| Copyright | (c) Viktor Dukhovni 2026 |
|---|---|
| License | BSD-3-Clause |
| Maintainer | ietf-dane@dukhovni.org |
| Stability | unstable |
| Safe Haskell | None |
| Language | GHC2024 |
Net.DNSBase.RData.NSEC
Description
DNSSEC denial-of-existence machinery. T_nsec (RFC 4034) names
the next existing owner in canonical order alongside a bitmap of
present RR types at the proving name. T_nsec3 (RFC 5155) is
the hashed variant, where the next-name pointer is the hashed
owner. T_nsec3param (RFC 5155) carries the zone-wide NSEC3
hashing parameters at the zone apex. T_nxt (RFC 2535) is the
obsolete predecessor of NSEC, defined here for compatibility
with archival zone data.
Synopsis
- data T_nsec = T_NSEC {}
- data T_nsec3 = T_NSEC3 {}
- data T_nsec3param = T_NSEC3PARAM {}
- data NsecTypes
- nsecTypesFromList :: [RRTYPE] -> NsecTypes
- nsecTypesToList :: NsecTypes -> [RRTYPE]
- hasRRtype :: RRTYPE -> NsecTypes -> Bool
- data T_nxt = T_NXT {}
- data NxtTypes
- data NxtRRtype
- toNxtTypes :: NonEmpty RRTYPE -> NxtTypes
- nxtTypesFromNE :: NonEmpty NxtRRtype -> NxtTypes
- nxtTypesToNE :: NxtTypes -> NonEmpty NxtRRtype
- hasNxtRRtype :: RRTYPE -> NxtTypes -> Bool
- module Net.DNSBase.NonEmpty
NSEC, NSEC3, and NSEC Type Bitmap structures
data T_nsec

The NSEC resource record (RFC 4034 section 4) — the building block of authenticated denial of existence: a Domain naming the next existing owner in the zone's canonical order, plus an NsecTypes bitmap of RR types present at the proving name.
The next-owner-name field is not subject to wire-form name compression (RFC 3597 section 4) and is not lower-cased when computing canonical wire form (RFC 6840 section 5.1).
See T_nsec3 for the hashed-name variant.
Instances (defined in Net.DNSBase.RData.NSEC)
- Presentable T_nsec: present :: T_nsec -> Builder -> Builder; presentLazy :: T_nsec -> ByteString -> ByteString
- KnownRData T_nsec: rdataExtensionVal :: forall b -> b ~ T_nsec => RDataExtensionVal T_nsec; rdType :: forall b -> b ~ T_nsec => RRTYPE; rdTypePres :: forall b -> b ~ T_nsec => Builder -> Builder; rdDecode :: forall b -> b ~ T_nsec => RDataExtensionVal T_nsec -> Int -> SGet RData
- Show T_nsec
- Eq T_nsec
- Ord T_nsec
- type RDataExtensionVal T_nsec
data T_nsec3

The NSEC3 resource record (RFC 5155 section 3.2) — the hashed denial-of-existence variant. The next-owner-name field carries the hashed equivalent rather than the plain name, and the record itself includes the hashing parameters (algorithm, flags, iteration count, salt) needed to reproduce the hash. The trailing NsecTypes bitmap names the RR types present at the proving (un-hashed) name.

```
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Hash Alg.   |     Flags     |          Iterations           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Salt Length  |                     Salt                      /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Hash Length  |             Next Hashed Owner Name            /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                         Type Bit Maps                         /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

The Ord instance compares the fields in wire-encoding order, using dnsTextCmp on the length-prefixed salt and hashed-name bytes, so it agrees with the canonical RR-content ordering of RFC 4034 section 6.2.

See T_nsec for the un-hashed variant and T_nsec3param for the zone-apex parameter record.

Constructors
- T_NSEC3
Fields
Instances (defined in Net.DNSBase.RData.NSEC)
- Presentable T_nsec3: present :: T_nsec3 -> Builder -> Builder; presentLazy :: T_nsec3 -> ByteString -> ByteString
- KnownRData T_nsec3: rdataExtensionVal :: forall b -> b ~ T_nsec3 => RDataExtensionVal T_nsec3; rdType :: forall b -> b ~ T_nsec3 => RRTYPE; rdTypePres :: forall b -> b ~ T_nsec3 => Builder -> Builder; rdDecode :: forall b -> b ~ T_nsec3 => RDataExtensionVal T_nsec3 -> Int -> SGet RData
- Show T_nsec3
- Eq T_nsec3
- Ord T_nsec3
- type RDataExtensionVal T_nsec3
data T_nsec3param

The NSEC3PARAM resource record (RFC 5155 section 4.2) — a zone-apex record describing the NSEC3 hashing parameters (algorithm, iteration count, salt) in use across the zone's NSEC3 chain. Validating resolvers do not consult this record (each T_nsec3 carries its own parameters in the RDATA); it exists for authoritative-server tooling.

```
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Hash Alg.   |     Flags     |          Iterations           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Salt Length  |                     Salt                      /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```
(Editorial: the salt and iteration count were largely a bad idea in retrospect; best practice for zone signers is to set the salt empty and the iteration count to zero.)
See T_nsec3 for the records produced under these parameters.
Constructors
- T_NSEC3PARAM
Fields
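To make the NSEC3 and NSEC3PARAM wire layouts above concrete, here is an added example written for this page in Python (it is not Net.DNSBase code and does not mirror its API): it parses the shared parameter prefix and the NSEC3-only hash and bitmap fields, computes the RFC 5155 section 5 owner-name hash with SHA-1 (algorithm 1, the only registered value), and checks a parameter set against the empty-salt, zero-iteration guidance stated in the editorial note. The sample RDATA bytes, the type names and the helper functions are all constructed here for the demonstration; the type bitmap field is carried as opaque bytes.

```python
"""Added example for this page: NSEC3 / NSEC3PARAM RDATA parsing and the
RFC 5155 section 5 hash. Illustrative code, not the Net.DNSBase library."""

import base64
import hashlib
from dataclasses import dataclass

SHA1 = 1  # NSEC3 hash algorithm 1 (RFC 5155 section 11), 20-octet digests

# Base32hex (RFC 4648 section 7) is plain base32 with a different alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


@dataclass(frozen=True)
class Nsec3Param:          # hypothetical name, constructed for this example
    algorithm: int
    flags: int
    iterations: int
    salt: bytes


@dataclass(frozen=True)
class Nsec3:               # hypothetical name, constructed for this example
    params: Nsec3Param
    next_hashed_owner: bytes   # raw digest (20 octets for SHA-1)
    type_bitmaps: bytes        # RFC 4034 section 4.1.2 wire form, left opaque


def _parse_params(data: bytes):
    """Prefix shared by NSEC3 and NSEC3PARAM: alg, flags, iterations, salt."""
    if len(data) < 5:
        raise ValueError("RDATA shorter than alg/flags/iterations/salt-length")
    alg, flags = data[0], data[1]
    iterations = int.from_bytes(data[2:4], "big")
    salt_len = data[4]
    salt = data[5:5 + salt_len]
    if len(salt) != salt_len:
        raise ValueError("truncated salt")
    return Nsec3Param(alg, flags, iterations, salt), 5 + salt_len


def parse_nsec3param(data: bytes) -> Nsec3Param:
    params, end = _parse_params(data)
    if end != len(data):
        raise ValueError("trailing octets after NSEC3PARAM salt")
    return params


def parse_nsec3(data: bytes) -> Nsec3:
    params, pos = _parse_params(data)
    if pos >= len(data):
        raise ValueError("missing hash length")
    hash_len = data[pos]
    nxt = data[pos + 1:pos + 1 + hash_len]
    if len(nxt) != hash_len:
        raise ValueError("truncated next hashed owner name")
    if params.algorithm == SHA1 and hash_len != 20:
        raise ValueError("SHA-1 NSEC3 hash must be 20 octets")
    return Nsec3(params, nxt, data[pos + 1 + hash_len:])


def canonical_wire_name(name: str) -> bytes:
    """Uncompressed, lower-cased wire form (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:              # the root name "." has no labels
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, params: Nsec3Param) -> bytes:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    if params.algorithm != SHA1:
        raise ValueError(f"unsupported NSEC3 hash algorithm {params.algorithm}")
    digest = hashlib.sha1(canonical_wire_name(name) + params.salt).digest()
    for _ in range(params.iterations):
        digest = hashlib.sha1(digest + params.salt).digest()
    return digest


def hashed_owner_label(name: str, params: Nsec3Param) -> str:
    """Presentation form of the hash: unpadded lower-case base32hex."""
    b32 = base64.b32encode(nsec3_hash(name, params)).decode("ascii")
    return b32.translate(_B32_TO_B32HEX).rstrip("=").lower()


def follows_signer_best_practice(params: Nsec3Param) -> bool:
    """Empty salt and zero iterations, as the page's editorial note recommends."""
    return params.salt == b"" and params.iterations == 0


# Constructed sample RDATA (not captured from any real zone).
SAMPLE_NSEC3PARAM = bytes.fromhex("0101000c04aabbccdd")        # alg 1, flags 1, 12 iters, salt aabbccdd
SAMPLE_NSEC3 = bytes.fromhex("0100000000" + "14" + "01" * 20 + "000140")  # no salt, fake hash, bitmap {A}

if __name__ == "__main__":
    print(parse_nsec3param(SAMPLE_NSEC3PARAM))
    print(parse_nsec3(SAMPLE_NSEC3))
    print(hashed_owner_label("example.", parse_nsec3param(SAMPLE_NSEC3PARAM)))
```

The hash loop is the reason the iteration count is a cost lever for resolvers as well as signers: every NSEC3 record a validator checks costs one hash of the queried name plus one extra SHA-1 per iteration, which is why the editorial note above prefers zero.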
Instances

data NsecTypes

Abstract representation of a set of RRTYPE codepoints, stored as the window-based wire-format bitmap from RFC 4034 section 4.1.2. Used by T_nsec, T_nsec3, and T_csync to carry the set of types present at the owner name.

An NsecTypes may legitimately be empty -- this is the expected encoding for an NSEC3 empty-non-terminal. With NSEC, the type bitmap is expected to include at least the NSEC type itself; that invariant is not enforced by the type.

Construction and enumeration go through IsList:

- fromList tys :: NsecTypes builds the bitmap from a list of RRTYPE values; duplicates are merged and the wire-form ordering is canonical regardless of input order. Under OverloadedLists the same input shape is just [A, AAAA, MX].
- toList bm :: [RRTYPE] enumerates the contained types in ascending wire-form order.
- (<>) unions two bitmaps; mempty is the empty bitmap.

For membership without enumerating the whole set, use hasRRtype, which goes directly to the relevant window, block and bit offset.
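The window-block encoding described above, as an added example written for this page in Python rather than the library's Haskell (it is not Net.DNSBase code and does not reproduce its API): RR types are plain integers, the handful of type codes named are their IANA assignments, and the input list is constructed for the demonstration. It shows the canonical ordering and duplicate merging on encode, the shape checks a decoder should enforce (block length 1..32, ascending windows, no trailing zero octet), and a direct window/octet/bit membership test in the role hasRRtype plays.

```python
"""Added example for this page: the RFC 4034 section 4.1.2 type bitmap.
Illustrative code, not the Net.DNSBase implementation."""

from typing import Iterable, List

# IANA RR type codes used below (constructed constants for the example).
A, NS, MX, AAAA, RRSIG, NSEC, CAA = 1, 2, 15, 28, 46, 47, 257


def encode_type_bitmap(types: Iterable[int]) -> bytes:
    """Encode a set of RR type codes as NSEC/NSEC3 "Type Bit Maps" wire data.

    Duplicates collapse and output order is canonical regardless of input
    order: windows ascend, each window's bitmap is trimmed of trailing zero
    octets (so it is 1..32 octets long), and empty windows are omitted.
    """
    windows = {}
    for t in set(types):
        if not 0 <= t <= 0xFFFF:
            raise ValueError(f"RR type out of range: {t}")
        win, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low >> 3] |= 0x80 >> (low & 7)      # bit 0 is the MSB
    out = bytearray()
    for win in sorted(windows):
        bitmap = bytes(windows[win]).rstrip(b"\x00")
        if bitmap:                                  # at least one type in window
            out += bytes((win, len(bitmap))) + bitmap
    return bytes(out)


def decode_type_bitmap(data: bytes) -> List[int]:
    """Parse wire-form type bitmaps into an ascending list of type codes.

    Rejects the shapes RFC 4034 forbids: truncated blocks, bitmap lengths
    outside 1..32, non-ascending windows and a trailing zero octet.
    """
    types, pos, last_win = [], 0, -1
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated window block header")
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32:
            raise ValueError(f"bitmap length {length} outside 1..32")
        if win <= last_win:
            raise ValueError("window blocks must be strictly ascending")
        bitmap = data[pos + 2:pos + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        if bitmap[-1] == 0:
            raise ValueError("trailing zero octet in bitmap is not allowed")
        for byte_index, byte in enumerate(bitmap):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.append((win << 8) | (byte_index << 3) | bit)
        last_win, pos = win, pos + 2 + length
    return types


def has_rrtype(rrtype: int, data: bytes) -> bool:
    """Membership test that jumps to the window, octet and bit for one type
    instead of enumerating the whole set (the job hasRRtype does on this page)."""
    win, low = rrtype >> 8, rrtype & 0xFF
    pos = 0
    while pos + 2 <= len(data):
        w, length = data[pos], data[pos + 1]
        if w == win:
            idx = low >> 3
            return idx < length and bool(data[pos + 2 + idx] & (0x80 >> (low & 7)))
        if w > win:          # windows ascend, so the target window is absent
            return False
        pos += 2 + length
    return False


def nsec3_empty_non_terminal_bitmap() -> bytes:
    """An NSEC3 empty non-terminal carries an empty bitmap: zero window blocks."""
    return encode_type_bitmap([])


if __name__ == "__main__":
    wire = encode_type_bitmap([AAAA, A, MX, A, NSEC, RRSIG, CAA])   # constructed input
    print(wire.hex())
    print(decode_type_bitmap(wire))
    print(has_rrtype(MX, wire), has_rrtype(NS, wire))
```

The decoder is deliberately strict: a lenient parser that tolerates trailing zero octets or out-of-order windows would accept two different encodings of the same set, and canonical-form comparison (which the page's Ord instances rely on) only works when there is exactly one.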
Instances (defined in Net.DNSBase.NsecTypes)
- Presentable NsecTypes: presentation form is the contained types in canonical wire-form order, space-separated, with no leading separator. The empty bitmap renders as the empty string. When the bitmap follows another field in an RR's presentation form, compose with
  present :: NsecTypes -> Builder -> Builder; presentLazy :: NsecTypes -> ByteString -> ByteString
- Semigroup NsecTypes
- IsList NsecTypes: construction is via fromList
- Show NsecTypes
- Eq NsecTypes
- Ord NsecTypes
- type Item NsecTypes
nsecTypesFromList :: [RRTYPE] -> NsecTypes
Construct the per-window bitmaps from a list of types.
hasRRtype :: RRTYPE -> NsecTypes -> Bool
Efficient NSEC/NSEC3 type bitmap membership predicate.
Obsolete NXT structure
data T_nxt

The NXT resource record (RFC 2535 section 5.2) — the obsolete predecessor of T_nsec, defined here for compatibility with archival DNSSEC zone data. Same conceptual shape as NSEC (next owner name + type bitmap) but with a different type-bitmap encoding.

```
                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       next domain name                        /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         type bit map                          /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
```

The domain name is wire-form name-compressed on decode only (RFC 3597 section 4) and canonicalises to lower case (RFC 4034 section 6.2).

The Eq and Ord instances compare the domain field in canonical wire form (via equalWireHost / compareWireHost) and the type bitmap byte-wise.

See T_nsec for the modern replacement.
Instances (defined in Net.DNSBase.RData.NSEC)
- Presentable T_nxt: present :: T_nxt -> Builder -> Builder; presentLazy :: T_nxt -> ByteString -> ByteString
- KnownRData T_nxt: rdataExtensionVal :: forall b -> b ~ T_nxt => RDataExtensionVal T_nxt; rdType :: forall b -> b ~ T_nxt => RRTYPE; rdTypePres :: forall b -> b ~ T_nxt => Builder -> Builder; rdDecode :: forall b -> b ~ T_nxt => RDataExtensionVal T_nxt -> Int -> SGet RData
- Show T_nxt
- Eq T_nxt
- Ord T_nxt
- type RDataExtensionVal T_nxt
data NxtTypes

Instances (defined in Net.DNSBase.NsecTypes)
- Presentable NxtTypes: present :: NxtTypes -> Builder -> Builder; presentLazy :: NxtTypes -> ByteString -> ByteString
- IsNonEmptyList NxtTypes
- Semigroup NxtTypes: concatenation va
- Show NxtTypes
- Eq NxtTypes
- Ord NxtTypes
- type Item1 NxtTypes
data NxtRRtype

An RRtype representable in an NXT RR bitmap.

Instances (defined in Net.DNSBase.NsecTypes)
- Presentable NxtRRtype: present :: NxtRRtype -> Builder -> Builder; presentLazy :: NxtRRtype -> ByteString -> ByteString
- Bounded NxtRRtype
- Enum NxtRRtype: succ :: NxtRRtype -> NxtRRtype; pred :: NxtRRtype -> NxtRRtype; fromEnum :: NxtRRtype -> Int; enumFrom :: NxtRRtype -> [NxtRRtype]; enumFromThen :: NxtRRtype -> NxtRRtype -> [NxtRRtype]; enumFromTo :: NxtRRtype -> NxtRRtype -> [NxtRRtype]; enumFromThenTo :: NxtRRtype -> NxtRRtype -> NxtRRtype -> [NxtRRtype]
- Show NxtRRtype
- Eq NxtRRtype
- Ord NxtRRtype
nxtTypesFromNE :: NonEmpty NxtRRtype -> NxtTypes
Construct the bitmap from a non-empty list of types.
module Net.DNSBase.NonEmpty