diff options
| author | Lennart Poettering <lennart@poettering.net> | 2015-12-02 21:20:37 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2015-12-02 22:50:11 +0100 |
| commit | 2b442ac87838be7c326c984d8751c96dee7258ab (patch) | |
| tree | 33ba2c1c236a65daeeef6710b59c037c621cc7a1 /src/shared | |
| parent | 4e2d538f33df8a425487aaa4facc23065a9bdaf7 (diff) | |
resolved: add basic DNSSEC support
This adds most basic operation for doing DNSSEC validation on the
client side. However, it does not actually add the verification logic to
the resolver. Specifically, this patch only includes:
- Verifying DNSKEY RRs against a DS RRs
- Verifying RRSets against a combination of RRSIG and DNSKEY RRs
- Matching up RRSIG RRs and DNSKEY RRs
- Matching up RR keys and RRSIG RRs
- Calculating the DNSSEC key tag from a DNSKEY RR
All currently used DNSSEC combinations of SHA and RSA are implemented. Support
for MD5 hashing and DSA or EC cyphers are not. MD5 and DSA are probably
obsolete, and shouldn't be added. EC should probably be added
eventually, if it actually is deployed on the Internet.
Diffstat (limited to 'src/shared')
| -rw-r--r-- | src/shared/dns-domain.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/shared/dns-domain.h b/src/shared/dns-domain.h index 17dab1da18..e48d8c6b9d 100644 --- a/src/shared/dns-domain.h +++ b/src/shared/dns-domain.h @@ -34,6 +34,9 @@ /* Maximum length of a full hostname, consisting of a series of unescaped labels, and no trailing dot or NUL byte */ #define DNS_HOSTNAME_MAX 253 +/* Maximum length of a full hostname, on the wire, including the final NUL byte */ +#define DNS_WIRE_FOMAT_HOSTNAME_MAX 255 + int dns_label_unescape(const char **name, char *dest, size_t sz); int dns_label_unescape_suffix(const char *name, const char **label_end, char *dest, size_t sz); int dns_label_escape(const char *p, size_t l, char *dest, size_t sz); |