PNG  IHDR* pHYs+ IDATx]n#; cdLb Ǚ[at¤_:uP}>!Usă cag޿ ֵNu`ݼTâabO7uL&y^wFٝA"l[|ŲHLN밪4*sG3|Dv}?+y߉{OuOAt4Jj.u]Gz*҉sP'VQKbA1u\`& Af;HWj hsO;ogTu uj7S3/QzUr&wS`M$X_L7r2;aE+ώ%vikDA:dR+%KzƉo>eOth$z%: :{WwaQ:wz%4foɹE[9<]#ERINƻv溂E%P1i01 |Jvҗ&{b?9g=^wζXn/lK::90KwrюO\!ջ3uzuGv^;騢wq<Iatv09:tt~hEG`v;3@MNZD.1]L:{ծI3`L(÷ba")Y.iljCɄae#I"1 `3*Bdz>j<fU40⨬%O$3cGt]j%Fߠ_twJ;ABU8vP3uEԑwQ V:h%))LfraqX-ۿX]v-\9I gl8tzX ]ecm)-cgʒ#Uw=Wlێn(0hPP/ӨtQ“&J35 $=]r1{tLuǮ*i0_;NƝ8;-vݏr8+U-kruȕYr0RnC]*ެ(M:]gE;{]tg(#ZJ9y>utRDRMdr9㪩̞zֹb<ģ&wzJM"iI( .ꮅX)Qw:9,i좜\Ԛi7&N0:asϓc];=ΗOӣ APqz93 y $)A*kVHZwBƺnWNaby>XMN*45~ղM6Nvm;A=jֲ.~1}(9`KJ/V F9[=`~[;sRuk]rєT!)iQO)Y$V ی ۤmzWz5IM Zb )ˆC`6 rRa}qNmUfDsWuˤV{ Pݝ'=Kֳbg,UҘVz2ﴻnjNgBb{? ߮tcsͻQuxVCIY۠:(V뺕 ٥2;t`@Fo{Z9`;]wMzU~%UA蛚dI vGq\r82iu +St`cR.6U/M9IENDB`/* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") * * This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, you can obtain one at https://mozilla.org/MPL/2.0/. * * See the COPYRIGHT file distributed with this work for additional * information regarding copyright ownership. */ #ifndef DNS_SSU_H #define DNS_SSU_H 1 /*! \file dns/ssu.h */ #include #include #include #include #include ISC_LANG_BEGINDECLS typedef enum { dns_ssumatchtype_name = 0, dns_ssumatchtype_subdomain = 1, dns_ssumatchtype_wildcard = 2, dns_ssumatchtype_self = 3, dns_ssumatchtype_selfsub = 4, dns_ssumatchtype_selfwild = 5, dns_ssumatchtype_selfkrb5 = 6, dns_ssumatchtype_selfms = 7, dns_ssumatchtype_subdomainms = 8, dns_ssumatchtype_subdomainkrb5 = 9, dns_ssumatchtype_tcpself = 10, dns_ssumatchtype_6to4self = 11, dns_ssumatchtype_external = 12, dns_ssumatchtype_local = 13, dns_ssumatchtype_selfsubms = 14, dns_ssumatchtype_selfsubkrb5 = 15, dns_ssumatchtype_max = 15, /* max value */ dns_ssumatchtype_dlz = 16 /* intentionally higher than _max */ } dns_ssumatchtype_t; #define DNS_SSUMATCHTYPE_NAME dns_ssumatchtype_name #define DNS_SSUMATCHTYPE_SUBDOMAIN dns_ssumatchtype_subdomain #define DNS_SSUMATCHTYPE_WILDCARD dns_ssumatchtype_wildcard #define DNS_SSUMATCHTYPE_SELF dns_ssumatchtype_self #define DNS_SSUMATCHTYPE_SELFSUB dns_ssumatchtype_selfsub #define DNS_SSUMATCHTYPE_SELFWILD dns_ssumatchtype_selfwild #define DNS_SSUMATCHTYPE_SELFKRB5 dns_ssumatchtype_selfkrb5 #define DNS_SSUMATCHTYPE_SELFMS dns_ssumatchtype_selfms #define DNS_SSUMATCHTYPE_SUBDOMAINMS dns_ssumatchtype_subdomainms #define DNS_SSUMATCHTYPE_SUBDOMAINKRB5 dns_ssumatchtype_subdomainkrb5 #define DNS_SSUMATCHTYPE_TCPSELF dns_ssumatchtype_tcpself #define DNS_SSUMATCHTYPE_6TO4SELF dns_ssumatchtype_6to4self #define DNS_SSUMATCHTYPE_EXTERNAL dns_ssumatchtype_external #define DNS_SSUMATCHTYPE_LOCAL dns_ssumatchtype_local #define DNS_SSUMATCHTYPE_MAX dns_ssumatchtype_max /* max value */ #define DNS_SSUMATCHTYPE_DLZ dns_ssumatchtype_dlz /* intentionally higher than _MAX */ isc_result_t dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table); /*%< * Creates a table that will be used to store simple-secure-update rules. * Note: all locking must be provided by the client. * * Requires: *\li 'mctx' is a valid memory context *\li 'table' is not NULL, and '*table' is NULL * * Returns: *\li ISC_R_SUCCESS *\li ISC_R_NOMEMORY */ isc_result_t dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep, dns_dlzdb_t *dlzdatabase); /*%< * Create an SSU table that contains a dlzdatabase pointer, and a * single rule with matchtype DNS_SSUMATCHTYPE_DLZ. This type of SSU * table is used by writeable DLZ drivers to offload authorization for * updates to the driver. */ void dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp); /*%< * Attach '*targetp' to 'source'. * * Requires: *\li 'source' is a valid SSU table *\li 'targetp' points to a NULL dns_ssutable_t *. * * Ensures: *\li *targetp is attached to source. */ void dns_ssutable_detach(dns_ssutable_t **tablep); /*%< * Detach '*tablep' from its simple-secure-update rule table. * * Requires: *\li 'tablep' points to a valid dns_ssutable_t * * Ensures: *\li *tablep is NULL *\li If '*tablep' is the last reference to the SSU table, all * resources used by the table will be freed. */ isc_result_t dns_ssutable_addrule(dns_ssutable_t *table, bool grant, dns_name_t *identity, unsigned int matchtype, dns_name_t *name, unsigned int ntypes, dns_rdatatype_t *types); /*%< * Adds a new rule to a simple-secure-update rule table. The rule * either grants or denies update privileges of an identity (or set of * identities) to modify a name (or set of names) or certain types present * at that name. * * Notes: *\li If 'matchtype' is of SELF type, this rule only matches if the * name to be updated matches the signing identity. * *\li If 'ntypes' is 0, this rule applies to all types except * NS, SOA, RRSIG, and NSEC. * *\li If 'types' includes ANY, this rule applies to all types * except NSEC. * * Requires: *\li 'table' is a valid SSU table *\li 'identity' is a valid absolute name *\li 'matchtype' must be one of the defined constants. *\li 'name' is a valid absolute name *\li If 'ntypes' > 0, 'types' must not be NULL * * Returns: *\li ISC_R_SUCCESS *\li ISC_R_NOMEMORY */ bool dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *addr, dns_rdatatype_t type, const dst_key_t *key); bool dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *addr, bool tcp, const dns_aclenv_t *env, dns_rdatatype_t type, const dst_key_t *key); /*%< * Checks that the attempted update of (name, type) is allowed according * to the rules specified in the simple-secure-update rule table. If * no rules are matched, access is denied. * * Notes: * In dns_ssutable_checkrules(), 'addr' should only be * set if the request received via TCP. This provides a * weak assurance that the request was not spoofed. * 'addr' is to to validate DNS_SSUMATCHTYPE_TCPSELF * and DNS_SSUMATCHTYPE_6TO4SELF rules. * * In dns_ssutable_checkrules2(), 'addr' can also be passed for * UDP requests and TCP is specified via the 'tcp' parameter. * In addition to DNS_SSUMATCHTYPE_TCPSELF and * tcp_ssumatchtype_6to4self rules, the address * also be used to check DNS_SSUMATCHTYPE_LOCAL rules. * If 'addr' is set then 'env' must also be set so that * requests from non-localhost addresses can be rejected. * * For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to * the standard reverse names under IN-ADDR.ARPA and IP6.ARPA. * RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596, * Section 2.5, "IP6.ARPA Domain". * * For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted * to a 6to4 prefix (48 bits) per the rules in RFC 3056. Only * the top 48 bits of the IPv6 address are mapped to the reverse * name. This is independent of whether the most significant 16 * bits match 2002::/16, assigned for 6to4 prefixes, or not. * * Requires: *\li 'table' is a valid SSU table *\li 'signer' is NULL or a valid absolute name *\li 'addr' is NULL or a valid network address. *\li 'aclenv' is NULL or a valid ACL environment. *\li 'name' is a valid absolute name *\li if 'addr' is not NULL, 'env' is not NULL. */ /*% Accessor functions to extract rule components */ bool dns_ssurule_isgrant(const dns_ssurule_t *rule); /*% Accessor functions to extract rule components */ dns_name_t * dns_ssurule_identity(const dns_ssurule_t *rule); /*% Accessor functions to extract rule components */ unsigned int dns_ssurule_matchtype(const dns_ssurule_t *rule); /*% Accessor functions to extract rule components */ dns_name_t * dns_ssurule_name(const dns_ssurule_t *rule); /*% Accessor functions to extract rule components */ unsigned int dns_ssurule_types(const dns_ssurule_t *rule, dns_rdatatype_t **types); isc_result_t dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule); /*%< * Initiates a rule iterator. There is no need to maintain any state. * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMORE */ isc_result_t dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule); /*%< * Returns the next rule in the table. * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOMORE */ bool dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr, dns_rdatatype_t type, const dst_key_t *key, isc_mem_t *mctx); /*%< * Check a policy rule via an external application */ isc_result_t dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype); /*%< * Set 'mtype' from 'str' * * Requires: *\li 'str' is not NULL. *\li 'mtype' is not NULL, * * Returns: *\li #ISC_R_SUCCESS *\li #ISC_R_NOTFOUND */ ISC_LANG_ENDDECLS #endif /* DNS_SSU_H */