1 files changed, 101 insertions, 0 deletions

diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
new file mode 100644
index 0000000000..e55bdaa1ed
--- /dev/null
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -0,0 +1,101 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+  This file is part of systemd.
+
+  Copyright 2015 Lennart Poettering
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "alloc-util.h"
+#include "resolved-dns-trust-anchor.h"
+
+/* The DS RR from https://data.iana.org/root-anchors/root-anchors.xml */
+static const uint8_t root_digest[] =
+        { 0x49, 0xAA, 0xC1, 0x1D, 0x7B, 0x6F, 0x64, 0x46, 0x70, 0x2E, 0x54, 0xA1, 0x60, 0x73, 0x71, 0x60,
+          0x7A, 0x1A, 0x41, 0x85, 0x52, 0x00, 0xFD, 0x2C, 0xE1, 0xCD, 0xDE, 0x32, 0xF2, 0x4E, 0x8F, 0xB5 };
+
+int dns_trust_anchor_load(DnsTrustAnchor *d) {
+        _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
+        _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
+        int r;
+
+        assert(d);
+
+        r = hashmap_ensure_allocated(&d->by_key, &dns_resource_key_hash_ops);
+        if (r < 0)
+                return r;
+
+        if (hashmap_get(d->by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DS, ".")))
+                return 0;
+
+        /* Add the RR from https://data.iana.org/root-anchors/root-anchors.xml */
+        rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "");
+        if (!rr)
+                return -ENOMEM;
+
+        rr->ds.key_tag = 19036;
+        rr->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+        rr->ds.digest_type = DNSSEC_DIGEST_SHA256;
+        rr->ds.digest_size = sizeof(root_digest);
+        rr->ds.digest = memdup(root_digest, rr->ds.digest_size);
+        if (!rr->ds.digest)
+                return  -ENOMEM;
+
+        answer = dns_answer_new(1);
+        if (!answer)
+                return -ENOMEM;
+
+        r = dns_answer_add(answer, rr, 0);
+        if (r < 0)
+                return r;
+
+        r = hashmap_put(d->by_key, rr->key, answer);
+        if (r < 0)
+                return r;
+
+        answer = NULL;
+        return 0;
+}
+
+void dns_trust_anchor_flush(DnsTrustAnchor *d) {
+        DnsAnswer *a;
+
+        assert(d);
+
+        while ((a = hashmap_steal_first(d->by_key)))
+                dns_answer_unref(a);
+
+        d->by_key = hashmap_free(d->by_key);
+}
+
+int dns_trust_anchor_lookup(DnsTrustAnchor *d, DnsResourceKey *key, DnsAnswer **ret) {
+        DnsAnswer *a;
+
+        assert(d);
+        assert(key);
+        assert(ret);
+
+        /* We only serve DS and DNSKEY RRs. */
+        if (!IN_SET(key->type, DNS_TYPE_DS, DNS_TYPE_DNSKEY))
+                return 0;
+
+        a = hashmap_get(d->by_key, key);
+        if (!a)
+                return 0;
+
+        *ret = dns_answer_ref(a);
+        return 1;
+}