From 620b1c9d90d0a59a0d892fef089ce4f5f6f61742 Mon Sep 17 00:00:00 2001
From: Tomas Hozza <thozza@redhat.com>
Date: Fri, 1 Apr 2016 15:20:27 +0200
Subject: [PATCH] Added support for CAA records
Signed-off-by: Tomas Hozza <thozza@redhat.com>
---
bin/tests/rdata_test.c | 17 +-
doc/rfc/rfc6844.txt | 1011 ++++++++++++++++++++++++++++++++++++++
lib/dns/rdata.c | 95 ++--
lib/dns/rdata/generic/caa_257.c | 370 ++++++++++++++
lib/dns/rdata/generic/caa_257.h | 32 ++
lib/dns/rdata/generic/gpos_27.c | 2 +-
lib/dns/rdata/generic/hinfo_13.c | 4 +-
lib/dns/rdata/generic/isdn_20.c | 4 +-
lib/dns/rdata/generic/naptr_35.c | 6 +-
lib/dns/rdata/generic/spf_99.c | 2 +-
lib/dns/rdata/generic/txt_16.c | 2 +-
lib/dns/rdata/generic/uri_256.c | 23 +-
lib/dns/rdata/generic/x25_19.c | 2 +-
13 files changed, 1478 insertions(+), 92 deletions(-)
create mode 100644 doc/rfc/rfc6844.txt
create mode 100644 lib/dns/rdata/generic/caa_257.c
create mode 100644 lib/dns/rdata/generic/caa_257.h
diff --git a/bin/tests/rdata_test.c b/bin/tests/rdata_test.c
index 51cc406..0f25364 100644
--- a/bin/tests/rdata_test.c
+++ b/bin/tests/rdata_test.c
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: rdata_test.c,v 1.52 2011/08/28 09:10:41 marka Exp $ */
-
#include <config.h>
#include <stdlib.h>
@@ -284,6 +282,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
result = dns_rdata_tostruct(rdata, sp = &uri, NULL);
break;
}
+ case dns_rdatatype_caa: {
+ static dns_rdata_caa_t caa;
+ result = dns_rdata_tostruct(rdata, sp = &caa, NULL);
+ break;
+ }
case dns_rdatatype_wks: {
static dns_rdata_in_wks_t in_wks;
result = dns_rdata_tostruct(rdata, sp = &in_wks, NULL);
@@ -551,6 +554,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
result = dns_rdata_tostruct(rdata, sp = &uri, mctx);
break;
}
+ case dns_rdatatype_caa: {
+ static dns_rdata_caa_t caa;
+ result = dns_rdata_tostruct(rdata, sp = &caa, mctx);
+ break;
+ }
case dns_rdatatype_wks: {
static dns_rdata_in_wks_t in_wks;
result = dns_rdata_tostruct(rdata, sp = &in_wks, mctx);
@@ -848,6 +856,11 @@ viastruct(dns_rdata_t *rdata, isc_mem_t *mctx,
result = dns_rdata_fromstruct(rdata2, rdc, rdt, &uri, b);
break;
}
+ case dns_rdatatype_caa: {
+ dns_rdata_caa_t caa;
+ result = dns_rdata_fromstruct(rdata2, rdc, rdt, &caa, b);
+ break;
+ }
case dns_rdatatype_wks: {
dns_rdata_in_wks_t in_wks;
result = dns_rdata_fromstruct(rdata2, rdc, rdt, &in_wks, b);
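Review bot: In the new `dns_rdatatype_caa` case of this hunk, `dns_rdata_caa_t caa;` is declared without an initializer and nothing between the declaration and `dns_rdata_fromstruct(rdata2, rdc, rdt, &caa, b)` populates it, so if this switch is executed the call reads an indeterminate struct. The neighbouring `in_wks` case has exactly the same shape, so this may be pre-existing scaffolding in the harness rather than a real round-trip test; if that is the intent, a comment such as `/* not a round-trip: struct is left unpopulated, as for the other types */` above the declaration would make it explicit, and if a real round-trip is intended the struct produced by the earlier tostruct switches should be copied into `caa` before this line. The same shape appears in the two tostruct hunks above, where the static `caa` is at least written by tostruct before it is used. viastruct's body starts and ends outside the hunk.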
diff --git a/doc/rfc/rfc6844.txt b/doc/rfc/rfc6844.txt
new file mode 100644
index 0000000..d923649
--- /dev/null
+++ b/doc/rfc/rfc6844.txt
@@ -0,0 +1,1011 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) P. Hallam-Baker
+Request for Comments: 6844 Comodo Group, Inc.
+Category: Standards Track R. Stradling
+ISSN: 2070-1721 Comodo CA, Ltd.
+ January 2013
+
+
+ DNS Certification Authority Authorization (CAA) Resource Record
+
+Abstract
+
+ The Certification Authority Authorization (CAA) DNS Resource Record
+ allows a DNS domain name holder to specify one or more Certification
+ Authorities (CAs) authorized to issue certificates for that domain.
+ CAA Resource Records allow a public Certification Authority to
+ implement additional controls to reduce the risk of unintended
+ certificate mis-issue. This document defines the syntax of the CAA
+ record and rules for processing CAA records by certificate issuers.
+
+Status of This Memo
+
+ This is an Internet Standards Track document.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ Internet Standards is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6844.
+
+Copyright Notice
+
+ Copyright (c) 2013 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 1]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+Table of Contents
+
+ 1. Introduction ....................................................2
+ 2. Definitions .....................................................3
+ 2.1. Requirements Language ......................................3
+ 2.2. Defined Terms ..............................................3
+ 3. The CAA RR Type .................................................5
+ 4. Certification Authority Processing ..............................7
+ 4.1. Use of DNS Security ........................................8
+ 5. Mechanism .......................................................8
+ 5.1. Syntax .....................................................8
+ 5.1.1. Canonical Presentation Format ......................10
+ 5.2. CAA issue Property ........................................10
+ 5.3. CAA issuewild Property ....................................12
+ 5.4. CAA iodef Property ........................................12
+ 6. Security Considerations ........................................13
+ 6.1. Non-Compliance by Certification Authority .................13
+ 6.2. Mis-Issue by Authorized Certification Authority ...........13
+ 6.3. Suppression or Spoofing of CAA Records ....................13
+ 6.4. Denial of Service .........................................14
+ 6.5. Abuse of the Critical Flag ................................14
+ 7. IANA Considerations ............................................14
+ 7.1. Registration of the CAA Resource Record Type ..............14
+ 7.2. Certification Authority Restriction Properties ............15
+ 7.3. Certification Authority Restriction Flags .................15
+ 8. Acknowledgements ...............................................16
+ 9. References .....................................................16
+ 9.1. Normative References ......................................16
+ 9.2. Informative References ....................................17
+
+1. Introduction
+
+ The Certification Authority Authorization (CAA) DNS Resource Record
+ allows a DNS domain name holder to specify the Certification
+ Authorities (CAs) authorized to issue certificates for that domain.
+ Publication of CAA Resource Records allows a public Certification
+ Authority to implement additional controls to reduce the risk of
+ unintended certificate mis-issue.
+
+ Like the TLSA record defined in DNS-Based Authentication of Named
+ Entities (DANE) [RFC6698], CAA records are used as a part of a
+ mechanism for checking PKIX certificate data. The distinction
+ between the two specifications is that CAA records specify an
+ authorization control to be performed by a certificate issuer before
+ issue of a certificate and TLSA records specify a verification
+ control to be performed by a relying party after the certificate is
+ issued.
+
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 2]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ Conformance with a published CAA record is a necessary but not
+ sufficient condition for issuance of a certificate. Before issuing a
+ certificate, a PKIX CA is required to validate the request according
+ to the policies set out in its Certificate Policy. In the case of a
+ public CA that validates certificate requests as a third party, the
+ certificate will typically be issued under a public trust anchor
+ certificate embedded in one or more relevant Relying Applications.
+
+ Criteria for inclusion of embedded trust anchor certificates in
+ applications are outside the scope of this document. Typically, such
+ criteria require the CA to publish a Certificate Practices Statement
+ (CPS) that specifies how the requirements of the Certificate Policy
+ (CP) are achieved. It is also common for a CA to engage an
+ independent third-party auditor to prepare an annual audit statement
+ of its performance against its CPS.
+
+ A set of CAA records describes only current grants of authority to
+ issue certificates for the corresponding DNS domain. Since a
+ certificate is typically valid for at least a year, it is possible
+ that a certificate that is not conformant with the CAA records
+ currently published was conformant with the CAA records published at
+ the time that the certificate was issued. Relying Applications MUST
+ NOT use CAA records as part of certificate validation.
+
+ CAA records MAY be used by Certificate Evaluators as a possible
+ indicator of a security policy violation. Such use SHOULD take
+ account of the possibility that published CAA records changed between
+ the time a certificate was issued and the time at which the
+ certificate was observed by the Certificate Evaluator.
+
+2. Definitions
+
+2.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+2.2. Defined Terms
+
+ The following terms are used in this document:
+
+ Authorization Entry: An authorization assertion that grants or
+ denies a specific set of permissions to a specific group of
+ entities.
+
+ Certificate: An X.509 Certificate, as specified in [RFC5280].
+
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 3]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ Certificate Evaluator: A party other than a relying party that
+ evaluates the trustworthiness of certificates issued by
+ Certification Authorities.
+
+ Certification Authority (CA): An issuer that issues certificates in
+ accordance with a specified Certificate Policy.
+
+ Certificate Policy (CP): Specifies the criteria that a Certification
+ Authority undertakes to meet in its issue of certificates. See
+ [RFC3647].
+
+ Certification Practices Statement (CPS): Specifies the means by
+ which the criteria of the Certificate Policy are met. In most
+ cases, this will be the document against which the operations of
+ the Certification Authority are audited. See [RFC3647].
+
+ Domain: A DNS Domain Name.
+
+ Domain Name: A DNS Domain Name as specified in [STD13].
+
+ Domain Name System (DNS): The Internet naming system specified in
+ [STD13].
+
+ DNS Security (DNSSEC): Extensions to the DNS that provide
+ authentication services as specified in [RFC4033], [RFC4034],
+ [RFC4035], [RFC5155], and revisions.
+
+ Issuer: An entity that issues certificates. See [RFC5280].
+
+ Property: The tag-value portion of a CAA Resource Record.
+
+ Property Tag: The tag portion of a CAA Resource Record.
+
+ Property Value: The value portion of a CAA Resource Record.
+
+ Public Key Infrastructure X.509 (PKIX): Standards and specifications
+ issued by the IETF that apply the [X.509] certificate standards
+ specified by the ITU to Internet applications as specified in
+ [RFC5280] and related documents.
+
+ Resource Record (RR): A particular entry in the DNS including the
+ owner name, class, type, time to live, and data, as defined in
+ [STD13] and [RFC2181].
+
+ Resource Record Set (RRSet): A set of Resource Records or a
+ particular owner name, class, and type. The time to live on all
+ RRs with an RRSet is always the same, but the data may be
+ different among RRs in the RRSet.
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 4]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ Relying Party: A party that makes use of an application whose
+ operation depends on use of a certificate for making a security
+ decision. See [RFC5280].
+
+ Relying Application: An application whose operation depends on use
+ of a certificate for making a security decision.
+
+3. The CAA RR Type
+
+ A CAA RR consists of a flags byte and a tag-value pair referred to as
+ a property. Multiple properties MAY be associated with the same
+ domain name by publishing multiple CAA RRs at that domain name. The
+ following flag is defined:
+
+ Issuer Critical: If set to '1', indicates that the corresponding
+ property tag MUST be understood if the semantics of the CAA record
+ are to be correctly interpreted by an issuer.
+
+ Issuers MUST NOT issue certificates for a domain if the relevant
+ CAA Resource Record set contains unknown property tags that have
+ the Critical bit set.
+
+ The following property tags are defined:
+
+ issue <Issuer Domain Name> [; <name>=<value> ]* : The issue property
+ entry authorizes the holder of the domain name
+ Name> or a party acting under the explicit authority of the holder
+ of that domain name to issue certificates for the domain in which
+ the property is published.
+
+ issuewild <Issuer Domain Name> [; <name>=<value> ]* : The issuewild
+ property entry authorizes the holder of the domain name
+ Domain Name> or a party acting under the explicit authority of the
+ holder of that domain name to issue wildcard certificates for the
+ domain in which the property is published.
+
+ iodef <URL> : Specifies a URL to which an issuer MAY report
+ certificate issue requests that are inconsistent with the issuer's
+ Certification Practices or Certificate Policy, or that a
+ Certificate Evaluator may use to report observation of a possible
+ policy violation. The Incident Object Description Exchange Format
+ (IODEF) format is used [RFC5070].
+
+ The following example is a DNS zone file (see [RFC1035]) that informs
+ CAs that certificates are not to be issued except by the holder of
+ the domain name 'ca.example.net' or an authorized agent thereof.
+ This policy applies to all subordinate domains under example.com.
+
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 5]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ $ORIGIN example.com
+ . CAA 0 issue "ca.example.net"
+
+ If the domain name holder specifies one or more iodef properties, a
+ certificate issuer MAY report invalid certificate requests to that
+ address. In the following example, the domain name holder specifies
+ that reports may be made by means of email with the IODEF data as an
+ attachment, a Web service [RFC6546], or both:
+
+ $ORIGIN example.com
+ . CAA 0 issue "ca.example.net"
+ . CAA 0 iodef "mailto:security@example.com"
+ . CAA 0 iodef "http://iodef.example.com/"
+
+ A certificate issuer MAY specify additional parameters that allow
+ customers to specify additional parameters governing certificate
+ issuance. This might be the Certificate Policy under which the
+ certificate is to be issued, the authentication process to be used
+ might be specified, or an account number specified by the CA to
+ enable these parameters to be retrieved.
+
+ For example, the CA 'ca.example.net' has requested its customer
+ 'example.com' to specify the CA's account number '230123' in each of
+ the customer's CAA records.
+
+ $ORIGIN example.com
+ . CAA 0 issue "ca.example.net; account=230123"
+
+ The syntax of additional parameters is a sequence of name-value pairs
+ as defined in Section 5.2. The semantics of such parameters is left
+ to site policy and is outside the scope of this document.
+
+ The critical flag is intended to permit future versions CAA to
+ introduce new semantics that MUST be understood for correct
+ processing of the record, preventing conforming CAs that do not
+ recognize the new semantics from issuing certificates for the
+ indicated domains.
+
+ In the following example, the property 'tbs' is flagged as critical.
+ Neither the example.net CA nor any other issuer is authorized to
+ issue under either policy unless the processing rules for the 'tbs'
+ property tag are understood.
+
+ $ORIGIN example.com
+ . CAA 0 issue "ca.example.net; policy=ev"
+ . CAA 128 tbs "Unknown"
+
+
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 6]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ Note that the above restrictions only apply at certificate issue.
+ Since the validity of an end entity certificate is typically a year
+ or more, it is quite possible that the CAA records published at a
+ domain will change between the time a certificate was issued and
+ validation by a relying party.
+
+4. Certification Authority Processing
+
+ Before issuing a certificate, a compliant CA MUST check for
+ publication of a relevant CAA Resource Record set. If such a record
+ set exists, a CA MUST NOT issue a certificate unless the CA
+ determines that either (1) the certificate request is consistent with
+ the applicable CAA Resource Record set or (2) an exception specified
+ in the relevant Certificate Policy or Certification Practices
+ Statement applies.
+
+ A certificate request MAY specify more than one domain name and MAY
+ specify wildcard domains. Issuers MUST verify authorization for all
+ the domains and wildcard domains specified in the request.
+
+ The search for a CAA record climbs the DNS name tree from the
+ specified label up to but not including the DNS root '.'.
+
+ Given a request for a specific domain X, or a request for a wildcard
+ domain *.X, the relevant record set R(X) is determined as follows:
+
+ Let CAA(X) be the record set returned in response to performing a CAA
+ record query on the label X, P(X) be the DNS label immediately above
+ X in the DNS hierarchy, and A(X) be the target of a CNAME or DNAME
+ alias record specified at the label X.
+
+ o If CAA(X) is not empty, R(X) = CAA (X), otherwise
+
+ o If A(X) is not null, and R(A(X)) is not empty, then R(X) =
+ R(A(X)), otherwise
+
+ o If X is not a top-level domain, then R(X) = R(P(X)), otherwise
+
+ o R(X) is empty.
+
+ For example, if a certificate is requested for X.Y.Z the issuer will
+ search for the relevant CAA record set in the following order:
+
+ X.Y.Z
+
+ Alias (X.Y.Z)
+
+ Y.Z
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 7]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ Alias (Y.Z)
+
+ Z
+
+ Alias (Z)
+
+ Return Empty
+
+4.1. Use of DNS Security
+
+ Use of DNSSEC to authenticate CAA RRs is strongly RECOMMENDED but not
+ required. An issuer MUST NOT issue certificates if doing so would
+ conflict with the relevant CAA Resource Record set, irrespective of
+ whether the corresponding DNS records are signed.
+
+ DNSSEC provides a proof of non-existence for both DNS domains and RR
+ set within domains. DNSSEC verification thus enables an issuer to
+ determine if the answer to a CAA record query is empty because the RR
+ set is empty or if it is non-empty but the response has been
+ suppressed.
+
+ Use of DNSSEC allows an issuer to acquire and archive a proof that
+ they were authorized to issue certificates for the domain.
+ Verification of such archives MAY be an audit requirement to verify
+ CAA record processing compliance. Publication of such archives MAY
+ be a transparency requirement to verify CAA record processing
+ compliance.
+
+5. Mechanism
+
+5.1. Syntax
+
+ A CAA RR contains a single property entry consisting of a tag-value
+ pair. Each tag represents a property of the CAA record. The value
+ of a CAA property is that specified in the corresponding value field.
+
+ A domain name MAY have multiple CAA RRs associated with it and a
+ given property MAY be specified more than once.
+
+ The CAA data field contains one property entry. A property entry
+ consists of the following data fields:
+
+
+
+
+
+
+
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 8]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ +0-1-2-3-4-5-6-7-|0-1-2-3-4-5-6-7-|
+ | Flags | Tag Length = n |
+ +----------------+----------------+...+---------------+
+ | Tag char 0 | Tag char 1 |...| Tag char n-1 |
+ +----------------+----------------+...+---------------+
+ +----------------+----------------+.....+----------------+
+ | Value byte 0 | Value byte 1 |.....| Value byte m-1 |
+ +----------------+----------------+.....+----------------+
+
+ Where n is the length specified in the Tag length field and m is the
+ remaining octets in the Value field (m = d - n - 2) where d is the
+ length of the RDATA section.
+
+ The data fields are defined as follows:
+
+ Flags: One octet containing the following fields:
+
+ Bit 0, Issuer Critical Flag: If the value is set to '1', the
+ critical flag is asserted and the property MUST be understood
+ if the CAA record is to be correctly processed by a certificate
+ issuer.
+
+ A Certification Authority MUST NOT issue certificates for any
+ Domain that contains a CAA critical property for an unknown or
+ unsupported property tag that for which the issuer critical
+ flag is set.
+
+ Note that according to the conventions set out in [RFC1035], bit 0
+ is the Most Significant Bit and bit 7 is the Least Significant
+ Bit. Thus, the Flags value 1 means that bit 7 is set while a value
+ of 128 means that bit 0 is set according to this convention.
+
+ All other bit positions are reserved for future use.
+
+ To ensure compatibility with future extensions to CAA, DNS records
+ compliant with this version of the CAA specification MUST clear
+ (set to "0") all reserved flags bits. Applications that interpret
+ CAA records MUST ignore the value of all reserved flag bits.
+
+ Tag Length: A single octet containing an unsigned integer specifying
+ the tag length in octets. The tag length MUST be at least 1 and
+ SHOULD be no more than 15.
+
+
+
+
+
+
+
+
+
+Hallam-Baker & Stradling Standards Track [Page 9]
+
+RFC 6844 Certification Authority Authorization January 2013
+
+
+ Tag: The property identifier, a sequence of US-ASCII characters.
+
+ Tag values MAY contain US-ASCII characters 'a' through 'z', 'A'
+ through 'Z', and the numbers 0 through 9. Tag values SHOULD NOT
+ contain any other characters. Matching of tag values is case
+ insensitive.
+
+ Tag values submitted for registration by IANA MUST NOT contain any
+ characters other than the (lowercase) US-ASCII characters 'a'
+ through 'z' and the numbers 0 through 9.
+
+ Value: A sequence of octets representing the property value.
+ Property values are encoded as binary values and MAY employ sub-
+ formats.
+
+ The length of the value field is specified implicitly as the
+ remaining length of the enclosing Resource Record data field.
+
+5.1.1. Canonical Presentation Format
+
+ The canonical presentation format of the CAA record is:
|
|
|
900526 |
+
|
|
|
900526 |
+ CAA <flags> <tag> <value>
|
|
|
900526 |
+
|
|
|
900526 |
+ Where:
|
|
|
900526 |
+
|
|
|
900526 |
+ Flags: Is an unsigned integer between 0 and 255.
|
|
|
900526 |
+
|
|
|
900526 |
+ Tag: Is a non-zero sequence of US-ASCII letters and numbers in lower
|
|
|
900526 |
+ case.
|
|
|
900526 |
+
|
|
|
900526 |
+ Value: Is the <character-string> encoding of the value field as
|
|
|
900526 |
+ specified in [RFC1035], Section 5.1.
|
|
|
900526 |
+
|
|
|
900526 |
+5.2. CAA issue Property
|
|
|
900526 |
+
|
|
|
900526 |
+ The issue property tag is used to request that certificate issuers
|
|
|
900526 |
+ perform CAA issue restriction processing for the domain and to grant
|
|
|
900526 |
+ authorization to specific certificate issuers.
|
|
|
900526 |
+
|
|
|
900526 |
+ The CAA issue property value has the following sub-syntax (specified
|
|
|
900526 |
+ in ABNF as per [RFC5234]).
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 10]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ issuevalue = space [domain] space [";" *(space parameter) space]
|
|
|
900526 |
+
|
|
|
900526 |
+ domain = label *("." label)
|
|
|
900526 |
+ label = (ALPHA / DIGIT) *( *("-") (ALPHA / DIGIT))
|
|
|
900526 |
+
|
|
|
900526 |
+ space = *(SP / HTAB)
|
|
|
900526 |
+
|
|
|
900526 |
+ parameter = tag "=" value
|
|
|
900526 |
+
|
|
|
900526 |
+ tag = 1*(ALPHA / DIGIT)
|
|
|
900526 |
+
|
|
|
900526 |
+ value = *VCHAR
|
|
|
900526 |
+
|
|
|
900526 |
+ For consistency with other aspects of DNS administration, domain name
|
|
|
900526 |
+ values are specified in letter-digit-hyphen Label (LDH-Label) form.
|
|
|
900526 |
+
|
|
|
900526 |
+ A CAA record with an issue parameter tag that does not specify a
|
|
|
900526 |
+ domain name is a request that certificate issuers perform CAA issue
|
|
|
900526 |
+ restriction processing for the corresponding domain without granting
|
|
|
900526 |
+ authorization to any certificate issuer.
|
|
|
900526 |
+
|
|
|
900526 |
+ This form of issue restriction would be appropriate to specify that
|
|
|
900526 |
+ no certificates are to be issued for the domain in question.
|
|
|
900526 |
+
|
|
|
900526 |
+ For example, the following CAA record set requests that no
|
|
|
900526 |
+ certificates be issued for the domain 'nocerts.example.com' by any
|
|
|
900526 |
+ certificate issuer.
|
|
|
900526 |
+
|
|
|
900526 |
+ nocerts.example.com CAA 0 issue ";"
|
|
|
900526 |
+
|
|
|
900526 |
+ A CAA record with an issue parameter tag that specifies a domain name
|
|
|
900526 |
+ is a request that certificate issuers perform CAA issue restriction
|
|
|
900526 |
+ processing for the corresponding domain and grants authorization to
|
|
|
900526 |
+ the certificate issuer specified by the domain name.
|
|
|
900526 |
+
|
|
|
900526 |
+ For example, the following CAA record set requests that no
|
|
|
900526 |
+ certificates be issued for the domain 'certs.example.com' by any
|
|
|
900526 |
+ certificate issuer other than the example.net certificate issuer.
|
|
|
900526 |
+
|
|
|
900526 |
+ certs.example.com CAA 0 issue "example.net"
|
|
|
900526 |
+
|
|
|
900526 |
+ CAA authorizations are additive; thus, the result of specifying both
|
|
|
900526 |
+ the empty issuer and a specified issuer is the same as specifying
|
|
|
900526 |
+ just the specified issuer alone.
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 11]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ An issuer MAY choose to specify issuer-parameters that further
|
|
|
900526 |
+ constrain the issue of certificates by that issuer, for example,
|
|
|
900526 |
+ specifying that certificates are to be subject to specific validation
|
|
|
900526 |
+ polices, billed to certain accounts, or issued under specific trust
|
|
|
900526 |
+ anchors.
|
|
|
900526 |
+
|
|
|
900526 |
+ The semantics of issuer-parameters are determined by the issuer
|
|
|
900526 |
+ alone.
|
|
|
900526 |
+
|
|
|
900526 |
+5.3. CAA issuewild Property
|
|
|
900526 |
+
|
|
|
900526 |
+ The issuewild property has the same syntax and semantics as the issue
|
|
|
900526 |
+ property except that issuewild properties only grant authorization to
|
|
|
900526 |
+ issue certificates that specify a wildcard domain and issuewild
|
|
|
900526 |
+ properties take precedence over issue properties when specified.
|
|
|
900526 |
+ Specifically:
|
|
|
900526 |
+
|
|
|
900526 |
+ issuewild properties MUST be ignored when processing a request for
|
|
|
900526 |
+ a domain that is not a wildcard domain.
|
|
|
900526 |
+
|
|
|
900526 |
+ If at least one issuewild property is specified in the relevant
|
|
|
900526 |
+ CAA record set, all issue properties MUST be ignored when
|
|
|
900526 |
+ processing a request for a domain that is a wildcard domain.
|
|
|
900526 |
+
|
|
|
900526 |
+5.4. CAA iodef Property
|
|
|
900526 |
+
|
|
|
900526 |
+ The iodef property specifies a means of reporting certificate issue
|
|
|
900526 |
+ requests or cases of certificate issue for the corresponding domain
|
|
|
900526 |
+ that violate the security policy of the issuer or the domain name
|
|
|
900526 |
+ holder.
|
|
|
900526 |
+
|
|
|
900526 |
+ The Incident Object Description Exchange Format (IODEF) [RFC5070] is
|
|
|
900526 |
+ used to present the incident report in machine-readable form.
|
|
|
900526 |
+
|
|
|
900526 |
+ The iodef property takes a URL as its parameter. The URL scheme type
|
|
|
900526 |
+ determines the method used for reporting:
|
|
|
900526 |
+
|
|
|
900526 |
+ mailto: The IODEF incident report is reported as a MIME email
|
|
|
900526 |
+ attachment to an SMTP email that is submitted to the mail address
|
|
|
900526 |
+ specified. The mail message sent SHOULD contain a brief text
|
|
|
900526 |
+ message to alert the recipient to the nature of the attachment.
|
|
|
900526 |
+
|
|
|
900526 |
+ http or https: The IODEF report is submitted as a Web service
|
|
|
900526 |
+ request to the HTTP address specified using the protocol specified
|
|
|
900526 |
+ in [RFC6546].
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 12]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+6. Security Considerations
|
|
|
900526 |
+
|
|
|
900526 |
+ CAA records assert a security policy that the holder of a domain name
|
|
|
900526 |
+ wishes to be observed by certificate issuers. The effectiveness of
|
|
|
900526 |
+ CAA records as an access control mechanism is thus dependent on
|
|
|
900526 |
+ observance of CAA constraints by issuers.
|
|
|
900526 |
+
|
|
|
900526 |
+ The objective of the CAA record properties described in this document
|
|
|
900526 |
+ is to reduce the risk of certificate mis-issue rather than avoid
|
|
|
900526 |
+ reliance on a certificate that has been mis-issued. DANE [RFC6698]
|
|
|
900526 |
+ describes a mechanism for avoiding reliance on mis-issued
|
|
|
900526 |
+ certificates.
|
|
|
900526 |
+
|
|
|
900526 |
+6.1. Non-Compliance by Certification Authority
|
|
|
900526 |
+
|
|
|
900526 |
+ CAA records offer CAs a cost-effective means of mitigating the risk
|
|
|
900526 |
+ of certificate mis-issue: the cost of implementing CAA checks is very
|
|
|
900526 |
+ small and the potential costs of a mis-issue event include the
|
|
|
900526 |
+ removal of an embedded trust anchor.
|
|
|
900526 |
+
|
|
|
900526 |
+6.2. Mis-Issue by Authorized Certification Authority
|
|
|
900526 |
+
|
|
|
900526 |
+ Use of CAA records does not prevent mis-issue by an authorized
|
|
|
900526 |
+ Certification Authority, i.e., a CA that is authorized to issue
|
|
|
900526 |
+ certificates for the domain in question by CAA records.
|
|
|
900526 |
+
|
|
|
900526 |
+ Domain name holders SHOULD verify that the CAs they authorize to
|
|
|
900526 |
+ issue certificates for their domains employ appropriate controls to
|
|
|
900526 |
+ ensure that certificates are issued only to authorized parties within
|
|
|
900526 |
+ their organization.
|
|
|
900526 |
+
|
|
|
900526 |
+ Such controls are most appropriately determined by the domain name
|
|
|
900526 |
+ holder and the authorized CA(s) directly and are thus out of scope of
|
|
|
900526 |
+ this document.
|
|
|
900526 |
+
|
|
|
900526 |
+6.3. Suppression or Spoofing of CAA Records
|
|
|
900526 |
+
|
|
|
900526 |
+ Suppression of the CAA record or insertion of a bogus CAA record
|
|
|
900526 |
+ could enable an attacker to obtain a certificate from an issuer that
|
|
|
900526 |
+ was not authorized to issue for that domain name.
|
|
|
900526 |
+
|
|
|
900526 |
+ Where possible, issuers SHOULD perform DNSSEC validation to detect
|
|
|
900526 |
+ missing or modified CAA record sets.
|
|
|
900526 |
+
|
|
|
900526 |
+ In cases where DNSSEC is not deployed in a corresponding domain, an
|
|
|
900526 |
+ issuer SHOULD attempt to mitigate this risk by employing appropriate
|
|
|
900526 |
+ DNS security controls. For example, all portions of the DNS lookup
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 13]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ process SHOULD be performed against the authoritative name server.
|
|
|
900526 |
+ Data cached by third parties MUST NOT be relied on but MAY be used to
|
|
|
900526 |
+ support additional anti-spoofing or anti-suppression controls.
|
|
|
900526 |
+
|
|
|
900526 |
+6.4. Denial of Service
|
|
|
900526 |
+
|
|
|
900526 |
+ Introduction of a malformed or malicious CAA RR could in theory
|
|
|
900526 |
+ enable a Denial-of-Service (DoS) attack.
|
|
|
900526 |
+
|
|
|
900526 |
+ This specific threat is not considered to add significantly to the
|
|
|
900526 |
+ risk of running an insecure DNS service.
|
|
|
900526 |
+
|
|
|
900526 |
+ An attacker could, in principle, perform a DoS attack against an
|
|
|
900526 |
+ issuer by requesting a certificate with a maliciously long DNS name.
|
|
|
900526 |
+ In practice, the DNS protocol imposes a maximum name length and CAA
|
|
|
900526 |
+ processing does not exacerbate the existing need to mitigate DoS
|
|
|
900526 |
+ attacks to any meaningful degree.
|
|
|
900526 |
+
|
|
|
900526 |
+6.5. Abuse of the Critical Flag
|
|
|
900526 |
+
|
|
|
900526 |
+ A Certification Authority could make use of the critical flag to
|
|
|
900526 |
+ trick customers into publishing records that prevent competing
|
|
|
900526 |
+ Certification Authorities from issuing certificates even though the
|
|
|
900526 |
+ customer intends to authorize multiple providers.
|
|
|
900526 |
+
|
|
|
900526 |
+ In practice, such an attack would be of minimal effect since any
|
|
|
900526 |
+ competent competitor that found itself unable to issue certificates
|
|
|
900526 |
+ due to lack of support for a property marked critical SHOULD
|
|
|
900526 |
+ investigate the cause and report the reason to the customer. The
|
|
|
900526 |
+ customer will thus discover that they had been deceived.
|
|
|
900526 |
+
|
|
|
900526 |
+7. IANA Considerations
|
|
|
900526 |
+
|
|
|
900526 |
+7.1. Registration of the CAA Resource Record Type
|
|
|
900526 |
+
|
|
|
900526 |
+ IANA has assigned Resource Record Type 257 for the CAA Resource
|
|
|
900526 |
+ Record Type and added the line depicted below to the registry named
|
|
|
900526 |
+ "Resource Record (RR) TYPEs" and QTYPEs as defined in BCP 42
|
|
|
900526 |
+ [RFC6195] and located at
|
|
|
900526 |
+ http://www.iana.org/assignments/dns-parameters.
|
|
|
900526 |
+
|
|
|
900526 |
+ RR Name Value and meaning Reference
|
|
|
900526 |
+ ----------- --------------------------------------------- ---------
|
|
|
900526 |
+ CAA 257 Certification Authority Restriction [RFC6844]
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 14]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+7.2. Certification Authority Restriction Properties
|
|
|
900526 |
+
|
|
|
900526 |
+ IANA has created the "Certification Authority Restriction Properties"
|
|
|
900526 |
+ registry with the following initial values:
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ Tag Meaning Reference
|
|
|
900526 |
+ ----------- -------------------------------------- ---------
|
|
|
900526 |
+ issue Authorization Entry by Domain [RFC6844]
|
|
|
900526 |
+ issuewild Authorization Entry by Wildcard Domain [RFC6844]
|
|
|
900526 |
+ iodef Report incident by IODEF report [RFC6844]
|
|
|
900526 |
+ auth Reserved [HB2011]
|
|
|
900526 |
+ path Reserved [HB2011]
|
|
|
900526 |
+ policy Reserved [HB2011]
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ Although [HB2011] has expired, deployed clients implement the CAA
|
|
|
900526 |
+ properties specified in the document and reuse of these property tags
|
|
|
900526 |
+ for a different purpose could cause unexpected behavior.
|
|
|
900526 |
+
|
|
|
900526 |
+ Addition of tag identifiers requires a public specification and
|
|
|
900526 |
+ Expert Review as set out in [RFC6195], Section 3.1.1.
|
|
|
900526 |
+
|
|
|
900526 |
+ The tag space is designed to be sufficiently large that exhausting
|
|
|
900526 |
+ the possible tag space need not be a concern. The scope of Expert
|
|
|
900526 |
+ Review SHOULD be limited to the question of whether the specification
|
|
|
900526 |
+ provided is sufficiently clear to permit implementation and to avoid
|
|
|
900526 |
+ unnecessary duplication of functionality.
|
|
|
900526 |
+
|
|
|
900526 |
+7.3. Certification Authority Restriction Flags
|
|
|
900526 |
+
|
|
|
900526 |
+ IANA has created the "Certification Authority Restriction Flags"
|
|
|
900526 |
+ registry with the following initial values:
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ Flag Meaning Reference
|
|
|
900526 |
+ ----------- ---------------------------------- ---------
|
|
|
900526 |
+ 0 Issuer Critical Flag [RFC6844]
|
|
|
900526 |
+ 1-7 Reserved> [RFC6844]
|
|
|
900526 |
+
|
|
|
900526 |
+ Assignment of new flags follows the RFC Required policy set out in
|
|
|
900526 |
+ [RFC5226], Section 4.1.
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 15]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+8. Acknowledgements
|
|
|
900526 |
+
|
|
|
900526 |
+ The authors would like to thank the following people who contributed
|
|
|
900526 |
+ to the design and documentation of this work item: Chris Evans,
|
|
|
900526 |
+ Stephen Farrell, Jeff Hodges, Paul Hoffman, Stephen Kent, Adam
|
|
|
900526 |
+ Langley, Ben Laurie, James Manager, Chris Palmer, Scott Schmit, Sean
|
|
|
900526 |
+ Turner, and Ben Wilson.
|
|
|
900526 |
+
|
|
|
900526 |
+9. References
|
|
|
900526 |
+
|
|
|
900526 |
+9.1. Normative References
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC1035] Mockapetris, P., "Domain names - implementation and
|
|
|
900526 |
+ specification", STD 13, RFC 1035, November 1987.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
|
|
900526 |
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
|
|
|
900526 |
+ Specification", RFC 2181, July 1997.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
|
|
|
900526 |
+ Rose, "DNS Security Introduction and Requirements",
|
|
|
900526 |
+ RFC 4033, March 2005.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
|
|
|
900526 |
+ Rose, "Resource Records for the DNS Security Extensions",
|
|
|
900526 |
+ RFC 4034, March 2005.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
|
|
|
900526 |
+ Rose, "Protocol Modifications for the DNS Security
|
|
|
900526 |
+ Extensions", RFC 4035, March 2005.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC5070] Danyliw, R., Meijer, J., and Y. Demchenko, "The Incident
|
|
|
900526 |
+ Object Description Exchange Format", RFC 5070,
|
|
|
900526 |
+ December 2007.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC5155] Laurie, B., Sisson, G., Arends, R., and D. Blacka, "DNS
|
|
|
900526 |
+ Security (DNSSEC) Hashed Authenticated Denial of
|
|
|
900526 |
+ Existence", RFC 5155, March 2008.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
|
|
|
900526 |
+ IANA Considerations Section in RFCs", BCP 26, RFC 5226,
|
|
|
900526 |
+ May 2008.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
|
|
|
900526 |
+ Specifications: ABNF", STD 68, RFC 5234, January 2008.
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 16]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
|
|
|
900526 |
+ Housley, R., and W. Polk, "Internet X.509 Public Key
|
|
|
900526 |
+ Infrastructure Certificate and Certificate Revocation List
|
|
|
900526 |
+ (CRL) Profile", RFC 5280, May 2008.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC6195] Eastlake, D., "Domain Name System (DNS) IANA
|
|
|
900526 |
+ Considerations", BCP 42, RFC 6195, March 2011.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC6546] Trammell, B., "Transport of Real-time Inter-network
|
|
|
900526 |
+ Defense (RID) Messages over HTTP/TLS", RFC 6546,
|
|
|
900526 |
+ April 2012.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
|
|
|
900526 |
+ of Named Entities (DANE) Transport Layer Security (TLS)
|
|
|
900526 |
+ Protocol: TLSA", RFC 6698, August 2012.
|
|
|
900526 |
+
|
|
|
900526 |
+ [STD13] Mockapetris, P., "Domain names - concepts and facilities",
|
|
|
900526 |
+ STD 13, RFC 1034, November 1987.
|
|
|
900526 |
+
|
|
|
900526 |
+ Mockapetris, P., "Domain names - implementation and
|
|
|
900526 |
+ specification", STD 13, RFC 1035, November 1987.
|
|
|
900526 |
+
|
|
|
900526 |
+ [X.509] International Telecommunication Union, "ITU-T
|
|
|
900526 |
+ Recommendation X.509 (11/2008): Information technology -
|
|
|
900526 |
+ Open systems interconnection - The Directory: Public-key
|
|
|
900526 |
+ and attribute certificate frameworks", ITU-T
|
|
|
900526 |
+ Recommendation X.509, November 2008.
|
|
|
900526 |
+
|
|
|
900526 |
+9.2. Informative References
|
|
|
900526 |
+
|
|
|
900526 |
+ [HB2011] Hallam-Baker, P., Stradling, R., and B. Laurie, "DNS
|
|
|
900526 |
+ Certification Authority Authorization (CAA) Resource
|
|
|
900526 |
+ Record", Work in Progress, May 2011.
|
|
|
900526 |
+
|
|
|
900526 |
+ [RFC3647] Chokhani, S., Ford, W., Sabett, R., Merrill, C., and S.
|
|
|
900526 |
+ Wu, "Internet X.509 Public Key Infrastructure Certificate
|
|
|
900526 |
+ Policy and Certification Practices Framework", RFC 3647,
|
|
|
900526 |
+ November 2003.
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 17]
|
|
|
900526 |
+
|
|
|
900526 |
+RFC 6844 Certification Authority Authorization January 2013
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Authors' Addresses
|
|
|
900526 |
+
|
|
|
900526 |
+ Phillip Hallam-Baker
|
|
|
900526 |
+ Comodo Group, Inc.
|
|
|
900526 |
+
|
|
|
900526 |
+ EMail: philliph@comodo.com
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+ Rob Stradling
|
|
|
900526 |
+ Comodo CA, Ltd.
|
|
|
900526 |
+
|
|
|
900526 |
+ EMail: rob.stradling@comodo.com
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+
|
|
|
900526 |
+Hallam-Baker & Stradling Standards Track [Page 18]
|
|
|
900526 |
+
|
|
|
900526 |
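--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -116,7 +116,7 @@ typedef struct dns_rdata_textctx {
 } dns_rdata_textctx_t;
 
 static isc_result_t
-txt_totext(isc_region_t *source, isc_buffer_t *target);
+txt_totext(isc_region_t *source, isc_boolean_t quote, isc_buffer_t *target);
 
 static isc_result_t
 txt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
@@ -130,9 +130,6 @@ multitxt_totext(isc_region_t *source, isc_buffer_t *target);
 static isc_result_t
 multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target);
 
-static isc_result_t
-multitxt_fromwire(isc_buffer_t *source, isc_buffer_t *target);
-
 static isc_boolean_t
 name_prefix(dns_name_t *name, dns_name_t *origin, dns_name_t *target);
 
@@ -1131,7 +1128,7 @@ name_length(dns_name_t *name) {
 }
 
 static isc_result_t
-txt_totext(isc_region_t *source, isc_buffer_t *target) {
+txt_totext(isc_region_t *source, isc_boolean_t quote, isc_buffer_t *target) {
 unsigned int tl;
 unsigned int n;
 unsigned char *sp;
@@ -1146,13 +1143,20 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
 n = *sp++;
 
 REQUIRE(n + 1 <= source->length);
+ if (n == 0U)
+ REQUIRE(quote == ISC_TRUE);
 
- if (tl < 1)
- return (ISC_R_NOSPACE);
- *tp++ = '"';
- tl--;
+ if (quote) {
+ if (tl < 1)
+ return (ISC_R_NOSPACE);
+ *tp++ = '"';
+ tl--;
+ }
 while (n--) {
- if (*sp < 0x20 || *sp >= 0x7f) {
+ /*
+ * \DDD space (0x20) if not quoting.
+ */
+ if (*sp < (quote ? 0x20 : 0x21) || *sp >= 0x7f) {
 if (tl < 4)
 return (ISC_R_NOSPACE);
 *tp++ = 0x5c;
@@ -1163,8 +1167,13 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
 tl -= 4;
 continue;
 }
- /* double quote, semi-colon, backslash */
- if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
+ /*
+ * Escape double quote, semi-colon, backslash.
+ * If we are not enclosing the string in double
+ * quotes also escape at sign.
+ */
+ if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c ||
+ (!quote && *sp == 0x40)) {
 if (tl < 2)
 return (ISC_R_NOSPACE);
 *tp++ = '\\';
@@ -1175,10 +1184,12 @@ txt_totext(isc_region_t *source, isc_buffer_t *target) {
 *tp++ = *sp++;
 tl--;
 }
- if (tl < 1)
- return (ISC_R_NOSPACE);
- *tp++ = '"';
- tl--;
+ if (quote) {
+ if (tl < 1)
+ return (ISC_R_NOSPACE);
+ *tp++ = '"';
+ tl--;
+ }
 isc_buffer_add(target, tp - (char *)region.base);
 isc_region_consume(source, *source->base + 1);
 return (ISC_R_SUCCESS);
@@ -1274,6 +1285,9 @@ txt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
 return (ISC_R_SUCCESS);
 }
 
+/*
+ * Conversion of TXT-like rdata fields without length limits.
+ */
 static isc_result_t
 multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
 unsigned int tl;
@@ -1292,9 +1306,8 @@ multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
 *tp++ = '"';
 tl--;
 do {
- n0 = n = *sp++;
-
- REQUIRE(n0 + 1 <= source->length);
+ n = source->length;
+ n0 = source->length - 1;
 
 while (n--) {
 if (*sp < 0x20 || *sp >= 0x7f) {
@@ -1346,17 +1359,11 @@ multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
 
 do {
 isc_buffer_availableregion(target, &tregion);
- t0 = tregion.base;
+ t0 = t = tregion.base;
 nrem = tregion.length;
 if (nrem < 1)
 return (ISC_R_NOSPACE);
- /* length byte */
- t = t0;
- nrem--;
- t++;
- /* 255 byte character-string slice */
- if (nrem > 255)
- nrem = 255;
+
 while (n != 0) {
 --n;
 c = (*s++) & 0xff;
@@ -1390,39 +1397,9 @@ multitxt_fromtext(isc_textregion_t *source, isc_buffer_t *target) {
 }
 if (escape)
 return (DNS_R_SYNTAX);
- *t0 = t - t0 - 1;
- isc_buffer_add(target, *t0 + 1);
- } while (n != 0);
- return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-multitxt_fromwire(isc_buffer_t *source, isc_buffer_t *target) {
- unsigned int n;
- isc_region_t sregion;
- isc_region_t tregion;
-
- isc_buffer_activeregion(source, &sregion);
- if (sregion.length == 0)
- return(ISC_R_UNEXPECTEDEND);
- n = 256U;
- do {
- if (n != 256U)
- return (DNS_R_SYNTAX);
- n = *sregion.base + 1;
- if (n > sregion.length)
- return (ISC_R_UNEXPECTEDEND);
 
- isc_buffer_availableregion(target, &tregion);
- if (n > tregion.length)
- return (ISC_R_NOSPACE);
-
- if (tregion.base != sregion.base)
- memcpy(tregion.base, sregion.base, n);
- isc_buffer_forward(source, n);
- isc_buffer_add(target, n);
- isc_buffer_activeregion(source, &sregion);
- } while (sregion.length != 0);
+ isc_buffer_add(target, t - t0);
+ } while (n != 0);
 return (ISC_R_SUCCESS);
 }
 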
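Review bot: The new `REQUIRE(quote == ISC_TRUE)` for n == 0 in txt_totext (hunk @@ -1146) makes a zero-length <character-string> printed in unquoted mode an assertion failure rather than an error return, so the unquoted path is only safe if every caller passing ISC_FALSE guarantees the string is non-empty at fromwire/fromtext time; no such caller is visible in this section. If that invariant is intended, state it at the check, e.g. `/* Unquoted output cannot represent an empty string; callers must reject one before the rdata exists. */`, otherwise return a result code (`if (n == 0U && !quote) return (DNS_R_SYNTAX);`) so malformed rdata cannot abort the process. In multitxt_totext (hunk @@ -1292) `n0 = source->length - 1;` wraps around when source->length is 0; whether the loop can be entered with an empty region depends on the function's prologue, which is outside the hunk, so a guard or a comment there would help. Every function touched here starts and ends outside its hunk.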
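diff --git a/lib/dns/rdata/generic/caa_257.c b/lib/dns/rdata/generic/caa_257.c
--- /dev/null
+++ b/lib/dns/rdata/generic/caa_257.c
@@ -0,0 +1,370 @@
+/*
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_CAA_257_C
+#define GENERIC_CAA_257_C 1
+
+#define RRTYPE_CAA_ATTRIBUTES (0)
+
+static unsigned char const alphanumeric[256] = {
+ /* 0x00-0x0f */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0x10-0x1f */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0x20-0x2f */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0x30-0x3f */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,
+ /* 0x40-0x4f */ 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x50-0x5f */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0,
+ /* 0x60-0x6f */ 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x70-0x7f */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0,
+ /* 0x80-0x8f */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0x90-0x9f */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0xa0-0xaf */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0xb0-0xbf */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0xc0-0xcf */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0xd0-0xdf */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0xe0-0xef */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ /* 0xf0-0xff */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+};
+
+static inline isc_result_t
+fromtext_caa(ARGS_FROMTEXT) {
+ isc_token_t token;
+ isc_textregion_t tr;
+ isc_uint8_t flags;
+ unsigned int i;
+
+ REQUIRE(type == 257);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(origin);
+ UNUSED(options);
+ UNUSED(callbacks);
+
+ /* Flags. */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+ ISC_FALSE));
+ if (token.value.as_ulong > 255U)
+ RETTOK(ISC_R_RANGE);
+ flags = token.value.as_ulong & 255U;
+ RETERR(uint8_tobuffer(flags, target));
+
+ /*
+ * Tag
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+ ISC_FALSE));
+ tr = token.value.as_textregion;
+ for (i = 0; i < tr.length; i++)
+ if (!alphanumeric[(unsigned char) tr.base[i]])
+ RETTOK(DNS_R_SYNTAX);
+ RETERR(uint8_tobuffer(tr.length, target));
+ RETERR(mem_tobuffer(target, tr.base, tr.length));
+
+ /*
+ * Value
+ */
+ RETERR(isc_lex_getmastertoken(lexer, &token,
+ isc_tokentype_qstring, ISC_FALSE));
+ if (token.type != isc_tokentype_qstring &&
+ token.type != isc_tokentype_string)
+ RETERR(DNS_R_SYNTAX);
+ RETERR(multitxt_fromtext(&token.value.as_textregion, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_caa(ARGS_TOTEXT) {
+ isc_region_t region;
+ isc_uint8_t flags;
+ char buf[256];
+
+ UNUSED(tctx);
+
+ REQUIRE(rdata->type == 257);
+ REQUIRE(rdata->length >= 3U);
+ REQUIRE(rdata->data != NULL);
+
+ dns_rdata_toregion(rdata, ®ion);
+
+ /*
+ * Flags
+ */
+ flags = uint8_consume_fromregion(®ion);
+ sprintf(buf, "%u ", flags);
+ RETERR(str_totext(buf, target));
+
+ /*
+ * Tag
+ */
+ RETERR(txt_totext(®ion, ISC_FALSE, target));
+ RETERR(str_totext(" ", target));
+
+ /*
+ * Value
+ */
+ RETERR(multitxt_totext(®ion, target));
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_caa(ARGS_FROMWIRE) {
+ isc_region_t sr;
+ unsigned int len, i;
+
+ REQUIRE(type == 257);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(dctx);
+ UNUSED(options);
+
+ /*
+ * Flags
+ */
+ isc_buffer_activeregion(source, &sr);
+ if (sr.length < 2)
+ return (ISC_R_UNEXPECTEDEND);
+
+ /*
+ * Flags, tag length
+ */
+ RETERR(mem_tobuffer(target, sr.base, 2));
+ len = sr.base[1];
+ isc_region_consume(&sr, 2);
+ isc_buffer_forward(source, 2);
+
+ /*
+ * Zero length tag fields are illegal.
+ */
+ if (sr.length < len || len == 0)
+ RETERR(DNS_R_FORMERR);
+
+ /* Check the Tag's value */
+ for (i = 0; i < len; i++)
+ if (!alphanumeric[sr.base[i]])
+ RETERR(DNS_R_FORMERR);
+ /*
+ * Tag + Value
+ */
+ isc_buffer_forward(source, sr.length);
+ return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_caa(ARGS_TOWIRE) {
+ isc_region_t region;
+
+ REQUIRE(rdata->type == 257);
+ REQUIRE(rdata->length >= 3U);
+ REQUIRE(rdata->data != NULL);
+
+ UNUSED(cctx);
+
+ dns_rdata_toregion(rdata, ®ion);
+ return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_caa(ARGS_COMPARE) {
+ isc_region_t r1, r2;
+
+ REQUIRE(rdata1->type == rdata2->type);
+ REQUIRE(rdata1->rdclass == rdata2->rdclass);
+ REQUIRE(rdata1->type == 257);
+ REQUIRE(rdata1->length >= 3U);
+ REQUIRE(rdata2->length >= 3U);
+ REQUIRE(rdata1->data != NULL);
+ REQUIRE(rdata2->data != NULL);
+
+ dns_rdata_toregion(rdata1, &r1;;
+ dns_rdata_toregion(rdata2, &r2;;
+ return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_caa(ARGS_FROMSTRUCT) {
+ dns_rdata_caa_t *caa = source;
+ isc_region_t region;
+ unsigned int i;
+
+ REQUIRE(type == 257);
+ REQUIRE(source != NULL);
+ REQUIRE(caa->common.rdtype == type);
+ REQUIRE(caa->common.rdclass == rdclass);
+ REQUIRE(caa->tag != NULL && caa->tag_len != 0);
+ REQUIRE(caa->value != NULL);
+
+ UNUSED(type);
+ UNUSED(rdclass);
+
+ /*
+ * Flags
+ */
+ RETERR(uint8_tobuffer(caa->flags, target));
+
+ /*
+ * Tag length
+ */
+ RETERR(uint8_tobuffer(caa->tag_len, target));
+
+ /*
+ * Tag
+ */
+ region.base = caa->tag;
+ region.length = caa->tag_len;
+ for (i = 0; i < region.length; i++)
+ if (!alphanumeric[region.base[i]])
+ RETERR(DNS_R_SYNTAX);
+ RETERR(isc_buffer_copyregion(target, ®ion));
+
+ /*
+ * Value
+ */
+ region.base = caa->value;
+ region.length = caa->value_len;
+ return (isc_buffer_copyregion(target, ®ion));
+}
+
+static inline isc_result_t
+tostruct_caa(ARGS_TOSTRUCT) {
+ dns_rdata_caa_t *caa = target;
+ isc_region_t sr;
+
+ REQUIRE(rdata->type == 257);
+ REQUIRE(target != NULL);
+ REQUIRE(rdata->length >= 3U);
+ REQUIRE(rdata->data != NULL);
+
+ caa->common.rdclass = rdata->rdclass;
+ caa->common.rdtype = rdata->type;
+ ISC_LINK_INIT(&caa->common, link);
+
+ dns_rdata_toregion(rdata, &sr);
+
+ /*
+ * Flags
+ */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ caa->flags = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /*
+ * Tag length
+ */
+ if (sr.length < 1)
+ return (ISC_R_UNEXPECTEDEND);
+ caa->tag_len = uint8_fromregion(&sr);
+ isc_region_consume(&sr, 1);
+
+ /*
+ * Tag
+ */
+ if (sr.length < caa->tag_len)
+ return (ISC_R_UNEXPECTEDEND);
+ caa->tag = mem_maybedup(mctx, sr.base, caa->tag_len);
+ if (caa->tag == NULL)
+ return (ISC_R_NOMEMORY);
+ isc_region_consume(&sr, caa->tag_len);
+
+ /*
+ * Value
+ */
+ caa->value_len = sr.length;
+ caa->value = mem_maybedup(mctx, sr.base, sr.length);
+ if (caa->value == NULL)
+ return (ISC_R_NOMEMORY);
+
+ caa->mctx = mctx;
+ return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_caa(ARGS_FREESTRUCT) {
+ dns_rdata_caa_t *caa = (dns_rdata_caa_t *) source;
+
+ REQUIRE(source != NULL);
+ REQUIRE(caa->common.rdtype == 257);
+
+ if (caa->mctx == NULL)
+ return;
+
+ if (caa->tag != NULL)
+ isc_mem_free(caa->mctx, caa->tag);
+ if (caa->value != NULL)
+ isc_mem_free(caa->mctx, caa->value);
+ caa->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_caa(ARGS_ADDLDATA) {
+ REQUIRE(rdata->type == 257);
+ REQUIRE(rdata->data != NULL);
+ REQUIRE(rdata->length >= 3U);
+
+ UNUSED(rdata);
+ UNUSED(add);
+ UNUSED(arg);
+
+ return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_caa(ARGS_DIGEST) {
+ isc_region_t r;
+
+ REQUIRE(rdata->type == 257);
+ REQUIRE(rdata->data != NULL);
+ REQUIRE(rdata->length >= 3U);
+
+ dns_rdata_toregion(rdata, &r);
+
+ return ((digest)(arg, &r);;
+}
+
+static inline isc_boolean_t
+checkowner_caa(ARGS_CHECKOWNER) {
+
+ REQUIRE(type == 257);
+
+ UNUSED(name);
+ UNUSED(type);
+ UNUSED(rdclass);
+ UNUSED(wildcard);
+
+ return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_caa(ARGS_CHECKNAMES) {
+
+ REQUIRE(rdata->type == 257);
+ REQUIRE(rdata->data != NULL);
+ REQUIRE(rdata->length >= 3U);
+
+ UNUSED(rdata);
+ UNUSED(owner);
+ UNUSED(bad);
+
+ return (ISC_TRUE);
+}
+
+static inline int
+casecompare_caa(ARGS_COMPARE) {
+ return (compare_caa(rdata1, rdata2));
+}
+
+#endif /* GENERIC_CAA_257_C */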
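Review bot: tostruct_caa leaks the tag copy when the value copy fails: `caa->tag` has already been duplicated from `mctx` by the first mem_maybedup, the second failure returns ISC_R_NOMEMORY before `caa->mctx` is assigned, and freestruct_caa's `if (caa->mctx == NULL) return;` then never frees it. The failure branch should release the tag with the same `isc_mem_free(mctx, caa->tag)` that freestruct_caa uses, guarded on `mctx != NULL`, since the early return in freestruct_caa implies that a NULL mctx means nothing was allocated. A second, separate defect in the same function: `caa->value_len = sr.length` stores the whole remaining RDATA length into the `isc_uint8_t value_len` field declared in caa_257.h, so a value longer than 255 octets is silently truncated in the struct and fromstruct_caa then writes back a shorter record than the one parsed; widening the field to `unsigned int` (and the `region.length = caa->value_len` use in fromstruct_caa follows) closes that. The rewritten error branch:

```c
	caa->value = mem_maybedup(mctx, sr.base, sr.length);
	if (caa->value == NULL) {
		/* tag was duplicated above; do not leak it on the OOM path */
		if (mctx != NULL)
			isc_mem_free(mctx, caa->tag);
		caa->tag = NULL;
		return (ISC_R_NOMEMORY);
	}
	/* … unchanged: caa->mctx = mctx; return (ISC_R_SUCCESS); … */
```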
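diff --git a/lib/dns/rdata/generic/caa_257.h b/lib/dns/rdata/generic/caa_257.h
--- /dev/null
+++ b/lib/dns/rdata/generic/caa_257.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_CAA_257_H
+#define GENERIC_CAA_257_H 1
+
+/* $Id$ */
+
+typedef struct dns_rdata_caa {
+ dns_rdatacommon_t common;
+ isc_mem_t * mctx;
+ isc_uint8_t flags;
+ unsigned char * tag;
+ isc_uint8_t tag_len;
+ unsigned char *value;
+ isc_uint8_t value_len;
+} dns_rdata_caa_t;
+
+#endif /* GENERIC_CAA_257_H */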
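Review bot: The new struct spells its pointer members three different ways — `isc_mem_t * mctx;`, `unsigned char * tag;` and `unsigned char *value;` — which reads as if the fields were added at different times; `isc_mem_t *mctx;` and `unsigned char *tag;` would match the `*value` form and the declarator-binds-to-the-name convention used in caa_257.c. The `/* $Id$ */` line under the include guard is an unexpanded RCS keyword that nothing in a git tree fills in, so in a newly created file it is only noise and can go. A one-line comment on the struct saying that `tag`/`value` are owned allocations iff `mctx` is non-NULL, e.g. `/* tag and value are allocated from mctx when mctx != NULL; see freestruct_caa */`, would document the ownership rule that freestruct_caa relies on.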
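diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
--- a/lib/dns/rdata/generic/gpos_27.c
+++ b/lib/dns/rdata/generic/gpos_27.c
@@ -61,7 +61,7 @@ totext_gpos(ARGS_TOTEXT) {
 dns_rdata_toregion(rdata, ®ion);
 
 for (i = 0; i < 3; i++) {
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 if (i != 2)
 RETERR(str_totext(" ", target));
 }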
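Review bot: Every converted call in this hunk — and the identical edits in hinfo_13.c, isdn_20.c, naptr_35.c, spf_99.c, txt_16.c and x25_19.c — passes a bare `ISC_TRUE` to txt_totext while totext_caa in caa_257.c passes `ISC_FALSE`, and nothing at the call sites says what the flag selects; txt_totext's new signature is not in this section, so I can only presume it controls whether the character-string is emitted quoted. A one-line comment at the first converted caller, e.g. `/* ISC_TRUE: keep the existing quoted output */` once that reading is confirmed against txt_totext, or a pair of named constants for the two modes, would make the intent visible to the next reader.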
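diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c
--- a/lib/dns/rdata/generic/hinfo_13.c
+++ b/lib/dns/rdata/generic/hinfo_13.c
@@ -58,9 +58,9 @@ totext_hinfo(ARGS_TOTEXT) {
 REQUIRE(rdata->length != 0);
 
 dns_rdata_toregion(rdata, ®ion);
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 RETERR(str_totext(" ", target));
- return (txt_totext(®ion, target));
+ return (txt_totext(®ion, ISC_TRUE, target));
 }
 
 static inline isc_result_t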
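diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
--- a/lib/dns/rdata/generic/isdn_20.c
+++ b/lib/dns/rdata/generic/isdn_20.c
@@ -65,11 +65,11 @@ totext_isdn(ARGS_TOTEXT) {
 UNUSED(tctx);
 
 dns_rdata_toregion(rdata, ®ion);
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 if (region.length == 0)
 return (ISC_R_SUCCESS);
 RETERR(str_totext(" ", target));
- return (txt_totext(®ion, target));
+ return (txt_totext(®ion, ISC_TRUE, target));
 }
 
 static inline isc_result_t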
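diff --git a/lib/dns/rdata/generic/naptr_35.c b/lib/dns/rdata/generic/naptr_35.c
--- a/lib/dns/rdata/generic/naptr_35.c
+++ b/lib/dns/rdata/generic/naptr_35.c
@@ -224,19 +224,19 @@ totext_naptr(ARGS_TOTEXT) {
 /*
 * Flags.
 */
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 RETERR(str_totext(" ", target));
 
 /*
 * Service.
 */
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 RETERR(str_totext(" ", target));
 
 /*
 * Regexp.
 */
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 RETERR(str_totext(" ", target));
 
 /*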
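diff --git a/lib/dns/rdata/generic/spf_99.c b/lib/dns/rdata/generic/spf_99.c
--- a/lib/dns/rdata/generic/spf_99.c
+++ b/lib/dns/rdata/generic/spf_99.c
@@ -64,7 +64,7 @@ totext_spf(ARGS_TOTEXT) {
 dns_rdata_toregion(rdata, ®ion);
 
 while (region.length > 0) {
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 if (region.length > 0)
 RETERR(str_totext(" ", target));
 }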
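diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c
--- a/lib/dns/rdata/generic/txt_16.c
+++ b/lib/dns/rdata/generic/txt_16.c
@@ -71,7 +71,7 @@ totext_txt(ARGS_TOTEXT) {
 dns_rdata_toregion(rdata, ®ion);
 
 while (region.length > 0) {
- RETERR(txt_totext(®ion, target));
+ RETERR(txt_totext(®ion, ISC_TRUE, target));
 if (region.length > 0)
 RETERR(str_totext(" ", target));
 }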
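diff --git a/lib/dns/rdata/generic/uri_256.c b/lib/dns/rdata/generic/uri_256.c
--- a/lib/dns/rdata/generic/uri_256.c
+++ b/lib/dns/rdata/generic/uri_256.c
@@ -115,15 +115,12 @@ fromwire_uri(ARGS_FROMWIRE) {
 isc_buffer_activeregion(source, ®ion);
 if (region.length < 4)
 return (ISC_R_UNEXPECTEDEND);
- RETERR(mem_tobuffer(target, region.base, 4));
- isc_buffer_forward(source, 4);
 
 /*
- * Target URI
+ * Priority, weight and target URI
 */
- RETERR(multitxt_fromwire(source, target));
-
- return (ISC_R_SUCCESS);
+ isc_buffer_forward(source, region.length);
+ return (mem_tobuffer(target, region.base, region.length));
 }
 
 static inline isc_result_t
@@ -178,8 +175,6 @@ compare_uri(ARGS_COMPARE) {
 static inline isc_result_t
 fromstruct_uri(ARGS_FROMSTRUCT) {
 dns_rdata_uri_t *uri = source;
- isc_region_t region;
- isc_uint8_t len;
 
 REQUIRE(type == 256);
 REQUIRE(source != NULL);
@@ -203,18 +198,6 @@ fromstruct_uri(ARGS_FROMSTRUCT) {
 /*
 * Target URI
 */
- len = 255U;
- region.base = uri->target;
- region.length = uri->tgt_len;
- while (region.length > 0) {
- REQUIRE(len == 255U);
- len = uint8_fromregion(®ion);
- isc_region_consume(®ion, 1);
- if (region.length < len)
- return (ISC_R_UNEXPECTEDEND);
- isc_region_consume(®ion, len);
- }
-
 return (mem_tobuffer(target, uri->target, uri->tgt_len));
 }
 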
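Review bot: After this change fromwire_uri accepts an RDATA of exactly four octets, i.e. priority and weight with an empty target, because the only length check left is `if (region.length < 4)`; the deleted multitxt_fromwire path rejected an empty active region with ISC_R_UNEXPECTEDEND, so this is a silent loosening of what the wire parser admits. If an empty Target is not meant to be representable — the REQUIREs in totext_uri/tostruct_uri are outside this section, so I cannot tell — reject it here with `if (region.length == 4) return (DNS_R_FORMERR);` right after the existing check; otherwise say in the comment that a zero-length target is accepted on purpose. The deletion of the length-prefix walk in fromstruct_uri is consistent with the new raw-bytes format, but fromstruct_uri's remaining preconditions are also outside the hunk.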
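diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
--- a/lib/dns/rdata/generic/x25_19.c
+++ b/lib/dns/rdata/generic/x25_19.c
@@ -60,7 +60,7 @@ totext_x25(ARGS_TOTEXT) {
 REQUIRE(rdata->length != 0);
 
 dns_rdata_toregion(rdata, ®ion);
- return (txt_totext(®ion, target));
+ return (txt_totext(®ion, ISC_TRUE, target));
 }
 
 static inline isc_result_t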
--
2.4.3