dnssec_prover/lib.rs
1//! The DNS provides a single, global, hierarchical namespace with (when DNSSEC is used)
2//! cryptographic guarantees on all of its data.
3//!
4//! This makes it incredibly powerful for resolving human-readable names into arbitrary, secured
5//! data.
6//!
7//! Unlike TLS, this cryptographic security provides transferable proofs which can convince an
8//! offline device, using simple cryptographic primitives and a single root trusted key, of the
9//! validity of DNS data.
10//!
11//! This crate implements the creation and validation of such proofs, using the format from RFC
12//! 9102 to create transferable proofs of DNS entries.
13//!
14//! It is no-std (but requires `alloc`) and seeks to have minimal dependencies and a reasonably
15//! conservative MSRV policy, allowing it to be used in as many places as possible.
16//!
17//! Most of the crate's logic is feature-gated, and *all dependencies are optional*:
18//! * By default, the `validation` feature is set, allowing to validate DNSSEC signatures and
19//! proofs using the [`validation`] module.
20//! * The `std` feature enables the [`query`] module, allowing for the building of proofs by
21//! querying a recursive resolver over TCP.
22//! * The `tokio` feature further enables async versions of the [`query`] methods, doing the same
23//! querying async using `tokio`'s TCP streams.
24//! * Finally, the crate can be built as a binary using the `build_server` feature, responding to
25//! queries over HTTP GET calls to `/dnssecproof?d=domain.name.&t=RecordType` with DNSSEC
26//! proofs.
27//!
28//! The `slower_smaller_binary` feature slows proof validation down by 50%+ for a very marginal
29//! reduction in binary size, but those who are extremely binary size constrained may still find it
30//! useful.
31
32#![deny(missing_docs)]
33#![deny(rustdoc::broken_intra_doc_links)]
34#![deny(rustdoc::private_intra_doc_links)]
35
36#![allow(clippy::new_without_default)] // why is this even a lint
37#![allow(clippy::result_unit_err)] // Why in the hell is this a lint?
38#![allow(clippy::get_first)] // Sometimes this improves readability
39#![allow(clippy::needless_lifetimes)] // lifetimes improve readability
40#![allow(clippy::needless_borrow)] // borrows indicate read-only/non-move
41#![allow(clippy::too_many_arguments)] // sometimes we don't have an option
42#![allow(clippy::identity_op)] // sometimes identities improve readability for repeated actions
43#![allow(clippy::erasing_op)] // sometimes identities improve readability for repeated actions
44
45#![cfg_attr(not(feature = "std"), no_std)]
46extern crate alloc;
47
48/// The maximum number of requests we will make when building a proof or the maximum number of
49/// [`rr::RRSig`] sets we'll validate records from when validating proofs.
50// Note that this is duplicated exactly in src/http.rs
51pub const MAX_PROOF_STEPS: usize = 20;
52
53#[cfg(feature = "validation")]
54mod base32;
55
56#[cfg(feature = "validation")]
57pub(crate) mod unhex;
58
59#[cfg(all(feature = "validation", any(dnssec_prover_fuzzing, dnssec_validate_bench)))]
60pub mod crypto;
61#[cfg(all(feature = "validation", not(any(dnssec_prover_fuzzing, dnssec_validate_bench))))]
62mod crypto;
63
64pub mod rr;
65pub mod ser;
66pub mod query;
67
68#[cfg(feature = "validation")]
69pub mod validation;
70
71#[cfg(all(feature = "std", feature = "validation", test))]
72mod test;