/src/bind9/lib/dns/nsec.c

Source
/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*! \file */

#include <stdbool.h>

#include <isc/log.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>

#include <dns/db.h>
#include <dns/nsec.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>

#include <dst/dst.h>

void
dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
  unsigned int shift, mask;

  shift = 7 - (type % 8);
  mask = 1 << shift;

  if (bit != 0) {
    array[type / 8] |= mask;
  } else {
    array[type / 8] &= (~mask & 0xFF);
  }
}

bool
dns_nsec_isset(const unsigned char *array, unsigned int type) {
  unsigned int byte, shift, mask;

  byte = array[type / 8];
  shift = 7 - (type % 8);
  mask = 1 << shift;

  return (byte & mask) != 0;
}

unsigned int
dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
      unsigned int max_type) {
  unsigned char *start = map;
  unsigned int window;
  int octet;

  if (raw == NULL) {
    return 0;
  }

  for (window = 0; window < 256; window++) {
    if (window * 256 > max_type) {
      break;
    }
    for (octet = 31; octet >= 0; octet--) {
      if (*(raw + octet) != 0) {
        break;
      }
    }
    if (octet < 0) {
      raw += 32;
      continue;
    }
    *map++ = window;
    *map++ = octet + 1;
    /*
     * Note: potential overlapping move.
     */
    memmove(map, raw, octet + 1);
    map += octet + 1;
    raw += 32;
  }
  return (unsigned int)(map - start);
}

isc_result_t
dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
        const dns_name_t *target, unsigned char *buffer,
        dns_rdata_t *rdata) {
  isc_region_t r;
  unsigned int i;
  unsigned char *nsec_bits, *bm;
  unsigned int max_type;
  dns_rdatasetiter_t *rdsiter;

  REQUIRE(target != NULL);

  memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
  dns_name_toregion(target, &r);
  memmove(buffer, r.base, r.length);
  r.base = buffer;
  /*
   * Use the end of the space for a raw bitmap leaving enough
   * space for the window identifiers and length octets.
   */
  bm = r.base + r.length + 512;
  nsec_bits = r.base + r.length;
  dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
  dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
  max_type = dns_rdatatype_nsec;
  rdsiter = NULL;
  RETERR(dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter));
  DNS_RDATASETITER_FOREACH(rdsiter) {
    dns_rdataset_t rdataset = DNS_RDATASET_INIT;
    dns_rdatasetiter_current(rdsiter, &rdataset);
    if (!dns_rdatatype_isnsec(rdataset.type) &&
        rdataset.type != dns_rdatatype_rrsig)
    {
      if (rdataset.type > max_type) {
        max_type = rdataset.type;
      }
      dns_nsec_setbit(bm, rdataset.type, 1);
    }
    dns_rdataset_disassociate(&rdataset);
  }
  dns_rdatasetiter_destroy(&rdsiter);

  /*
   * At zone cuts, deny the existence of glue in the parent zone.
   */
  if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
      !dns_nsec_isset(bm, dns_rdatatype_soa))
  {
    for (i = 0; i <= max_type; i++) {
      if (dns_nsec_isset(bm, i) &&
          !dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
      {
        dns_nsec_setbit(bm, i, 0);
      }
    }
  }

  nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);

  r.length = (unsigned int)(nsec_bits - r.base);
  INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
  dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec, &r);

  return ISC_R_SUCCESS;
}

isc_result_t
dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
         const dns_name_t *target, dns_ttl_t ttl) {
  isc_result_t result;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  unsigned char data[DNS_NSEC_BUFFERSIZE];
  dns_rdatalist_t rdatalist;
  dns_rdataset_t rdataset;

  dns_rdataset_init(&rdataset);
  dns_rdata_init(&rdata);

  CHECK(dns_nsec_buildrdata(db, version, node, target, data, &rdata));

  dns_rdatalist_init(&rdatalist);
  rdatalist.rdclass = dns_db_class(db);
  rdatalist.type = dns_rdatatype_nsec;
  rdatalist.ttl = ttl;
  ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
  dns_rdatalist_tordataset(&rdatalist, &rdataset);
  result = dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
  if (result == DNS_R_UNCHANGED) {
    result = ISC_R_SUCCESS;
  }

cleanup:
  dns_rdataset_cleanup(&rdataset);
  return result;
}

bool
dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
  dns_rdata_nsec_t nsecstruct;
  isc_result_t result;
  bool present;
  unsigned int i, len, window;

  REQUIRE(nsec != NULL);
  REQUIRE(nsec->type == dns_rdatatype_nsec);

  /* This should never fail */
  result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
  INSIST(result == ISC_R_SUCCESS);

  present = false;
  for (i = 0; i < nsecstruct.len; i += len) {
    INSIST(i + 2 <= nsecstruct.len);
    window = nsecstruct.typebits[i];
    len = nsecstruct.typebits[i + 1];
    INSIST(len > 0 && len <= 32);
    i += 2;
    INSIST(i + len <= nsecstruct.len);
    if (window * 256 > type) {
      break;
    }
    if ((window + 1) * 256 <= type) {
      continue;
    }
    if (type < (window * 256) + len * 8) {
      present = dns_nsec_isset(&nsecstruct.typebits[i],
             type % 256);
    }
    break;
  }
  dns_rdata_freestruct(&nsecstruct);
  return present;
}

isc_result_t
dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
      bool *answer) {
  dns_dbnode_t *node = NULL;
  dns_rdataset_t rdataset;
  dns_rdata_dnskey_t dnskey;
  isc_result_t result;

  REQUIRE(answer != NULL);

  dns_rdataset_init(&rdataset);

  RETERR(dns_db_getoriginnode(db, &node));

  result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
             0, &rdataset, NULL);
  dns_db_detachnode(&node);

  if (result == ISC_R_NOTFOUND) {
    *answer = false;
  }
  if (result != ISC_R_SUCCESS) {
    return result;
  }
  bool matched = false;
  DNS_RDATASET_FOREACH(&rdataset) {
    dns_rdata_t rdata = DNS_RDATA_INIT;

    dns_rdataset_current(&rdataset, &rdata);
    result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
    RUNTIME_CHECK(result == ISC_R_SUCCESS);

    if (dnskey.algorithm == DST_ALG_RSAMD5 ||
        dnskey.algorithm == DST_ALG_DSA ||
        dnskey.algorithm == DST_ALG_RSASHA1)
    {
      bool deleted = false;
      if (diff != NULL) {
        ISC_LIST_FOREACH(diff->tuples, tuple, link) {
          if (tuple->rdata.type !=
                dns_rdatatype_dnskey ||
              tuple->op != DNS_DIFFOP_DEL)
          {
            continue;
          }

          if (dns_rdata_compare(
                &rdata, &tuple->rdata) == 0)
          {
            deleted = true;
            break;
          }
        }
      }

      if (!deleted) {
        matched = true;
        break;
      }
    }
  }
  dns_rdataset_disassociate(&rdataset);
  *answer = matched;
  return ISC_R_SUCCESS;
}

/*%
 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
 * or we can determine whether there is data or not at the name.
 * If the name does not exist return the wildcard name.
 *
 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
 */
isc_result_t
dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
           const dns_name_t *nsecname, dns_rdataset_t *nsecset,
           bool *exists, bool *data, dns_name_t *wild,
           dns_nseclog_t logit, void *arg) {
  int order;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  isc_result_t result;
  dns_namereln_t relation;
  unsigned int olabels, nlabels, labels;
  dns_rdata_nsec_t nsec;
  bool atparent;
  bool ns;
  bool soa;

  REQUIRE(exists != NULL);
  REQUIRE(data != NULL);
  REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec);

  result = dns_rdataset_first(nsecset);
  if (result != ISC_R_SUCCESS) {
    (*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
    return result;
  }
  dns_rdataset_current(nsecset, &rdata);

#ifdef notyet
  if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
      !dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
  {
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "NSEC missing RRSIG and/or NSEC from type map");
    return ISC_R_IGNORE;
  }
#endif

  (*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
  relation = dns_name_fullcompare(name, nsecname, &order, &olabels);

  if (order < 0) {
    /*
     * The name is not within the NSEC range.
     */
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "NSEC does not cover name, before NSEC");
    return ISC_R_IGNORE;
  }

  if (order == 0) {
    /*
     * The names are the same.   If we are validating "."
     * then atparent should not be set as there is no parent.
     */
    atparent = (olabels != 1) && dns_rdatatype_atparent(type);
    ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
    soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
    if (ns && !soa) {
      if (!atparent) {
        /*
         * This NSEC record is from somewhere higher in
         * the DNS, and at the parent of a delegation.
         * It can not be legitimately used here.
         */
        (*logit)(arg, ISC_LOG_DEBUG(3),
           "ignoring parent nsec");
        return ISC_R_IGNORE;
      }
    } else if (atparent && ns && soa) {
      /*
       * This NSEC record is from the child.
       * It can not be legitimately used here.
       */
      (*logit)(arg, ISC_LOG_DEBUG(3), "ignoring child nsec");
      return ISC_R_IGNORE;
    }
    if (type == dns_rdatatype_cname || type == dns_rdatatype_nxt ||
        type == dns_rdatatype_nsec || type == dns_rdatatype_key ||
        !dns_nsec_typepresent(&rdata, dns_rdatatype_cname))
    {
      *exists = true;
      *data = dns_nsec_typepresent(&rdata, type);
      (*logit)(arg, ISC_LOG_DEBUG(3),
         "nsec proves name exists (owner) data=%d",
         *data);
      return ISC_R_SUCCESS;
    }
    (*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
    return ISC_R_IGNORE;
  }

  if (relation == dns_namereln_subdomain &&
      dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
      !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
  {
    /*
     * This NSEC record is from somewhere higher in
     * the DNS, and at the parent of a delegation or
     * at a DNAME.
     * It can not be legitimately used here.
     */
    (*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
    return ISC_R_IGNORE;
  }

  if (relation == dns_namereln_subdomain &&
      dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
  {
    (*logit)(arg, ISC_LOG_DEBUG(3), "nsec proves covered by dname");
    *exists = false;
    return DNS_R_DNAME;
  }

  RETERR(dns_rdata_tostruct(&rdata, &nsec, NULL));
  relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
  if (order == 0) {
    dns_rdata_freestruct(&nsec);
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "ignoring nsec matches next name");
    return ISC_R_IGNORE;
  }

  if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
    /*
     * The name is not within the NSEC range.
     */
    dns_rdata_freestruct(&nsec);
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "ignoring nsec because name is past end of range");
    return ISC_R_IGNORE;
  }

  if (order > 0 && relation == dns_namereln_subdomain) {
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "nsec proves name exist (empty)");
    dns_rdata_freestruct(&nsec);
    *exists = true;
    *data = false;
    return ISC_R_SUCCESS;
  }
  if (wild != NULL) {
    dns_name_t common;
    dns_name_init(&common);
    if (olabels > nlabels) {
      labels = dns_name_countlabels(nsecname);
      dns_name_getlabelsequence(nsecname, labels - olabels,
              olabels, &common);
    } else {
      labels = dns_name_countlabels(&nsec.next);
      dns_name_getlabelsequence(&nsec.next, labels - nlabels,
              nlabels, &common);
    }
    result = dns_name_concatenate(dns_wildcardname, &common, wild);
    if (result != ISC_R_SUCCESS) {
      dns_rdata_freestruct(&nsec);
      (*logit)(arg, ISC_LOG_DEBUG(3),
         "failure generating wildcard name");
      return result;
    }
  }
  dns_rdata_freestruct(&nsec);
  (*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
  *exists = false;
  return ISC_R_SUCCESS;
}

bool
dns_nsec_requiredtypespresent(dns_rdataset_t *nsecset) {
  dns_rdataset_t rdataset = DNS_RDATASET_INIT;
  bool found = false;

  REQUIRE(DNS_RDATASET_VALID(nsecset));
  REQUIRE(nsecset->type == dns_rdatatype_nsec);

  dns_rdataset_clone(nsecset, &rdataset);

  DNS_RDATASET_FOREACH(&rdataset) {
    dns_rdata_t rdata = DNS_RDATA_INIT;
    dns_rdataset_current(&rdataset, &rdata);
    if (!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec) ||
        !dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig))
    {
      dns_rdataset_disassociate(&rdataset);
      return false;
    }
    found = true;
  }
  dns_rdataset_disassociate(&rdataset);
  return found;
}

Coverage Report

Created: 2026-01-10 06:27

Line	Count	Source
1		/*
2		* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3		*
4		* SPDX-License-Identifier: MPL-2.0
5		*
6		* This Source Code Form is subject to the terms of the Mozilla Public
7		* License, v. 2.0. If a copy of the MPL was not distributed with this
8		* file, you can obtain one at https://mozilla.org/MPL/2.0/.
9		*
10		* See the COPYRIGHT file distributed with this work for additional
11		* information regarding copyright ownership.
12		*/
13
14		/! \file /
15
16		#include <stdbool.h>
17
18		#include <isc/log.h>
19		#include <isc/result.h>
20		#include <isc/string.h>
21		#include <isc/util.h>
22
23		#include <dns/db.h>
24		#include <dns/nsec.h>
25		#include <dns/rdata.h>
26		#include <dns/rdatalist.h>
27		#include <dns/rdataset.h>
28		#include <dns/rdatasetiter.h>
29		#include <dns/rdatastruct.h>
30
31		#include <dst/dst.h>
32
33		void
34	0	dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
35	0	unsigned int shift, mask;
36
37	0	shift = 7 - (type % 8);
38	0	mask = 1 << shift;
39
40	0	if (bit != 0) {
41	0	array[type / 8] \|= mask;
42	0	} else {
43	0	array[type / 8] &= (~mask & 0xFF);
44	0	}
45	0	}
46
47		bool
48	0	dns_nsec_isset(const unsigned char *array, unsigned int type) {
49	0	unsigned int byte, shift, mask;
50
51	0	byte = array[type / 8];
52	0	shift = 7 - (type % 8);
53	0	mask = 1 << shift;
54
55	0	return (byte & mask) != 0;
56	0	}
57
58		unsigned int
59		dns_nsec_compressbitmap(unsigned char map, const unsigned char raw,
60	0	unsigned int max_type) {
61	0	unsigned char *start = map;
62	0	unsigned int window;
63	0	int octet;
64
65	0	if (raw == NULL) {
66	0	return 0;
67	0	}
68
69	0	for (window = 0; window < 256; window++) {
70	0	if (window * 256 > max_type) {
71	0	break;
72	0	}
73	0	for (octet = 31; octet >= 0; octet--) {
74	0	if (*(raw + octet) != 0) {
75	0	break;
76	0	}
77	0	}
78	0	if (octet < 0) {
79	0	raw += 32;
80	0	continue;
81	0	}
82	0	*map++ = window;
83	0	*map++ = octet + 1;
84		/*
85		* Note: potential overlapping move.
86		*/
87	0	memmove(map, raw, octet + 1);
88	0	map += octet + 1;
89	0	raw += 32;
90	0	}
91	0	return (unsigned int)(map - start);
92	0	}
93
94		isc_result_t
95		dns_nsec_buildrdata(dns_db_t db, dns_dbversion_t version, dns_dbnode_t *node,
96		const dns_name_t target, unsigned char buffer,
97	0	dns_rdata_t *rdata) {
98	0	isc_region_t r;
99	0	unsigned int i;
100	0	unsigned char nsec_bits, bm;
101	0	unsigned int max_type;
102	0	dns_rdatasetiter_t *rdsiter;
103
104	0	REQUIRE(target != NULL);
105
106	0	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
107	0	dns_name_toregion(target, &r);
108	0	memmove(buffer, r.base, r.length);
109	0	r.base = buffer;
110		/*
111		* Use the end of the space for a raw bitmap leaving enough
112		* space for the window identifiers and length octets.
113		*/
114	0	bm = r.base + r.length + 512;
115	0	nsec_bits = r.base + r.length;
116	0	dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
117	0	dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
118	0	max_type = dns_rdatatype_nsec;
119	0	rdsiter = NULL;
120	0	RETERR(dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter));
121	0	DNS_RDATASETITER_FOREACH(rdsiter) {
122	0	dns_rdataset_t rdataset = DNS_RDATASET_INIT;
123	0	dns_rdatasetiter_current(rdsiter, &rdataset);
124	0	if (!dns_rdatatype_isnsec(rdataset.type) &&
125	0	rdataset.type != dns_rdatatype_rrsig)
126	0	{
127	0	if (rdataset.type > max_type) {
128	0	max_type = rdataset.type;
129	0	}
130	0	dns_nsec_setbit(bm, rdataset.type, 1);
131	0	}
132	0	dns_rdataset_disassociate(&rdataset);
133	0	}
134	0	dns_rdatasetiter_destroy(&rdsiter);
135
136		/*
137		* At zone cuts, deny the existence of glue in the parent zone.
138		*/
139	0	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
140	0	!dns_nsec_isset(bm, dns_rdatatype_soa))
141	0	{
142	0	for (i = 0; i <= max_type; i++) {
143	0	if (dns_nsec_isset(bm, i) &&
144	0	!dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
145	0	{
146	0	dns_nsec_setbit(bm, i, 0);
147	0	}
148	0	}
149	0	}
150
151	0	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
152
153	0	r.length = (unsigned int)(nsec_bits - r.base);
154	0	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
155	0	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
156
157	0	return ISC_R_SUCCESS;
158	0	}
159
160		isc_result_t
161		dns_nsec_build(dns_db_t db, dns_dbversion_t version, dns_dbnode_t *node,
162	0	const dns_name_t *target, dns_ttl_t ttl) {
163	0	isc_result_t result;
164	0	dns_rdata_t rdata = DNS_RDATA_INIT;
165	0	unsigned char data[DNS_NSEC_BUFFERSIZE];
166	0	dns_rdatalist_t rdatalist;
167	0	dns_rdataset_t rdataset;
168
169	0	dns_rdataset_init(&rdataset);
170	0	dns_rdata_init(&rdata);
171
172	0	CHECK(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
173
174	0	dns_rdatalist_init(&rdatalist);
175	0	rdatalist.rdclass = dns_db_class(db);
176	0	rdatalist.type = dns_rdatatype_nsec;
177	0	rdatalist.ttl = ttl;
178	0	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
179	0	dns_rdatalist_tordataset(&rdatalist, &rdataset);
180	0	result = dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
181	0	if (result == DNS_R_UNCHANGED) {
182	0	result = ISC_R_SUCCESS;
183	0	}
184
185	0	cleanup:
186	0	dns_rdataset_cleanup(&rdataset);
187	0	return result;
188	0	}
189
190		bool
191	0	dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
192	0	dns_rdata_nsec_t nsecstruct;
193	0	isc_result_t result;
194	0	bool present;
195	0	unsigned int i, len, window;
196
197	0	REQUIRE(nsec != NULL);
198	0	REQUIRE(nsec->type == dns_rdatatype_nsec);
199
200		/* This should never fail */
201	0	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
202	0	INSIST(result == ISC_R_SUCCESS);
203
204	0	present = false;
205	0	for (i = 0; i < nsecstruct.len; i += len) {
206	0	INSIST(i + 2 <= nsecstruct.len);
207	0	window = nsecstruct.typebits[i];
208	0	len = nsecstruct.typebits[i + 1];
209	0	INSIST(len > 0 && len <= 32);
210	0	i += 2;
211	0	INSIST(i + len <= nsecstruct.len);
212	0	if (window * 256 > type) {
213	0	break;
214	0	}
215	0	if ((window + 1) * 256 <= type) {
216	0	continue;
217	0	}
218	0	if (type < (window * 256) + len * 8) {
219	0	present = dns_nsec_isset(&nsecstruct.typebits[i],
220	0	type % 256);
221	0	}
222	0	break;
223	0	}
224	0	dns_rdata_freestruct(&nsecstruct);
225	0	return present;
226	0	}
227
228		isc_result_t
229		dns_nsec_nseconly(dns_db_t db, dns_dbversion_t version, dns_diff_t *diff,
230	0	bool *answer) {
231	0	dns_dbnode_t *node = NULL;
232	0	dns_rdataset_t rdataset;
233	0	dns_rdata_dnskey_t dnskey;
234	0	isc_result_t result;
235
236	0	REQUIRE(answer != NULL);
237
238	0	dns_rdataset_init(&rdataset);
239
240	0	RETERR(dns_db_getoriginnode(db, &node));
241
242	0	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
243	0	0, &rdataset, NULL);
244	0	dns_db_detachnode(&node);
245
246	0	if (result == ISC_R_NOTFOUND) {
247	0	*answer = false;
248	0	}
249	0	if (result != ISC_R_SUCCESS) {
250	0	return result;
251	0	}
252	0	bool matched = false;
253	0	DNS_RDATASET_FOREACH(&rdataset) {
254	0	dns_rdata_t rdata = DNS_RDATA_INIT;
255
256	0	dns_rdataset_current(&rdataset, &rdata);
257	0	result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
258	0	RUNTIME_CHECK(result == ISC_R_SUCCESS);
259
260	0	if (dnskey.algorithm == DST_ALG_RSAMD5 \|\|
261	0	dnskey.algorithm == DST_ALG_DSA \|\|
262	0	dnskey.algorithm == DST_ALG_RSASHA1)
263	0	{
264	0	bool deleted = false;
265	0	if (diff != NULL) {
266	0	ISC_LIST_FOREACH(diff->tuples, tuple, link) {
267	0	if (tuple->rdata.type !=
268	0	dns_rdatatype_dnskey \|\|
269	0	tuple->op != DNS_DIFFOP_DEL)
270	0	{
271	0	continue;
272	0	}
273
274	0	if (dns_rdata_compare(
275	0	&rdata, &tuple->rdata) == 0)
276	0	{
277	0	deleted = true;
278	0	break;
279	0	}
280	0	}
281	0	}
282
283	0	if (!deleted) {
284	0	matched = true;
285	0	break;
286	0	}
287	0	}
288	0	}
289	0	dns_rdataset_disassociate(&rdataset);
290	0	*answer = matched;
291	0	return ISC_R_SUCCESS;
292	0	}
293
294		/*%
295		* Return ISC_R_SUCCESS if we can determine that the name doesn't exist
296		* or we can determine whether there is data or not at the name.
297		* If the name does not exist return the wildcard name.
298		*
299		* Return ISC_R_IGNORE when the NSEC is not the appropriate one.
300		*/
301		isc_result_t
302		dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
303		const dns_name_t nsecname, dns_rdataset_t nsecset,
304		bool exists, bool data, dns_name_t *wild,
305	0	dns_nseclog_t logit, void *arg) {
306	0	int order;
307	0	dns_rdata_t rdata = DNS_RDATA_INIT;
308	0	isc_result_t result;
309	0	dns_namereln_t relation;
310	0	unsigned int olabels, nlabels, labels;
311	0	dns_rdata_nsec_t nsec;
312	0	bool atparent;
313	0	bool ns;
314	0	bool soa;
315
316	0	REQUIRE(exists != NULL);
317	0	REQUIRE(data != NULL);
318	0	REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec);
319
320	0	result = dns_rdataset_first(nsecset);
321	0	if (result != ISC_R_SUCCESS) {
322	0	(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
323	0	return result;
324	0	}
325	0	dns_rdataset_current(nsecset, &rdata);
326
327		#ifdef notyet
328		if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) \|\|
329		!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
330		{
331		(*logit)(arg, ISC_LOG_DEBUG(3),
332		"NSEC missing RRSIG and/or NSEC from type map");
333		return ISC_R_IGNORE;
334		}
335		#endif
336
337	0	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
338	0	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
339
340	0	if (order < 0) {
341		/*
342		* The name is not within the NSEC range.
343		*/
344	0	(*logit)(arg, ISC_LOG_DEBUG(3),
345	0	"NSEC does not cover name, before NSEC");
346	0	return ISC_R_IGNORE;
347	0	}
348
349	0	if (order == 0) {
350		/*
351		* The names are the same. If we are validating "."
352		* then atparent should not be set as there is no parent.
353		*/
354	0	atparent = (olabels != 1) && dns_rdatatype_atparent(type);
355	0	ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
356	0	soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
357	0	if (ns && !soa) {
358	0	if (!atparent) {
359		/*
360		* This NSEC record is from somewhere higher in
361		* the DNS, and at the parent of a delegation.
362		* It can not be legitimately used here.
363		*/
364	0	(*logit)(arg, ISC_LOG_DEBUG(3),
365	0	"ignoring parent nsec");
366	0	return ISC_R_IGNORE;
367	0	}
368	0	} else if (atparent && ns && soa) {
369		/*
370		* This NSEC record is from the child.
371		* It can not be legitimately used here.
372		*/
373	0	(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring child nsec");
374	0	return ISC_R_IGNORE;
375	0	}
376	0	if (type == dns_rdatatype_cname \|\| type == dns_rdatatype_nxt \|\|
377	0	type == dns_rdatatype_nsec \|\| type == dns_rdatatype_key \|\|
378	0	!dns_nsec_typepresent(&rdata, dns_rdatatype_cname))
379	0	{
380	0	*exists = true;
381	0	*data = dns_nsec_typepresent(&rdata, type);
382	0	(*logit)(arg, ISC_LOG_DEBUG(3),
383	0	"nsec proves name exists (owner) data=%d",
384	0	*data);
385	0	return ISC_R_SUCCESS;
386	0	}
387	0	(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
388	0	return ISC_R_IGNORE;
389	0	}
390
391	0	if (relation == dns_namereln_subdomain &&
392	0	dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
393	0	!dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
394	0	{
395		/*
396		* This NSEC record is from somewhere higher in
397		* the DNS, and at the parent of a delegation or
398		* at a DNAME.
399		* It can not be legitimately used here.
400		*/
401	0	(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
402	0	return ISC_R_IGNORE;
403	0	}
404
405	0	if (relation == dns_namereln_subdomain &&
406	0	dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
407	0	{
408	0	(*logit)(arg, ISC_LOG_DEBUG(3), "nsec proves covered by dname");
409	0	*exists = false;
410	0	return DNS_R_DNAME;
411	0	}
412
413	0	RETERR(dns_rdata_tostruct(&rdata, &nsec, NULL));
414	0	relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
415	0	if (order == 0) {
416	0	dns_rdata_freestruct(&nsec);
417	0	(*logit)(arg, ISC_LOG_DEBUG(3),
418	0	"ignoring nsec matches next name");
419	0	return ISC_R_IGNORE;
420	0	}
421
422	0	if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
423		/*
424		* The name is not within the NSEC range.
425		*/
426	0	dns_rdata_freestruct(&nsec);
427	0	(*logit)(arg, ISC_LOG_DEBUG(3),
428	0	"ignoring nsec because name is past end of range");
429	0	return ISC_R_IGNORE;
430	0	}
431
432	0	if (order > 0 && relation == dns_namereln_subdomain) {
433	0	(*logit)(arg, ISC_LOG_DEBUG(3),
434	0	"nsec proves name exist (empty)");
435	0	dns_rdata_freestruct(&nsec);
436	0	*exists = true;
437	0	*data = false;
438	0	return ISC_R_SUCCESS;
439	0	}
440	0	if (wild != NULL) {
441	0	dns_name_t common;
442	0	dns_name_init(&common);
443	0	if (olabels > nlabels) {
444	0	labels = dns_name_countlabels(nsecname);
445	0	dns_name_getlabelsequence(nsecname, labels - olabels,
446	0	olabels, &common);
447	0	} else {
448	0	labels = dns_name_countlabels(&nsec.next);
449	0	dns_name_getlabelsequence(&nsec.next, labels - nlabels,
450	0	nlabels, &common);
451	0	}
452	0	result = dns_name_concatenate(dns_wildcardname, &common, wild);
453	0	if (result != ISC_R_SUCCESS) {
454	0	dns_rdata_freestruct(&nsec);
455	0	(*logit)(arg, ISC_LOG_DEBUG(3),
456	0	"failure generating wildcard name");
457	0	return result;
458	0	}
459	0	}
460	0	dns_rdata_freestruct(&nsec);
461	0	(*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
462	0	*exists = false;
463	0	return ISC_R_SUCCESS;
464	0	}
465
466		bool
467	0	dns_nsec_requiredtypespresent(dns_rdataset_t *nsecset) {
468	0	dns_rdataset_t rdataset = DNS_RDATASET_INIT;
469	0	bool found = false;
470
471	0	REQUIRE(DNS_RDATASET_VALID(nsecset));
472	0	REQUIRE(nsecset->type == dns_rdatatype_nsec);
473
474	0	dns_rdataset_clone(nsecset, &rdataset);
475
476	0	DNS_RDATASET_FOREACH(&rdataset) {
477	0	dns_rdata_t rdata = DNS_RDATA_INIT;
478	0	dns_rdataset_current(&rdataset, &rdata);
479	0	if (!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec) \|\|
480	0	!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig))
481	0	{
482	0	dns_rdataset_disassociate(&rdataset);
483	0	return false;
484	0	}
485	0	found = true;
486	0	}
487	0	dns_rdataset_disassociate(&rdataset);
488	0	return found;
489	0	}