Add Proof type for DNSSEC

crates/proto/src/rr/dnssec/mod.rs

@@ -1,18 +1,9 @@
-/*
- * Copyright (C) 2015 Benjamin Fry <benjaminfry@me.com>
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
+// Copyright 2015-2023 Benjamin Fry <benjaminfry@me.com>
+//
+// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
+// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
+// https://opensource.org/licenses/MIT>, at your option. This file may not be
+// copied, modified, or distributed except according to those terms.
 
 //! dns security extension related modules
 
@@ -23,6 +14,7 @@ mod ec_public_key;
 mod key_format;
 mod keypair;
 mod nsec3;
+pub mod proof;
 pub mod public_key;
 pub mod rdata;
 #[cfg(any(feature = "openssl", feature = "ring"))]

crates/proto/src/rr/dnssec/proof.rs

@@ -0,0 +1,50 @@
+// Copyright 2015-2023 Benjamin Fry <benjaminfry@me.com>
+//
+// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
+// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
+// https://opensource.org/licenses/MIT>, at your option. This file may not be
+// copied, modified, or distributed except according to those terms.
+
+/// Represents the status of a DNSSEC verified record.
+///
+/// see [RFC 4035, DNSSEC Protocol Modifications, March 2005](https://datatracker.ietf.org/doc/html/rfc4035#section-4.3)
+/// ```text
+/// 4.3.  Determining Security Status of Data
+///
+///   A security-aware resolver MUST be able to determine whether it should
+///   expect a particular RRset to be signed.  More precisely, a
+///   security-aware resolver must be able to distinguish between four
+///   cases:
+/// ```
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum Proof {
+    /// An RRset for which the resolver is able to build a chain of
+    ///   signed DNSKEY and DS RRs from a trusted security anchor to the
+    ///   RRset.  In this case, the RRset should be signed and is subject to
+    ///   signature validation, as described above.
+    Secure,
+
+    /// An RRset for which the resolver knows that it has no chain
+    ///   of signed DNSKEY and DS RRs from any trusted starting point to the
+    ///   RRset.  This can occur when the target RRset lies in an unsigned
+    ///   zone or in a descendent of an unsigned zone.  In this case, the
+    ///   RRset may or may not be signed, but the resolver will not be able
+    ///   to verify the signature.
+    Insecure,
+
+    /// An RRset for which the resolver believes that it ought to be
+    ///   able to establish a chain of trust but for which it is unable to
+    ///   do so, either due to signatures that for some reason fail to
+    ///   validate or due to missing data that the relevant DNSSEC RRs
+    ///   indicate should be present.  This case may indicate an attack but
+    ///   may also indicate a configuration error or some form of data
+    ///   corruption.
+    Bogus,
+
+    /// An RRset for which the resolver is not able to
+    ///   determine whether the RRset should be signed, as the resolver is
+    ///   not able to obtain the necessary DNSSEC RRs.  This can occur when
+    ///   the security-aware resolver is not able to contact security-aware
+    ///   name servers for the relevant zones.
+    Indeterminate,
+}