/src/bind9/lib/dns/nsec.c

Source
/*
 * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 *
 * SPDX-License-Identifier: MPL-2.0
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, you can obtain one at https://mozilla.org/MPL/2.0/.
 *
 * See the COPYRIGHT file distributed with this work for additional
 * information regarding copyright ownership.
 */

/*! \file */

#include <stdbool.h>

#include <isc/log.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/util.h>

#include <dns/db.h>
#include <dns/nsec.h>
#include <dns/rdata.h>
#include <dns/rdatalist.h>
#include <dns/rdataset.h>
#include <dns/rdatasetiter.h>
#include <dns/rdatastruct.h>

#include <dst/dst.h>

void
dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
  unsigned int shift, mask;

  shift = 7 - (type % 8);
  mask = 1 << shift;

  if (bit != 0) {
    array[type / 8] |= mask;
  } else {
    array[type / 8] &= (~mask & 0xFF);
  }
}

bool
dns_nsec_isset(const unsigned char *array, unsigned int type) {
  unsigned int byte, shift, mask;

  byte = array[type / 8];
  shift = 7 - (type % 8);
  mask = 1 << shift;

  return (byte & mask) != 0;
}

unsigned int
dns_nsec_compressbitmap(unsigned char *map, const unsigned char *raw,
      unsigned int max_type) {
  unsigned char *start = map;
  unsigned int window;
  int octet;

  if (raw == NULL) {
    return 0;
  }

  for (window = 0; window < 256; window++) {
    if (window * 256 > max_type) {
      break;
    }
    for (octet = 31; octet >= 0; octet--) {
      if (*(raw + octet) != 0) {
        break;
      }
    }
    if (octet < 0) {
      raw += 32;
      continue;
    }
    *map++ = window;
    *map++ = octet + 1;
    /*
     * Note: potential overlapping move.
     */
    memmove(map, raw, octet + 1);
    map += octet + 1;
    raw += 32;
  }
  return (unsigned int)(map - start);
}

isc_result_t
dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
        const dns_name_t *target, unsigned char *buffer,
        dns_rdata_t *rdata) {
  isc_region_t r;
  unsigned int i;
  unsigned char *nsec_bits, *bm;
  unsigned int max_type;
  dns_rdatasetiter_t *rdsiter;
  dns_fixedname_t fnextname;
  dns_name_t *nextname;

  REQUIRE(target != NULL);

  /*
   * Downcase next owner name.
   */
  nextname = dns_fixedname_initname(&fnextname);
  RUNTIME_CHECK(dns_name_downcase(target, nextname) == ISC_R_SUCCESS);
  memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
  dns_name_toregion(nextname, &r);
  memmove(buffer, r.base, r.length);
  r.base = buffer;
  /*
   * Use the end of the space for a raw bitmap leaving enough
   * space for the window identifiers and length octets.
   */
  bm = r.base + r.length + 512;
  nsec_bits = r.base + r.length;
  dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
  dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
  max_type = dns_rdatatype_nsec;
  rdsiter = NULL;
  RETERR(dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter));
  DNS_RDATASETITER_FOREACH(rdsiter) {
    dns_rdataset_t rdataset = DNS_RDATASET_INIT;
    dns_rdatasetiter_current(rdsiter, &rdataset);
    if (!dns_rdatatype_isnsec(rdataset.type) &&
        rdataset.type != dns_rdatatype_rrsig)
    {
      if (rdataset.type > max_type) {
        max_type = rdataset.type;
      }
      dns_nsec_setbit(bm, rdataset.type, 1);
    }
    dns_rdataset_disassociate(&rdataset);
  }
  dns_rdatasetiter_destroy(&rdsiter);

  /*
   * At zone cuts, deny the existence of glue in the parent zone.
   */
  if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
      !dns_nsec_isset(bm, dns_rdatatype_soa))
  {
    for (i = 0; i <= max_type; i++) {
      if (dns_nsec_isset(bm, i) &&
          !dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
      {
        dns_nsec_setbit(bm, i, 0);
      }
    }
  }

  nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);

  r.length = (unsigned int)(nsec_bits - r.base);
  INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
  dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec, &r);

  return ISC_R_SUCCESS;
}

isc_result_t
dns_nsec_build(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node,
         const dns_name_t *target, dns_ttl_t ttl) {
  isc_result_t result;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  unsigned char data[DNS_NSEC_BUFFERSIZE];
  dns_rdatalist_t rdatalist;
  dns_rdataset_t rdataset;

  dns_rdataset_init(&rdataset);
  dns_rdata_init(&rdata);

  CHECK(dns_nsec_buildrdata(db, version, node, target, data, &rdata));

  dns_rdatalist_init(&rdatalist);
  rdatalist.rdclass = dns_db_class(db);
  rdatalist.type = dns_rdatatype_nsec;
  rdatalist.ttl = ttl;
  ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
  dns_rdatalist_tordataset(&rdatalist, &rdataset);
  result = dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
  if (result == DNS_R_UNCHANGED) {
    result = ISC_R_SUCCESS;
  }

cleanup:
  dns_rdataset_cleanup(&rdataset);
  return result;
}

bool
dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
  dns_rdata_nsec_t nsecstruct;
  isc_result_t result;
  bool present;
  unsigned int i, len, window;

  REQUIRE(nsec != NULL);
  REQUIRE(nsec->type == dns_rdatatype_nsec);

  /* This should never fail */
  result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
  INSIST(result == ISC_R_SUCCESS);

  present = false;
  for (i = 0; i < nsecstruct.len; i += len) {
    INSIST(i + 2 <= nsecstruct.len);
    window = nsecstruct.typebits[i];
    len = nsecstruct.typebits[i + 1];
    INSIST(len > 0 && len <= 32);
    i += 2;
    INSIST(i + len <= nsecstruct.len);
    if (window * 256 > type) {
      break;
    }
    if ((window + 1) * 256 <= type) {
      continue;
    }
    if (type < (window * 256) + len * 8) {
      present = dns_nsec_isset(&nsecstruct.typebits[i],
             type % 256);
    }
    break;
  }
  dns_rdata_freestruct(&nsecstruct);
  return present;
}

isc_result_t
dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version, dns_diff_t *diff,
      bool *answer) {
  dns_dbnode_t *node = NULL;
  dns_rdataset_t rdataset;
  dns_rdata_dnskey_t dnskey;
  isc_result_t result;

  REQUIRE(answer != NULL);

  dns_rdataset_init(&rdataset);

  RETERR(dns_db_getoriginnode(db, &node));

  result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
             0, &rdataset, NULL);
  dns_db_detachnode(&node);

  if (result == ISC_R_NOTFOUND) {
    *answer = false;
  }
  if (result != ISC_R_SUCCESS) {
    return result;
  }
  bool matched = false;
  DNS_RDATASET_FOREACH(&rdataset) {
    dns_rdata_t rdata = DNS_RDATA_INIT;

    dns_rdataset_current(&rdataset, &rdata);
    result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
    RUNTIME_CHECK(result == ISC_R_SUCCESS);

    if (dnskey.algorithm == DST_ALG_RSAMD5 ||
        dnskey.algorithm == DST_ALG_DSA ||
        dnskey.algorithm == DST_ALG_RSASHA1)
    {
      bool deleted = false;
      if (diff != NULL) {
        ISC_LIST_FOREACH(diff->tuples, tuple, link) {
          if (tuple->rdata.type !=
                dns_rdatatype_dnskey ||
              tuple->op != DNS_DIFFOP_DEL)
          {
            continue;
          }

          if (dns_rdata_compare(
                &rdata, &tuple->rdata) == 0)
          {
            deleted = true;
            break;
          }
        }
      }

      if (!deleted) {
        matched = true;
        break;
      }
    }
  }
  dns_rdataset_disassociate(&rdataset);
  *answer = matched;
  return ISC_R_SUCCESS;
}

/*%
 * Return ISC_R_SUCCESS if we can determine that the name doesn't exist
 * or we can determine whether there is data or not at the name.
 * If the name does not exist return the wildcard name.
 *
 * Return ISC_R_IGNORE when the NSEC is not the appropriate one.
 */
isc_result_t
dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
           const dns_name_t *nsecname, dns_rdataset_t *nsecset,
           bool *exists, bool *data, dns_name_t *wild,
           dns_nseclog_t logit, void *arg) {
  int order;
  dns_rdata_t rdata = DNS_RDATA_INIT;
  isc_result_t result;
  dns_namereln_t relation;
  unsigned int olabels, nlabels, labels;
  dns_rdata_nsec_t nsec;
  bool atparent;
  bool ns;
  bool soa;

  REQUIRE(exists != NULL);
  REQUIRE(data != NULL);
  REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec);

  result = dns_rdataset_first(nsecset);
  if (result != ISC_R_SUCCESS) {
    (*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
    return result;
  }
  dns_rdataset_current(nsecset, &rdata);

#ifdef notyet
  if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) ||
      !dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
  {
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "NSEC missing RRSIG and/or NSEC from type map");
    return ISC_R_IGNORE;
  }
#endif

  (*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
  relation = dns_name_fullcompare(name, nsecname, &order, &olabels);

  if (order < 0) {
    /*
     * The name is not within the NSEC range.
     */
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "NSEC does not cover name, before NSEC");
    return ISC_R_IGNORE;
  }

  if (order == 0) {
    /*
     * The names are the same.   If we are validating "."
     * then atparent should not be set as there is no parent.
     */
    atparent = (olabels != 1) && dns_rdatatype_atparent(type);
    ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
    soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
    if (ns && !soa) {
      if (!atparent) {
        /*
         * This NSEC record is from somewhere higher in
         * the DNS, and at the parent of a delegation.
         * It can not be legitimately used here.
         */
        (*logit)(arg, ISC_LOG_DEBUG(3),
           "ignoring parent nsec");
        return ISC_R_IGNORE;
      }
    } else if (atparent && ns && soa) {
      /*
       * This NSEC record is from the child.
       * It can not be legitimately used here.
       */
      (*logit)(arg, ISC_LOG_DEBUG(3), "ignoring child nsec");
      return ISC_R_IGNORE;
    }
    if (type == dns_rdatatype_cname || type == dns_rdatatype_nsec ||
        !dns_nsec_typepresent(&rdata, dns_rdatatype_cname))
    {
      *exists = true;
      *data = dns_nsec_typepresent(&rdata, type);
      (*logit)(arg, ISC_LOG_DEBUG(3),
         "nsec proves name exists (owner) data=%d",
         *data);
      return ISC_R_SUCCESS;
    }
    (*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
    return ISC_R_IGNORE;
  }

  if (relation == dns_namereln_subdomain &&
      dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
      !dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
  {
    /*
     * This NSEC record is from somewhere higher in
     * the DNS, and at the parent of a delegation or
     * at a DNAME.
     * It can not be legitimately used here.
     */
    (*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
    return ISC_R_IGNORE;
  }

  if (relation == dns_namereln_subdomain &&
      dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
  {
    (*logit)(arg, ISC_LOG_DEBUG(3), "nsec proves covered by dname");
    *exists = false;
    return DNS_R_DNAME;
  }

  RETERR(dns_rdata_tostruct(&rdata, &nsec, NULL));
  relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
  if (order == 0) {
    dns_rdata_freestruct(&nsec);
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "ignoring nsec matches next name");
    return ISC_R_IGNORE;
  }

  if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
    /*
     * The name is not within the NSEC range.
     */
    dns_rdata_freestruct(&nsec);
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "ignoring nsec because name is past end of range");
    return ISC_R_IGNORE;
  }

  if (order > 0 && relation == dns_namereln_subdomain) {
    (*logit)(arg, ISC_LOG_DEBUG(3),
       "nsec proves name exist (empty)");
    dns_rdata_freestruct(&nsec);
    *exists = true;
    *data = false;
    return ISC_R_SUCCESS;
  }
  if (wild != NULL) {
    dns_name_t common;
    dns_name_init(&common);
    if (olabels > nlabels) {
      labels = dns_name_countlabels(nsecname);
      dns_name_getlabelsequence(nsecname, labels - olabels,
              olabels, &common);
    } else {
      labels = dns_name_countlabels(&nsec.next);
      dns_name_getlabelsequence(&nsec.next, labels - nlabels,
              nlabels, &common);
    }
    result = dns_name_concatenate(dns_wildcardname, &common, wild);
    if (result != ISC_R_SUCCESS) {
      dns_rdata_freestruct(&nsec);
      (*logit)(arg, ISC_LOG_DEBUG(3),
         "failure generating wildcard name");
      return result;
    }
  }
  dns_rdata_freestruct(&nsec);
  (*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
  *exists = false;
  return ISC_R_SUCCESS;
}

bool
dns_nsec_requiredtypespresent(dns_rdataset_t *nsecset) {
  dns_rdataset_t rdataset = DNS_RDATASET_INIT;
  bool found = false;

  REQUIRE(DNS_RDATASET_VALID(nsecset));
  REQUIRE(nsecset->type == dns_rdatatype_nsec);

  dns_rdataset_clone(nsecset, &rdataset);

  DNS_RDATASET_FOREACH(&rdataset) {
    dns_rdata_t rdata = DNS_RDATA_INIT;
    dns_rdataset_current(&rdataset, &rdata);
    if (!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec) ||
        !dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig))
    {
      dns_rdataset_disassociate(&rdataset);
      return false;
    }
    found = true;
  }
  dns_rdataset_disassociate(&rdataset);
  return found;
}

Coverage Report

Created: 2026-06-15 06:56

Line	Count	Source
1		/*
2		* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3		*
4		* SPDX-License-Identifier: MPL-2.0
5		*
6		* This Source Code Form is subject to the terms of the Mozilla Public
7		* License, v. 2.0. If a copy of the MPL was not distributed with this
8		* file, you can obtain one at https://mozilla.org/MPL/2.0/.
9		*
10		* See the COPYRIGHT file distributed with this work for additional
11		* information regarding copyright ownership.
12		*/
13
14		/! \file /
15
16		#include <stdbool.h>
17
18		#include <isc/log.h>
19		#include <isc/result.h>
20		#include <isc/string.h>
21		#include <isc/util.h>
22
23		#include <dns/db.h>
24		#include <dns/nsec.h>
25		#include <dns/rdata.h>
26		#include <dns/rdatalist.h>
27		#include <dns/rdataset.h>
28		#include <dns/rdatasetiter.h>
29		#include <dns/rdatastruct.h>
30
31		#include <dst/dst.h>
32
33		void
34	0	dns_nsec_setbit(unsigned char *array, unsigned int type, unsigned int bit) {
35	0	unsigned int shift, mask;
36
37	0	shift = 7 - (type % 8);
38	0	mask = 1 << shift;
39
40	0	if (bit != 0) {
41	0	array[type / 8] \|= mask;
42	0	} else {
43	0	array[type / 8] &= (~mask & 0xFF);
44	0	}
45	0	}
46
47		bool
48	0	dns_nsec_isset(const unsigned char *array, unsigned int type) {
49	0	unsigned int byte, shift, mask;
50
51	0	byte = array[type / 8];
52	0	shift = 7 - (type % 8);
53	0	mask = 1 << shift;
54
55	0	return (byte & mask) != 0;
56	0	}
57
58		unsigned int
59		dns_nsec_compressbitmap(unsigned char map, const unsigned char raw,
60	0	unsigned int max_type) {
61	0	unsigned char *start = map;
62	0	unsigned int window;
63	0	int octet;
64
65	0	if (raw == NULL) {
66	0	return 0;
67	0	}
68
69	0	for (window = 0; window < 256; window++) {
70	0	if (window * 256 > max_type) {
71	0	break;
72	0	}
73	0	for (octet = 31; octet >= 0; octet--) {
74	0	if (*(raw + octet) != 0) {
75	0	break;
76	0	}
77	0	}
78	0	if (octet < 0) {
79	0	raw += 32;
80	0	continue;
81	0	}
82	0	*map++ = window;
83	0	*map++ = octet + 1;
84		/*
85		* Note: potential overlapping move.
86		*/
87	0	memmove(map, raw, octet + 1);
88	0	map += octet + 1;
89	0	raw += 32;
90	0	}
91	0	return (unsigned int)(map - start);
92	0	}
93
94		isc_result_t
95		dns_nsec_buildrdata(dns_db_t db, dns_dbversion_t version, dns_dbnode_t *node,
96		const dns_name_t target, unsigned char buffer,
97	0	dns_rdata_t *rdata) {
98	0	isc_region_t r;
99	0	unsigned int i;
100	0	unsigned char nsec_bits, bm;
101	0	unsigned int max_type;
102	0	dns_rdatasetiter_t *rdsiter;
103	0	dns_fixedname_t fnextname;
104	0	dns_name_t *nextname;
105
106	0	REQUIRE(target != NULL);
107
108		/*
109		* Downcase next owner name.
110		*/
111	0	nextname = dns_fixedname_initname(&fnextname);
112	0	RUNTIME_CHECK(dns_name_downcase(target, nextname) == ISC_R_SUCCESS);
113	0	memset(buffer, 0, DNS_NSEC_BUFFERSIZE);
114	0	dns_name_toregion(nextname, &r);
115	0	memmove(buffer, r.base, r.length);
116	0	r.base = buffer;
117		/*
118		* Use the end of the space for a raw bitmap leaving enough
119		* space for the window identifiers and length octets.
120		*/
121	0	bm = r.base + r.length + 512;
122	0	nsec_bits = r.base + r.length;
123	0	dns_nsec_setbit(bm, dns_rdatatype_rrsig, 1);
124	0	dns_nsec_setbit(bm, dns_rdatatype_nsec, 1);
125	0	max_type = dns_rdatatype_nsec;
126	0	rdsiter = NULL;
127	0	RETERR(dns_db_allrdatasets(db, node, version, 0, 0, &rdsiter));
128	0	DNS_RDATASETITER_FOREACH(rdsiter) {
129	0	dns_rdataset_t rdataset = DNS_RDATASET_INIT;
130	0	dns_rdatasetiter_current(rdsiter, &rdataset);
131	0	if (!dns_rdatatype_isnsec(rdataset.type) &&
132	0	rdataset.type != dns_rdatatype_rrsig)
133	0	{
134	0	if (rdataset.type > max_type) {
135	0	max_type = rdataset.type;
136	0	}
137	0	dns_nsec_setbit(bm, rdataset.type, 1);
138	0	}
139	0	dns_rdataset_disassociate(&rdataset);
140	0	}
141	0	dns_rdatasetiter_destroy(&rdsiter);
142
143		/*
144		* At zone cuts, deny the existence of glue in the parent zone.
145		*/
146	0	if (dns_nsec_isset(bm, dns_rdatatype_ns) &&
147	0	!dns_nsec_isset(bm, dns_rdatatype_soa))
148	0	{
149	0	for (i = 0; i <= max_type; i++) {
150	0	if (dns_nsec_isset(bm, i) &&
151	0	!dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
152	0	{
153	0	dns_nsec_setbit(bm, i, 0);
154	0	}
155	0	}
156	0	}
157
158	0	nsec_bits += dns_nsec_compressbitmap(nsec_bits, bm, max_type);
159
160	0	r.length = (unsigned int)(nsec_bits - r.base);
161	0	INSIST(r.length <= DNS_NSEC_BUFFERSIZE);
162	0	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec, &r);
163
164	0	return ISC_R_SUCCESS;
165	0	}
166
167		isc_result_t
168		dns_nsec_build(dns_db_t db, dns_dbversion_t version, dns_dbnode_t *node,
169	0	const dns_name_t *target, dns_ttl_t ttl) {
170	0	isc_result_t result;
171	0	dns_rdata_t rdata = DNS_RDATA_INIT;
172	0	unsigned char data[DNS_NSEC_BUFFERSIZE];
173	0	dns_rdatalist_t rdatalist;
174	0	dns_rdataset_t rdataset;
175
176	0	dns_rdataset_init(&rdataset);
177	0	dns_rdata_init(&rdata);
178
179	0	CHECK(dns_nsec_buildrdata(db, version, node, target, data, &rdata));
180
181	0	dns_rdatalist_init(&rdatalist);
182	0	rdatalist.rdclass = dns_db_class(db);
183	0	rdatalist.type = dns_rdatatype_nsec;
184	0	rdatalist.ttl = ttl;
185	0	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
186	0	dns_rdatalist_tordataset(&rdatalist, &rdataset);
187	0	result = dns_db_addrdataset(db, node, version, 0, &rdataset, 0, NULL);
188	0	if (result == DNS_R_UNCHANGED) {
189	0	result = ISC_R_SUCCESS;
190	0	}
191
192	0	cleanup:
193	0	dns_rdataset_cleanup(&rdataset);
194	0	return result;
195	0	}
196
197		bool
198	0	dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
199	0	dns_rdata_nsec_t nsecstruct;
200	0	isc_result_t result;
201	0	bool present;
202	0	unsigned int i, len, window;
203
204	0	REQUIRE(nsec != NULL);
205	0	REQUIRE(nsec->type == dns_rdatatype_nsec);
206
207		/* This should never fail */
208	0	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
209	0	INSIST(result == ISC_R_SUCCESS);
210
211	0	present = false;
212	0	for (i = 0; i < nsecstruct.len; i += len) {
213	0	INSIST(i + 2 <= nsecstruct.len);
214	0	window = nsecstruct.typebits[i];
215	0	len = nsecstruct.typebits[i + 1];
216	0	INSIST(len > 0 && len <= 32);
217	0	i += 2;
218	0	INSIST(i + len <= nsecstruct.len);
219	0	if (window * 256 > type) {
220	0	break;
221	0	}
222	0	if ((window + 1) * 256 <= type) {
223	0	continue;
224	0	}
225	0	if (type < (window * 256) + len * 8) {
226	0	present = dns_nsec_isset(&nsecstruct.typebits[i],
227	0	type % 256);
228	0	}
229	0	break;
230	0	}
231	0	dns_rdata_freestruct(&nsecstruct);
232	0	return present;
233	0	}
234
235		isc_result_t
236		dns_nsec_nseconly(dns_db_t db, dns_dbversion_t version, dns_diff_t *diff,
237	0	bool *answer) {
238	0	dns_dbnode_t *node = NULL;
239	0	dns_rdataset_t rdataset;
240	0	dns_rdata_dnskey_t dnskey;
241	0	isc_result_t result;
242
243	0	REQUIRE(answer != NULL);
244
245	0	dns_rdataset_init(&rdataset);
246
247	0	RETERR(dns_db_getoriginnode(db, &node));
248
249	0	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey, 0,
250	0	0, &rdataset, NULL);
251	0	dns_db_detachnode(&node);
252
253	0	if (result == ISC_R_NOTFOUND) {
254	0	*answer = false;
255	0	}
256	0	if (result != ISC_R_SUCCESS) {
257	0	return result;
258	0	}
259	0	bool matched = false;
260	0	DNS_RDATASET_FOREACH(&rdataset) {
261	0	dns_rdata_t rdata = DNS_RDATA_INIT;
262
263	0	dns_rdataset_current(&rdataset, &rdata);
264	0	result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
265	0	RUNTIME_CHECK(result == ISC_R_SUCCESS);
266
267	0	if (dnskey.algorithm == DST_ALG_RSAMD5 \|\|
268	0	dnskey.algorithm == DST_ALG_DSA \|\|
269	0	dnskey.algorithm == DST_ALG_RSASHA1)
270	0	{
271	0	bool deleted = false;
272	0	if (diff != NULL) {
273	0	ISC_LIST_FOREACH(diff->tuples, tuple, link) {
274	0	if (tuple->rdata.type !=
275	0	dns_rdatatype_dnskey \|\|
276	0	tuple->op != DNS_DIFFOP_DEL)
277	0	{
278	0	continue;
279	0	}
280
281	0	if (dns_rdata_compare(
282	0	&rdata, &tuple->rdata) == 0)
283	0	{
284	0	deleted = true;
285	0	break;
286	0	}
287	0	}
288	0	}
289
290	0	if (!deleted) {
291	0	matched = true;
292	0	break;
293	0	}
294	0	}
295	0	}
296	0	dns_rdataset_disassociate(&rdataset);
297	0	*answer = matched;
298	0	return ISC_R_SUCCESS;
299	0	}
300
301		/*%
302		* Return ISC_R_SUCCESS if we can determine that the name doesn't exist
303		* or we can determine whether there is data or not at the name.
304		* If the name does not exist return the wildcard name.
305		*
306		* Return ISC_R_IGNORE when the NSEC is not the appropriate one.
307		*/
308		isc_result_t
309		dns_nsec_noexistnodata(dns_rdatatype_t type, const dns_name_t *name,
310		const dns_name_t nsecname, dns_rdataset_t nsecset,
311		bool exists, bool data, dns_name_t *wild,
312	0	dns_nseclog_t logit, void *arg) {
313	0	int order;
314	0	dns_rdata_t rdata = DNS_RDATA_INIT;
315	0	isc_result_t result;
316	0	dns_namereln_t relation;
317	0	unsigned int olabels, nlabels, labels;
318	0	dns_rdata_nsec_t nsec;
319	0	bool atparent;
320	0	bool ns;
321	0	bool soa;
322
323	0	REQUIRE(exists != NULL);
324	0	REQUIRE(data != NULL);
325	0	REQUIRE(nsecset != NULL && nsecset->type == dns_rdatatype_nsec);
326
327	0	result = dns_rdataset_first(nsecset);
328	0	if (result != ISC_R_SUCCESS) {
329	0	(*logit)(arg, ISC_LOG_DEBUG(3), "failure processing NSEC set");
330	0	return result;
331	0	}
332	0	dns_rdataset_current(nsecset, &rdata);
333
334		#ifdef notyet
335		if (!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig) \|\|
336		!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec))
337		{
338		(*logit)(arg, ISC_LOG_DEBUG(3),
339		"NSEC missing RRSIG and/or NSEC from type map");
340		return ISC_R_IGNORE;
341		}
342		#endif
343
344	0	(*logit)(arg, ISC_LOG_DEBUG(3), "looking for relevant NSEC");
345	0	relation = dns_name_fullcompare(name, nsecname, &order, &olabels);
346
347	0	if (order < 0) {
348		/*
349		* The name is not within the NSEC range.
350		*/
351	0	(*logit)(arg, ISC_LOG_DEBUG(3),
352	0	"NSEC does not cover name, before NSEC");
353	0	return ISC_R_IGNORE;
354	0	}
355
356	0	if (order == 0) {
357		/*
358		* The names are the same. If we are validating "."
359		* then atparent should not be set as there is no parent.
360		*/
361	0	atparent = (olabels != 1) && dns_rdatatype_atparent(type);
362	0	ns = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
363	0	soa = dns_nsec_typepresent(&rdata, dns_rdatatype_soa);
364	0	if (ns && !soa) {
365	0	if (!atparent) {
366		/*
367		* This NSEC record is from somewhere higher in
368		* the DNS, and at the parent of a delegation.
369		* It can not be legitimately used here.
370		*/
371	0	(*logit)(arg, ISC_LOG_DEBUG(3),
372	0	"ignoring parent nsec");
373	0	return ISC_R_IGNORE;
374	0	}
375	0	} else if (atparent && ns && soa) {
376		/*
377		* This NSEC record is from the child.
378		* It can not be legitimately used here.
379		*/
380	0	(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring child nsec");
381	0	return ISC_R_IGNORE;
382	0	}
383	0	if (type == dns_rdatatype_cname \|\| type == dns_rdatatype_nsec \|\|
384	0	!dns_nsec_typepresent(&rdata, dns_rdatatype_cname))
385	0	{
386	0	*exists = true;
387	0	*data = dns_nsec_typepresent(&rdata, type);
388	0	(*logit)(arg, ISC_LOG_DEBUG(3),
389	0	"nsec proves name exists (owner) data=%d",
390	0	*data);
391	0	return ISC_R_SUCCESS;
392	0	}
393	0	(*logit)(arg, ISC_LOG_DEBUG(3), "NSEC proves CNAME exists");
394	0	return ISC_R_IGNORE;
395	0	}
396
397	0	if (relation == dns_namereln_subdomain &&
398	0	dns_nsec_typepresent(&rdata, dns_rdatatype_ns) &&
399	0	!dns_nsec_typepresent(&rdata, dns_rdatatype_soa))
400	0	{
401		/*
402		* This NSEC record is from somewhere higher in
403		* the DNS, and at the parent of a delegation or
404		* at a DNAME.
405		* It can not be legitimately used here.
406		*/
407	0	(*logit)(arg, ISC_LOG_DEBUG(3), "ignoring parent nsec");
408	0	return ISC_R_IGNORE;
409	0	}
410
411	0	if (relation == dns_namereln_subdomain &&
412	0	dns_nsec_typepresent(&rdata, dns_rdatatype_dname))
413	0	{
414	0	(*logit)(arg, ISC_LOG_DEBUG(3), "nsec proves covered by dname");
415	0	*exists = false;
416	0	return DNS_R_DNAME;
417	0	}
418
419	0	RETERR(dns_rdata_tostruct(&rdata, &nsec, NULL));
420	0	relation = dns_name_fullcompare(&nsec.next, name, &order, &nlabels);
421	0	if (order == 0) {
422	0	dns_rdata_freestruct(&nsec);
423	0	(*logit)(arg, ISC_LOG_DEBUG(3),
424	0	"ignoring nsec matches next name");
425	0	return ISC_R_IGNORE;
426	0	}
427
428	0	if (order < 0 && !dns_name_issubdomain(nsecname, &nsec.next)) {
429		/*
430		* The name is not within the NSEC range.
431		*/
432	0	dns_rdata_freestruct(&nsec);
433	0	(*logit)(arg, ISC_LOG_DEBUG(3),
434	0	"ignoring nsec because name is past end of range");
435	0	return ISC_R_IGNORE;
436	0	}
437
438	0	if (order > 0 && relation == dns_namereln_subdomain) {
439	0	(*logit)(arg, ISC_LOG_DEBUG(3),
440	0	"nsec proves name exist (empty)");
441	0	dns_rdata_freestruct(&nsec);
442	0	*exists = true;
443	0	*data = false;
444	0	return ISC_R_SUCCESS;
445	0	}
446	0	if (wild != NULL) {
447	0	dns_name_t common;
448	0	dns_name_init(&common);
449	0	if (olabels > nlabels) {
450	0	labels = dns_name_countlabels(nsecname);
451	0	dns_name_getlabelsequence(nsecname, labels - olabels,
452	0	olabels, &common);
453	0	} else {
454	0	labels = dns_name_countlabels(&nsec.next);
455	0	dns_name_getlabelsequence(&nsec.next, labels - nlabels,
456	0	nlabels, &common);
457	0	}
458	0	result = dns_name_concatenate(dns_wildcardname, &common, wild);
459	0	if (result != ISC_R_SUCCESS) {
460	0	dns_rdata_freestruct(&nsec);
461	0	(*logit)(arg, ISC_LOG_DEBUG(3),
462	0	"failure generating wildcard name");
463	0	return result;
464	0	}
465	0	}
466	0	dns_rdata_freestruct(&nsec);
467	0	(*logit)(arg, ISC_LOG_DEBUG(3), "nsec range ok");
468	0	*exists = false;
469	0	return ISC_R_SUCCESS;
470	0	}
471
472		bool
473	0	dns_nsec_requiredtypespresent(dns_rdataset_t *nsecset) {
474	0	dns_rdataset_t rdataset = DNS_RDATASET_INIT;
475	0	bool found = false;
476
477	0	REQUIRE(DNS_RDATASET_VALID(nsecset));
478	0	REQUIRE(nsecset->type == dns_rdatatype_nsec);
479
480	0	dns_rdataset_clone(nsecset, &rdataset);
481
482	0	DNS_RDATASET_FOREACH(&rdataset) {
483	0	dns_rdata_t rdata = DNS_RDATA_INIT;
484	0	dns_rdataset_current(&rdataset, &rdata);
485	0	if (!dns_nsec_typepresent(&rdata, dns_rdatatype_nsec) \|\|
486	0	!dns_nsec_typepresent(&rdata, dns_rdatatype_rrsig))
487	0	{
488	0	dns_rdataset_disassociate(&rdataset);
489	0	return false;
490	0	}
491	0	found = true;
492	0	}
493	0	dns_rdataset_disassociate(&rdataset);
494	0	return found;
495	0	}