *rrsigs,
603 ldns_pkt_rcode packet_rcode,
604 ldns_rr_type packet_qtype,
605 bool packet_nodata,
606 ldns_rr **match);
617ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf,
618 ldns_buffer *verify_buf,
619 ldns_buffer *key_buf,
620 uint8_t algo);
621
633ldns_status ldns_verify_rrsig_buffers_raw(unsigned char* sig,
634 size_t siglen,
635 ldns_buffer *verify_buf,
636 unsigned char* key,
637 size_t keylen,
638 uint8_t algo);
639
651ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset,
652 ldns_rr *rrsig,
653 const ldns_rr_list *keys,
654 ldns_rr_list *good_keys);
655
668ldns_status ldns_verify_rrsig_keylist_time(
669 const ldns_rr_list *rrset, const ldns_rr *rrsig,
670 const ldns_rr_list *keys, time_t check_time,
671 ldns_rr_list *good_keys);
672
673
685ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset,
686 const ldns_rr *rrsig,
687 const ldns_rr_list *keys,
688 ldns_rr_list *good_keys);
689
697ldns_status ldns_verify_rrsig(ldns_rr_list *rrset,
698 ldns_rr *rrsig,
699 ldns_rr *key);
700
701
710ldns_status ldns_verify_rrsig_time(
711 ldns_rr_list *rrset, ldns_rr *rrsig,
712 ldns_rr *key, time_t check_time);
713
714
715#if LDNS_BUILD_CONFIG_HAVE_SSL
725ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig,
726 ldns_buffer *rrset,
727 EVP_PKEY *key,
728 const EVP_MD *digest_type);
729
738ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig,
739 size_t siglen,
740 const ldns_buffer *rrset,
741 EVP_PKEY *key,
742 const EVP_MD *digest_type);
743#endif
744
753ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig,
754 ldns_buffer *rrset,
755 ldns_buffer *key);
756
765ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig,
766 ldns_buffer *rrset,
767 ldns_buffer *key);
768
777ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig,
778 ldns_buffer *rrset,
779 ldns_buffer *key);
780
789ldns_status ldns_verify_rrsig_dsa_raw(unsigned char* sig,
790 size_t siglen,
791 ldns_buffer* rrset,
792 unsigned char* key,
793 size_t keylen);
794
803ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char* sig,
804 size_t siglen,
805 ldns_buffer* rrset,
806 unsigned char* key,
807 size_t keylen);
808
818ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char* sig,
819 size_t siglen,
820 ldns_buffer* rrset,
821 unsigned char* key,
822 size_t keylen);
823
832ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char* sig,
833 size_t siglen,
834 ldns_buffer* rrset,
835 unsigned char* key,
836 size_t keylen);
837
846ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char* sig,
847 size_t siglen,
848 ldns_buffer* rrset,
849 unsigned char* key,
850 size_t keylen);
851
852#ifdef __cplusplus
853}
854#endif
855
856#endif
857
dnssec.h
This module contains base functions for DNSSEC operations (RFC4033 t/m RFC4035).
ldns_dnssec_trust_tree_contains_keys
ldns_status ldns_dnssec_trust_tree_contains_keys(ldns_dnssec_trust_tree *tree, ldns_rr_list *keys)
Returns OK if there is a trusted path in the tree to one of the DNSKEY or DS RRs in the given list.
Definition dnssec_verify.c:1049
ldns_dnssec_derive_trust_tree
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree(ldns_dnssec_data_chain *data_chain, ldns_rr *rr)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
Definition dnssec_verify.c:786
ldns_validate_domain_ds
ldns_rr_list * ldns_validate_domain_ds(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DS RRset for the given domain using the provided trusted keys.
Definition dnssec_verify.c:1418
ldns_verify_rrsig_buffers_raw
ldns_status ldns_verify_rrsig_buffers_raw(unsigned char *sig, size_t siglen, ldns_buffer *verify_buf, unsigned char *key, size_t keylen, uint8_t algo)
Like ldns_verify_rrsig_buffers, but uses raw data.
Definition dnssec_verify.c:2021
ldns_dnssec_data_chain_print
void ldns_dnssec_data_chain_print(FILE *out, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition dnssec_verify.c:91
ldns_dnssec_derive_trust_tree_dnskey_rrset_time
void ldns_dnssec_derive_trust_tree_dnskey_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
Definition dnssec_verify.c:883
ldns_validate_domain_dnskey_time
ldns_rr_list * ldns_validate_domain_dnskey_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
Definition dnssec_verify.c:1267
ldns_verify_rrsig_keylist_time
ldns_status ldns_verify_rrsig_keylist_time(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies an rrsig.
Definition dnssec_verify.c:2398
ldns_verify_notime
ldns_status ldns_verify_notime(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset, but disregard the time.
Definition dnssec_verify.c:1149
ldns_verify_rrsig_keylist
ldns_status ldns_verify_rrsig_keylist(ldns_rr_list *rrset, ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
Definition dnssec_verify.c:2442
ldns_verify_rrsig_rsasha256_raw
ldns_status ldns_verify_rrsig_rsasha256_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha256, but uses raw signature and key data.
Definition dnssec_verify.c:2735
ldns_fetch_valid_domain_keys_time
ldns_rr_list * ldns_fetch_valid_domain_keys_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
Definition dnssec_verify.c:1189
ldns_fetch_valid_domain_keys
ldns_rr_list * ldns_fetch_valid_domain_keys(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, ldns_status *status)
Tries to build an authentication chain from the given keys down to the queried domain.
Definition dnssec_verify.c:1257
ldns_verify_rrsig_rsasha1
ldns_status ldns_verify_rrsig_rsasha1(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSASHA1) for a buffer with rrset data with a buffer with key d...
Definition dnssec_verify.c:2660
ldns_dnssec_derive_trust_tree_dnskey_rrset
void ldns_dnssec_derive_trust_tree_dnskey_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for DNSKEY rrsets.
Definition dnssec_verify.c:920
ldns_verify_rrsig_keylist_notime
ldns_status ldns_verify_rrsig_keylist_notime(const ldns_rr_list *rrset, const ldns_rr *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies an rrsig.
Definition dnssec_verify.c:2452
ldns_dnssec_verify_denial
ldns_status ldns_dnssec_verify_denial(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs)
denial is not just a river in egypt
Definition dnssec_verify.c:1501
ldns_validate_domain_dnskey
ldns_rr_list * ldns_validate_domain_dnskey(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys)
Validates the DNSKEY RRset for the given domain using the provided trusted keys.
Definition dnssec_verify.c:1361
ldns_dnssec_build_data_chain
ldns_dnssec_data_chain * ldns_dnssec_build_data_chain(ldns_resolver *res, const uint16_t qflags, const ldns_rr_list *data_set, const ldns_pkt *pkt, ldns_rr *orig_rr)
Build an ldns_dnssec_data_chain, which contains all DNSSEC data that is needed to derive the trust tr...
Definition dnssec_verify.c:270
ldns_verify_rrsig_dsa_raw
ldns_status ldns_verify_rrsig_dsa_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_dsa, but uses raw signature and key data.
Definition dnssec_verify.c:2682
ldns_verify_trusted
ldns_status ldns_verify_trusted(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
Definition dnssec_verify.c:1489
ldns_verify_rrsig_rsamd5
ldns_status ldns_verify_rrsig_rsamd5(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (RSAMD5) for a buffer with rrset data with a buffer with key da...
Definition dnssec_verify.c:2671
ldns_verify_rrsig_buffers
ldns_status ldns_verify_rrsig_buffers(ldns_buffer *rawsig_buf, ldns_buffer *verify_buf, ldns_buffer *key_buf, uint8_t algo)
Verifies the already processed data in the buffers This function should probably not be used directly...
Definition dnssec_verify.c:2009
ldns_verify_rrsig
ldns_status ldns_verify_rrsig(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key)
verify an rrsig with 1 key
Definition dnssec_verify.c:2579
ldns_dnssec_derive_trust_tree_no_sig
void ldns_dnssec_derive_trust_tree_no_sig(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain)
Sub function for derive_trust_tree that is used when there are no signatures.
Definition dnssec_verify.c:1036
ldns_dnssec_derive_trust_tree_no_sig_time
void ldns_dnssec_derive_trust_tree_no_sig_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, time_t check_time)
Sub function for derive_trust_tree that is used when there are no signatures.
Definition dnssec_verify.c:983
ldns_dnssec_data_chain_deep_free
void ldns_dnssec_data_chain_deep_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure, and all data contained therein.
Definition dnssec_verify.c:45
ldns_verify_rrsig_rsasha1_raw
ldns_status ldns_verify_rrsig_rsasha1_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha1, but uses raw signature and key data.
Definition dnssec_verify.c:2713
ldns_verify_rrsig_rsasha512_raw
ldns_status ldns_verify_rrsig_rsasha512_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsasha512, but uses raw signature and key data.
Definition dnssec_verify.c:2770
ldns_verify_trusted_time
ldns_status ldns_verify_trusted_time(ldns_resolver *res, ldns_rr_list *rrset, ldns_rr_list *rrsigs, time_t check_time, ldns_rr_list *validating_keys)
Verifies a list of signatures for one RRset using a valid trust path.
Definition dnssec_verify.c:1426
ldns_dnssec_verify_denial_nsec3
ldns_status ldns_dnssec_verify_denial_nsec3(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata)
Denial of existence using NSEC3 records Since NSEC3 is a bit more complicated than normal denial,...
Definition dnssec_verify.c:1810
ldns_dnssec_trust_tree_add_parent
ldns_status ldns_dnssec_trust_tree_add_parent(ldns_dnssec_trust_tree *tree, const ldns_dnssec_trust_tree *parent, const ldns_rr *parent_signature, const ldns_status parent_status)
Adds a trust tree as a parent for the given trust tree.
Definition dnssec_verify.c:658
ldns_verify_rrsig_dsa
ldns_status ldns_verify_rrsig_dsa(ldns_buffer *sig, ldns_buffer *rrset, ldns_buffer *key)
verifies a buffer with signature data (DSA) for a buffer with rrset data with a buffer with key data.
Definition dnssec_verify.c:2649
LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
#define LDNS_DNSSEC_TRUST_TREE_MAX_PARENTS
dnssec_verify
Definition dnssec_verify.h:6
ldns_verify_rrsig_rsamd5_raw
ldns_status ldns_verify_rrsig_rsamd5_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, unsigned char *key, size_t keylen)
Like ldns_verify_rrsig_rsamd5, but uses raw signature and key data.
Definition dnssec_verify.c:2806
ldns_validate_domain_ds_time
ldns_rr_list * ldns_validate_domain_ds_time(const ldns_resolver *res, const ldns_rdf *domain, const ldns_rr_list *keys, time_t check_time)
Validates the DS RRset for the given domain using the provided trusted keys.
Definition dnssec_verify.c:1370
ldns_dnssec_data_chain_print_fmt
void ldns_dnssec_data_chain_print_fmt(FILE *out, const ldns_output_format *fmt, const ldns_dnssec_data_chain *chain)
Prints the dnssec_data_chain to the given file stream.
Definition dnssec_verify.c:56
ldns_verify_rrsig_evp_raw
ldns_status ldns_verify_rrsig_evp_raw(const unsigned char *sig, size_t siglen, const ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
Like ldns_verify_rrsig_evp, but uses raw signature data.
Definition dnssec_verify.c:2600
ldns_dnssec_trust_tree_new
ldns_dnssec_trust_tree * ldns_dnssec_trust_tree_new(void)
Creates a new (empty) dnssec_trust_tree structure.
Definition dnssec_verify.c:445
ldns_dnssec_data_chain_free
void ldns_dnssec_data_chain_free(ldns_dnssec_data_chain *chain)
Frees a dnssec_data_chain structure.
Definition dnssec_verify.c:39
ldns_verify_rrsig_time
ldns_status ldns_verify_rrsig_time(ldns_rr_list *rrset, ldns_rr *rrsig, ldns_rr *key, time_t check_time)
verify an rrsig with 1 key
Definition dnssec_verify.c:2536
ldns_dnssec_data_chain_new
ldns_dnssec_data_chain * ldns_dnssec_data_chain_new(void)
Creates a new dnssec_chain structure.
Definition dnssec_verify.c:19
ldns_verify_time
ldns_status ldns_verify_time(const ldns_rr_list *rrset, const ldns_rr_list *rrsig, const ldns_rr_list *keys, time_t check_time, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
Definition dnssec_verify.c:1098
ldns_dnssec_derive_trust_tree_ds_rrset
void ldns_dnssec_derive_trust_tree_ds_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr)
Sub function for derive_trust_tree that is used for DS rrsets.
Definition dnssec_verify.c:974
ldns_verify
ldns_status ldns_verify(ldns_rr_list *rrset, ldns_rr_list *rrsig, const ldns_rr_list *keys, ldns_rr_list *good_keys)
Verifies a list of signatures for one rrset.
Definition dnssec_verify.c:1142
ldns_dnssec_derive_trust_tree_normal_rrset
void ldns_dnssec_derive_trust_tree_normal_rrset(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
Definition dnssec_verify.c:874
ldns_dnssec_verify_denial_nsec3_match
ldns_status ldns_dnssec_verify_denial_nsec3_match(ldns_rr *rr, ldns_rr_list *nsecs, ldns_rr_list *rrsigs, ldns_pkt_rcode packet_rcode, ldns_rr_type packet_qtype, signed char packet_nodata, ldns_rr **match)
Same as ldns_status ldns_dnssec_verify_denial_nsec3 but also returns the nsec rr that matched.
ldns_dnssec_trust_tree_depth
size_t ldns_dnssec_trust_tree_depth(ldns_dnssec_trust_tree *tree)
returns the depth of the trust tree
Definition dnssec_verify.c:470
ldns_dnssec_derive_trust_tree_time
ldns_dnssec_trust_tree * ldns_dnssec_derive_trust_tree_time(ldns_dnssec_data_chain *data_chain, ldns_rr *rr, time_t check_time)
Generates a dnssec_trust_tree for the given rr from the given data_chain.
Definition dnssec_verify.c:685
ldns_dnssec_trust_tree_free
void ldns_dnssec_trust_tree_free(ldns_dnssec_trust_tree *tree)
Frees the dnssec_trust_tree recursively.
Definition dnssec_verify.c:458
ldns_verify_rrsig_evp
ldns_status ldns_verify_rrsig_evp(ldns_buffer *sig, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type)
verifies a buffer with signature data for a buffer with rrset data with an EVP_PKEY
Definition dnssec_verify.c:2586
ldns_dnssec_trust_tree_print_fmt
void ldns_dnssec_trust_tree_print_fmt(FILE *out, const ldns_output_format *fmt, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended)
Prints the dnssec_trust_tree structure to the given file stream.
Definition dnssec_verify.c:637
ldns_dnssec_derive_trust_tree_normal_rrset_time
void ldns_dnssec_derive_trust_tree_normal_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_sig_rr, time_t check_time)
Sub function for derive_trust_tree that is used for a 'normal' rrset.
Definition dnssec_verify.c:792
ldns_dnssec_derive_trust_tree_ds_rrset_time
void ldns_dnssec_derive_trust_tree_ds_rrset_time(ldns_dnssec_trust_tree *new_tree, ldns_dnssec_data_chain *data_chain, ldns_rr *cur_rr, time_t check_time)
Sub function for derive_trust_tree that is used for DS rrsets.
Definition dnssec_verify.c:930
ldns_dnssec_trust_tree_print
void ldns_dnssec_trust_tree_print(FILE *out, ldns_dnssec_trust_tree *tree, size_t tabs, signed char extended)
Prints the dnssec_trust_tree structure to the given file stream.
Definition dnssec_verify.c:647
ldns_status
enum ldns_enum_status ldns_status
Definition error.h:148
host2str.h
host2str.h - txt presentation of RRs
ldns_pkt_rcode
enum ldns_enum_pkt_rcode ldns_pkt_rcode
Definition packet.h:69
ldns_rr_type
enum ldns_enum_rr_type ldns_rr_type
Definition rr.h:251
ldns_dnssec_data_chain_struct
Definition dnssec_verify.h:21
ldns_dnssec_data_chain_struct::packet_rcode
ldns_pkt_rcode packet_rcode
Definition dnssec_verify.h:26
ldns_dnssec_data_chain_struct::parent_type
ldns_rr_type parent_type
Definition dnssec_verify.h:24
ldns_dnssec_data_chain_struct::signatures
ldns_rr_list * signatures
Definition dnssec_verify.h:23
ldns_dnssec_data_chain_struct::packet_qtype
ldns_rr_type packet_qtype
Definition dnssec_verify.h:27
ldns_dnssec_data_chain_struct::packet_nodata
signed char packet_nodata
Definition dnssec_verify.h:28
ldns_dnssec_data_chain_struct::rrset
ldns_rr_list * rrset
Definition dnssec_verify.h:22
ldns_dnssec_data_chain_struct::parent
ldns_dnssec_data_chain * parent
Definition dnssec_verify.h:25
ldns_dnssec_trust_tree_struct
Definition dnssec_verify.h:123
ldns_dnssec_trust_tree_struct::rrset
ldns_rr_list * rrset
Definition dnssec_verify.h:126
ldns_dnssec_trust_tree_struct::parent_count
size_t parent_count
Definition dnssec_verify.h:132
ldns_dnssec_trust_tree_struct::parents
ldns_dnssec_trust_tree * parents[10]
Definition dnssec_verify.h:127
ldns_dnssec_trust_tree_struct::parent_signature
ldns_rr * parent_signature[10]
for debugging, add signatures too (you might want those if they contain errors)
Definition dnssec_verify.h:131
ldns_dnssec_trust_tree_struct::rr
ldns_rr * rr
Definition dnssec_verify.h:124
ldns_dnssec_trust_tree_struct::parent_status
ldns_status parent_status[10]
Definition dnssec_verify.h:128
ldns_struct_buffer
implementation of buffers to ease operations
Definition buffer.h:51
ldns_struct_output_format
Output format specifier.
Definition host2str.h:89
ldns_struct_pkt
DNS packet.
Definition packet.h:235
ldns_struct_rdf
Resource record data field.
Definition rdata.h:197
ldns_struct_resolver
DNS stub resolver structure.
Definition resolver.h:60
ldns_struct_rr_list
List or Set of Resource Records.
Definition rr.h:346
ldns_struct_rr
Resource Record.
Definition rr.h:318