Commit 6098d364 authored by Mark Andrews's avatar Mark Andrews

2448. [func] Add NSEC3 support. [RT #15452]

parent 931cb604
2448. [func] Add NSEC3 support. [RT #15452]
2447. [cleanup] libbind has been split out as a seperate product.
2446. [func] Add a new log message about build options on startup.
......
DNSSEC and UPDATE
Converting from insecure to secure
As of BIND 9.6.0 it is possible to move a zone between being insecure
to secure and back again. A secure zone can be using NSEC or NSEC3.
To move a zone from insecure to secure you need to configure named
so that it can see the K* files which contain the public and private
parts of the keys that will be used to sign the zone. These files
will have been generated by dnssec-keygen. You can do this by
placing them in the key-directory as specified in named.conf.
zone example.net {
type master;
allow-update { .... };
file "dynamic/example.net/example.net";
key-directory "dynamic/example.net";
};
Assuming one KSK and ons ZSK DNSKEY key has been generated. Then
this will cause the zone to be signed with the ZSK and the DNSKEY
RRset to be signed with the KSK DNSKEY. A NSEC chain will also be
generated as part of the initial signing process.
% nsupdate
> ttl 3600
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> send
While the update request will complete almost immediately the zone
will not be completely signed until named has hand time to walk the
zone and generate the NSEC and RRSIG records. Initially the NSEC
record at the zone apex will have the OPT bit set. When the NSEC
chain is complete the OPT bit will be cleared. Additionally when
the zone fully signed the private type (default TYPE65535) records
will have a non zero value for the final octet.
The private type record has 5 octets.
algorithm (octet 1)
key id in network order (octet 2 and 3)
removal flag (octet 4)
complete flag (octet 5)
If you wish to go straight to a secure zone using NSEC3 you should
also add a NSECPARAM record to the update request with the flags
field set to indicate whether the NSEC3 chain will have the OPTOUT
bit set or not.
% nsupdate
> ttl 3600
> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
> update add example.net NSEC3PARAM 1 1 100 1234567890
> send
Again the update request will complete almost immediately however the
NSEC3PARAM record will have additional flag bits set indicating that the
NSEC3 chain is under construction. When the NSEC3 chain is complete the
flags field will be set to zero.
While the initial signing and NSEC/NSEC3 chain generation is happening
other updates are possible.
DNSKEY roll overs via UPDATE
It is possible to perform key rollovers via update. You need to
add the K* files for the new keys so that named can find them. You
can then add the new DNSKEY RRs via update. Named will then cause
the zone to be signed with the new keys. When the signing is
complete the private type records will be updated so that the last
octet is non zero.
If this is for a KSK you need to inform the parent and any trust
anchor repositories of the new KSK.
You should then wait for the maximum TLL in the zone before removing the
old DNSKEY. If it is a KSK that is being updated you also need to wait
for the DS RRset in the parent to be updated and its TTL to expire.
This ensures that all clients will be able to verify atleast a signature
when you remove the old DNSKEY.
The can be removed the old DNSKEY via UPDATE. Take care to specify
the correct key. Named will clean out any signatures generated by
the old key after the update completes.
NSEC3PARAM rollovers via UPDATE.
Add the new NSEC3PARAM record via update. When the new NSEC3 chain
has been generated the NSEC3PARAM flag field will be zero. At this
point you can remove the old NSEC3PARAM record. The old chain will
be removed after the update request completes.
Converting from NSEC to NSEC3
To do this you just need to add a NSEC3PARAM record. When the
conversion is complete the NSEC chain will have been removed and
the NSEC3PARAM record will have a zero flag field. The NSEC3 chain
will be generated before the NSEC chain is destroyed.
Converting from NSEC3 to NSEC
To do this remove all NSEC3PARAM records with a zero flag field. The
NSEC chain will be generated before the NSEC3 chain is removed.
Converting from secure to insecure
To do this remove all the DNSKEY records. Any NSEC or NSEC3 chains
will be removed as will as associated NSEC3PARAM records. The will
take place after the update requests completes.
Periodic re-signing.
Named will periodically re-sign RRsets which have not been re-signed
as a result of some update action. The signature lifetimes will
be adjusted so as to spread the re-sign load over time rather than
all at once.
NSEC3 and OPTOUT
Named only supports creating new NSEC3 chains where all the NSEC3
records in the zone have the same OPTOUT state. Named supports
UPDATES to zones where the NSEC3 records in the chain have mixed
OPTOUT state. Named does not support changing the OPTOUT state of
an individual NSEC3 record, the entire chain needs to be changed if
the OPTOUT state of an individual NSEC3 needs to be changed.
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.3 2008/03/31 23:47:11 tbox Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.4 2008/09/24 02:46:21 marka Exp $ */
/*! \file */
......@@ -47,7 +47,8 @@
const char *program = "dnssec-keyfromlabel";
int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1";
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
" NSEC3DSA | NSEC3RSASHA1";
static void
usage(void) {
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.3 2008/03/31 23:47:11 tbox Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.4 2008/09/24 02:46:21 marka Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>february 8, 2008</date>
......@@ -76,8 +76,8 @@
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA)
or RSASHA1, DSA or DH (Diffie Hellman). These values
are case insensitive.
or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
These values are case insensitive.
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
......
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.79 2007/08/28 07:20:42 tbox Exp $ */
/* $Id: dnssec-keygen.c,v 1.80 2008/09/24 02:46:21 marka Exp $ */
/*! \file */
......@@ -62,8 +62,9 @@
const char *program = "dnssec-keygen";
int verbose;
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
" HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA |"
" NSEC3RSASHA1 | HMAC-MD5 |"
" HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
" HMAC-SHA384 | HMAC-SHA512";
static isc_boolean_t
......@@ -82,8 +83,10 @@ usage(void) {
fprintf(stderr, " -b key size, in bits:\n");
fprintf(stderr, " RSAMD5:\t\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " RSASHA1:\t\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
fprintf(stderr, " DH:\t\t[128..4096]\n");
fprintf(stderr, " DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
fprintf(stderr, " HMAC-MD5:\t[1..512]\n");
fprintf(stderr, " HMAC-SHA1:\t[1..160]\n");
fprintf(stderr, " HMAC-SHA224:\t[1..224]\n");
......@@ -303,6 +306,7 @@ main(int argc, char **argv) {
switch (alg) {
case DNS_KEYALG_RSAMD5:
case DNS_KEYALG_RSASHA1:
case DNS_KEYALG_NSEC3RSASHA1:
if (size != 0 && (size < 512 || size > MAX_RSA))
fatal("RSA key size %d out of range", size);
break;
......@@ -311,6 +315,7 @@ main(int argc, char **argv) {
fatal("DH key size %d out of range", size);
break;
case DNS_KEYALG_DSA:
case DNS_KEYALG_NSEC3DSA:
if (size != 0 && !dsa_size_ok(size))
fatal("invalid DSS key size: %d", size);
break;
......@@ -370,8 +375,8 @@ main(int argc, char **argv) {
break;
}
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
rsa_exp != 0)
if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
fatal("specified RSA exponent for a non-RSA key");
if (alg != DNS_KEYALG_DH && generator != 0)
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.19 2007/06/18 23:47:17 tbox Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.20 2008/09/24 02:46:21 marka Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
......@@ -91,13 +91,13 @@
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
These values are case insensitive.
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm,
and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
......
This diff is collapsed.
......@@ -2,7 +2,7 @@
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and/or distribute this software for any
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.27 2007/06/18 23:47:18 tbox Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.28 2008/09/24 02:46:21 marka Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 30, 2000</date>
......@@ -41,6 +41,7 @@
<year>2005</year>
<year>2006</year>
<year>2007</year>
<year>2008</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
......@@ -76,6 +77,9 @@
<arg><option>-t</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
<arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
<arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
<arg><option>-A</option></arg>
<arg choice="req">zonefile</arg>
<arg rep="repeat">key</arg>
</cmdsynopsis>
......@@ -398,6 +402,38 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-3 <replaceable class="parameter">salt</replaceable></term>
<listitem>
<para>
Generate a NSEC3 chain with the given hex encoded salt.
A dash (<replaceable class="parameter">salt</replaceable>) can
be used to indicate that no salt is to be used when generating the NSEC3 chain.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-H <replaceable class="parameter">iterations</replaceable></term>
<listitem>
<para>
When generating a NSEC3 chain use this many interations. The
default is 100.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
When generating a NSEC3 chain set the OPTOUT flag on all
NSEC3 records and do not generate NSEC3 records for insecure
delegations.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssectool.h,v 1.20 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: dnssectool.h,v 1.21 2008/09/24 02:46:21 marka Exp $ */
#ifndef DNSSECTOOL_H
#define DNSSECTOOL_H 1
......@@ -41,7 +41,7 @@ vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
void
type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
#define TYPE_FORMATSIZE 10
#define TYPE_FORMATSIZE 20
void
alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.90 2008/09/04 05:56:42 marka Exp $ */
/* $Id: config.c,v 1.91 2008/09/24 02:46:21 marka Exp $ */
/*! \file */
......@@ -145,6 +145,7 @@ options {\n\
clients-per-query 10;\n\
max-clients-per-query 100;\n\
zero-no-soa-ttl-cache no;\n\
nsec3-test-zone no;\n\
"
" /* zone */\n\
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.38 2008/09/04 05:56:42 marka Exp $ -->
<!-- $Id: named.conf.docbook,v 1.39 2008/09/24 02:46:21 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -341,6 +341,8 @@ options {
zero-no-soa-ttl <replaceable>boolean</replaceable>;
zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
fake-iquery <replaceable>boolean</replaceable>; // obsolete
......@@ -588,6 +590,8 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
try-tcp-refresh <replaceable>boolean</replaceable>;
key-directory <replaceable>quoted_string</replaceable>;
nsec3-test-zone <replaceable>boolean</replaceable>; // testing only
ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
......
This diff is collapsed.
This diff is collapsed.
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: xfrout.c,v 1.129 2008/08/15 19:36:49 jinmei Exp $ */
/* $Id: xfrout.c,v 1.130 2008/09/24 02:46:21 marka Exp $ */
#include <config.h>
......@@ -169,7 +169,7 @@ db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
it->ver = ver;
it->now = now;
it->node = NULL;
result = dns_db_createiterator(it->db, ISC_FALSE, &it->dbit);
result = dns_db_createiterator(it->db, 0, &it->dbit);
if (result != ISC_R_SUCCESS)
return (result);
it->rdatasetit = NULL;
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.146 2008/05/21 23:47:00 tbox Exp $ */
/* $Id: zoneconf.c,v 1.147 2008/09/24 02:46:21 marka Exp $ */
/*% */
......@@ -716,6 +716,12 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
obj = NULL;
result = ns_config_get(maps, "nsec3-test-zone", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
cfg_obj_asboolean(obj));
}
/*
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsupdate.c,v 1.159 2008/04/02 02:37:41 marka Exp $ */
/* $Id: nsupdate.c,v 1.160 2008/09/24 02:46:21 marka Exp $ */
/*! \file */
......@@ -162,6 +162,8 @@ static unsigned int udp_retries = 3;
static dns_rdataclass_t defaultclass = dns_rdataclass_in;
static dns_rdataclass_t zoneclass = dns_rdataclass_none;
static dns_message_t *answer = NULL;
static isc_uint32_t default_ttl = 0;
static isc_boolean_t default_ttl_set = ISC_FALSE;
typedef struct nsu_requestinfo {
dns_message_t *msg;
......@@ -1386,6 +1388,33 @@ evaluate_zone(char *cmdline) {
return (STATUS_MORE);
}
static isc_uint16_t
evaluate_ttl(char *cmdline) {
char *word;
isc_result_t result;
isc_uint32_t ttl;
word = nsu_strsep(&cmdline, " \t\r\n");
if (*word == 0) {
fprintf(stderr, "could not ttl\n");
return (STATUS_SYNTAX);
}
result = isc_parse_uint32(&ttl, word, 10);
if (result != ISC_R_SUCCESS)
return (STATUS_SYNTAX);
if (ttl > TTL_MAX) {
fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
word, TTL_MAX);
return (STATUS_SYNTAX);
}
default_ttl = ttl;
default_ttl_set = ISC_TRUE;
return (STATUS_MORE);
}
static isc_uint16_t
evaluate_class(char *cmdline) {
char *word;
......@@ -1470,6 +1499,9 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
if (isdelete) {
ttl = 0;
goto parseclass;
} else if (default_ttl_set) {
ttl = default_ttl;
goto parseclass;
} else {
fprintf(stderr, "ttl '%s': %s\n", word,
isc_result_totext(result));
......@@ -1718,6 +1750,15 @@ get_next_command(void) {
return (evaluate_class(cmdline));
if (strcasecmp(word, "send") == 0)
return (STATUS_SEND);
if (strcasecmp(word, "debug") == 0) {
if (debugging)
ddebugging = ISC_TRUE;
else
debugging = ISC_TRUE;
return (STATUS_MORE);
}
if (strcasecmp(word, "ttl") == 0)
return (evaluate_ttl(cmdline));
if (strcasecmp(word, "show") == 0) {
show_message(stdout, updatemsg, "Outgoing update query:");
return (STATUS_MORE);
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: nsupdate.docbook,v 1.32 2008/08/29 03:16:14 marka Exp $ -->
<!-- $Id: nsupdate.docbook,v 1.33 2008/09/24 02:46:21 marka Exp $ -->
<refentry id="man.nsupdate">
<refentryinfo>
<date>Jun 30, 2000</date>
......@@ -55,6 +55,7 @@
<cmdsynopsis>
<command>nsupdate</command>
<arg><option>-d</option></arg>
<arg><option>-D</option></arg>
<group>
<arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
<arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
......@@ -102,6 +103,10 @@
This provides tracing information about the update requests that are
made and the replies received from the name server.
</para>
<para>
The <option>-D</option> option makes <command>nsupdate</command>
report additional debugging information to <option>-d</option>.
</para>
<para>
Transaction signatures can be used to authenticate the Dynamic DNS
updates.
......
......@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.129 2007/06/19 23:46:59 tbox Exp $
# $Id: Makefile.in,v 1.130 2008/09/24 02:46:21 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
......@@ -62,6 +62,7 @@ XTARGETS = adb_test@EXEEXT@ \
gxba_test@EXEEXT@ \
gxbn_test@EXEEXT@ \
hash_test@EXEEXT@ \
nsec3hash@EXEEXT@ \
fsaccess_test@EXEEXT@ \
inter_test@EXEEXT@ \
journalprint@EXEEXT@ \
......@@ -285,6 +286,10 @@ cfg_test@EXEEXT@: cfg_test.@O@ ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ cfg_test.@O@ \
${ISCCFGLIBS} ${DNSLIBS} ${ISCLIBS} ${LIBS}
nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
${LIBTOOL_MODE_LINK} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ nsec3hash.@O@ \
${DNSLIBS} ${ISCLIBS} ${LIBS}
distclean::
rm -f headerdep_test.sh
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: db_test.c,v 1.64 2007/06/19 23:46:59 tbox Exp $ */
/* $Id: db_test.c,v 1.65 2008/09/24 02:46:21 marka Exp $ */
/*! \file
* \author
......@@ -177,8 +177,7 @@ list(dbinfo *dbi, char *seektext) {
dns_db_currentversion(dbi->db, &dbi->iversion);
}
result = dns_db_createiterator(dbi->db, ISC_FALSE,
&dbi->dbiterator);
result = dns_db_createiterator(dbi->db, 0, &dbi->dbiterator);
if (result == ISC_R_SUCCESS) {
if (seektext != NULL) {
len = strlen(seektext);
......
/*
* Copyright (C) 2006 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsec3hash.c,v 1.2 2008/09/24 02:46:21 marka Exp $ */
#include <config.h>
#include <stdlib.h>
#include <stdarg.h>
#include <isc/base32.h>
#include <isc/buffer.h>
#include <isc/hex.h>
#include <isc/iterated_hash.h>
#include <isc/print.h>
#include <isc/result.h>
#include <isc/string.h>
#include <isc/types.h>
#include <dns/fixedname.h>
#include <dns/name.h>
#include <dns/types.h>