Lines Matching refs:Zone
23 A DNSSEC chain verifier can be in one of two states: entering a zone, or within a zone. Initially, the verifier is entering the root zone.
25 When entering a zone, the verifier reads the following structure:
44 If only a trusted key is needed within this zone, then the signature length MAY be zero, in which case |entryKey| MUST be 0 and |numKeys| MUST be 1.
46 After processing this data, the verifier trusts one or more keys for this zone.
48 When within a zone, the verifier reads the following structure:
55 |name| must be closer to the current target domain than the current zone. Here, 'closer' is defined as a greater number of matching labels when comparing right to left.
59 DS: this indicates a zone transition to a new zone named |name|. The verifier reads the following structure:
68 The verifier is now entering the named zone. It reads ahead, extracts the entry key from the zone entry data, synthesises a DS record for the given digest type and verifies the signature. It then enters the next zone.
86 This replaces the target domain with a new domain. The new domain is the target of the CNAME with _ssl prepended. The verifier is now in the zone that is the greatest common ancestor of the old and new target domains. (For example, when switching from _ssl.www.example.com to _ssl.www.example2.com, the verifier is now in com.)
170 struct DNSSECChainVerifier::Zone {
176 Zone* prev;
196 Zone* next;
197 for (Zone* cur = current_zone_; cur; cur = next) {
444 // start of a zone.
548 // EnterRoot enters the root zone at the beginning of the chain. This is
551 // for the root zone only, the keyid of the entry key is prepended to the data.
577 // EnterZone enters a new DNS zone. On entry it's assumed that the entry key
580 const base::StringPiece& zone) {
581 Zone* prev = current_zone_;
582 current_zone_ = new Zone;
584 current_zone_->name = zone;
585 current_zone_->matching_labels = MatchingLabels(target_, zone);
600 if (zone.size() == 1 && key.empty()) {
601 // If a key is omitted in the root zone then it's the root key.
609 if (!ReadDNSKEYs(&dnskeys, zone.size() == 1))
620 zone, zone, sig, kDNS_DNSKEY, dnskeys)) {
634 // LeaveZone transitions out of the current zone, either by following DS
635 // records to validate the entry key of the next zone, or because the final
669 // If we are transitioning to another zone then the next zone must be
670 // 'closer' to the target than the current zone.
691 // We unwind the zones until the current zone is a (non-strict) subset of
695 Zone* prev = current_zone_->prev;
713 // omitted are calculated from the entry key of the next zone.