Add Proof type for DNSSEC
This commit is contained in:
parent
0a2ee2c655
commit
552fa36dc3
@ -1,18 +1,9 @@
|
||||
/*
|
||||
* Copyright (C) 2015 Benjamin Fry <benjaminfry@me.com>
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
// Copyright 2015-2023 Benjamin Fry <benjaminfry@me.com>
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
|
||||
// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
|
||||
// https://opensource.org/licenses/MIT>, at your option. This file may not be
|
||||
// copied, modified, or distributed except according to those terms.
|
||||
|
||||
//! dns security extension related modules
|
||||
|
||||
@ -23,6 +14,7 @@ mod ec_public_key;
|
||||
mod key_format;
|
||||
mod keypair;
|
||||
mod nsec3;
|
||||
pub mod proof;
|
||||
pub mod public_key;
|
||||
pub mod rdata;
|
||||
#[cfg(any(feature = "openssl", feature = "ring"))]
|
||||
|
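--- /dev/null
+++ b/crates/proto/src/rr/dnssec/proof.rs
@@ -0,0 +1,50 @@
+// Copyright 2015-2023 Benjamin Fry <benjaminfry@me.com>
+//
+// Licensed under the Apache License, Version 2.0, <LICENSE-APACHE or
+// https://apache.org/licenses/LICENSE-2.0> or the MIT license <LICENSE-MIT or
+// https://opensource.org/licenses/MIT>, at your option. This file may not be
+// copied, modified, or distributed except according to those terms.
+
+/// Represents the status of a DNSSEC verified record.
+///
+/// see [RFC 4035, DNSSEC Protocol Modifications, March 2005](https://datatracker.ietf.org/doc/html/rfc4035#section-4.3)
+/// ```text
+/// 4.3. Determining Security Status of Data
+///
+/// A security-aware resolver MUST be able to determine whether it should
+/// expect a particular RRset to be signed. More precisely, a
+/// security-aware resolver must be able to distinguish between four
+/// cases:
+/// ```
+#[derive(Copy, Clone, Debug, Eq, PartialEq)]
+pub enum Proof {
+    /// An RRset for which the resolver is able to build a chain of
+    /// signed DNSKEY and DS RRs from a trusted security anchor to the
+    /// RRset. In this case, the RRset should be signed and is subject to
+    /// signature validation, as described above.
+    Secure,
+
+    /// An RRset for which the resolver knows that it has no chain
+    /// of signed DNSKEY and DS RRs from any trusted starting point to the
+    /// RRset. This can occur when the target RRset lies in an unsigned
+    /// zone or in a descendent of an unsigned zone. In this case, the
+    /// RRset may or may not be signed, but the resolver will not be able
+    /// to verify the signature.
+    Insecure,
+
+    /// An RRset for which the resolver believes that it ought to be
+    /// able to establish a chain of trust but for which it is unable to
+    /// do so, either due to signatures that for some reason fail to
+    /// validate or due to missing data that the relevant DNSSEC RRs
+    /// indicate should be present. This case may indicate an attack but
+    /// may also indicate a configuration error or some form of data
+    /// corruption.
+    Bogus,
+
+    /// An RRset for which the resolver is not able to
+    /// determine whether the RRset should be signed, as the resolver is
+    /// not able to obtain the necessary DNSSEC RRs. This can occur when
+    /// the security-aware resolver is not able to contact security-aware
+    /// name servers for the relevant zones.
+    Indeterminate,
+}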
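Review bot: The type-level doc comment on `Proof` ends at the RFC 4035 §4.3 enumeration ("distinguish between four cases:") and never says how a consumer should act on each variant, so it is easy to read `Insecure` or `Indeterminate` as "validated but unsigned". Only `Secure` means the RRset was cryptographically verified back to a trust anchor; `Bogus` is a validation failure that RFC 4035 §5.5 says a validating resolver must not hand back as answer data, and `Insecure`/`Indeterminate` mean no verification took place at all. Suggest adding after the quoted RFC text: `/// Only [`Proof::Secure`] means the RRset was cryptographically validated; treat [`Proof::Bogus`] as a hard failure (RFC 4035 §5.5) and the remaining variants as unverified.` If callers will end up keying maps by this value, `Hash` belongs in the derive list next to `Eq`, but that is a guess about future use rather than something this hunk shows.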