NLnetLabs · ximon18 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024 · Dec 5, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -21,6 +21,7 @@ name = "domain"
 path = "src/lib.rs"
 
 [dependencies]
+arbitrary      = { version = "1.4.1", optional = true, features = ["derive"] }
 octseq         = { version = "0.5.2", default-features = false }
 time           = { version = "0.3.1", default-features = false }
 rand           = { version = "0.8", optional = true }

diff --git a/src/base/iana/macros.rs b/src/base/iana/macros.rs
@@ -13,6 +13,7 @@ macro_rules! int_enum {
                                         $value:expr, $mnemonic:expr) )* ) => {
         $(#[$attr])*
         #[derive(Clone, Copy, Eq, Hash, Ord, PartialEq, PartialOrd)]
+        #[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
         pub struct $ianatype($inttype);
 
         impl $ianatype {

diff --git a/src/base/name/absolute.rs b/src/base/name/absolute.rs
@@ -50,6 +50,7 @@ use std::vec::Vec;
 /// [`Display`]: std::fmt::Display
 #[derive(Clone)]
 #[repr(transparent)]
+#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 pub struct Name<Octs: ?Sized>(Octs);
 
 impl Name<()> {

diff --git a/src/rdata/dnssec.rs b/src/rdata/dnssec.rs
@@ -2169,6 +2169,11 @@ impl<Octs: AsRef<[u8]>> RtypeBitmap<Octs> {
     ) -> Result<(), Target::AppendError> {
         target.append_slice(self.0.as_ref())
     }
+
+    #[must_use]
+    pub fn is_empty(&self) -> bool {
+        self.iter().next().is_none()
+    }
 }
 
 //--- AsRef

diff --git a/src/rdata/nsec3.rs b/src/rdata/nsec3.rs
@@ -102,6 +102,10 @@ impl<Octs> Nsec3<Octs> {
         &self.next_owner
     }
 
+    pub fn set_next_owner(&mut self, next_owner: OwnerHash<Octs>) {
+        self.next_owner = next_owner;
+    }
+
     pub fn types(&self) -> &RtypeBitmap<Octs> {
         &self.types
     }
@@ -354,7 +358,10 @@ impl<Octs: AsRef<[u8]>> fmt::Display for Nsec3<Octs> {
             self.hash_algorithm, self.flags, self.iterations, self.salt
         )?;
         base32::display_hex(&self.next_owner, f)?;
-        write!(f, " {}", self.types)
+        if !self.types.is_empty() {
+            write!(f, " {}", self.types)?;
+        }
+        Ok(())
     }
 }
 
@@ -453,6 +460,10 @@ impl<Octs> Nsec3param<Octs> {
         &self.salt
     }
 
+    pub fn into_salt(self) -> Nsec3Salt<Octs> {
+        self.salt
+    }
+
     pub(super) fn convert_octets<Target>(
         self,
     ) -> Result<Nsec3param<Target>, Target::Error>
@@ -496,6 +507,35 @@ impl<Octs> Nsec3param<Octs> {
     }
 }
 
+//--- Default
+
+impl<Octs> Default for Nsec3param<Octs>
+where
+    Octs: From<&'static [u8]>,
+{
+    /// Best practice default values for NSEC3 hashing.
+    ///
+    /// Per [RFC 9276] section 3.1:
+    ///
+    /// - _SHA-1, no extra iterations, empty salt._
+    ///
+    /// Per [RFC 5155] section 4.1.2:
+    ///
+    /// - _The Opt-Out flag is not used and is set to zero._
+    /// - _All other flags are reserved for future use, and must be zero._
+    ///
+    /// [RFC 5155]: https://www.rfc-editor.org/rfc/rfc5155.html
+    /// [RFC 9276]: https://www.rfc-editor.org/rfc/rfc9276.html
+    fn default() -> Self {
+        Self {
+            hash_algorithm: Nsec3HashAlg::SHA1,
+            flags: 0,
+            iterations: 0,
+            salt: Nsec3Salt::empty(),
+        }
+    }
+}
+
 //--- OctetsFrom
 
 impl<Octs, SrcOcts> OctetsFrom<Nsec3param<SrcOcts>> for Nsec3param<Octs>
@@ -712,6 +752,7 @@ impl<Octs: AsRef<[u8]>> ZonefileFmt for Nsec3param<Octs> {
 /// no whitespace allowed.
 #[derive(Clone)]
 #[repr(transparent)]
+#[cfg_attr(feature = "arbitrary", derive(arbitrary::Arbitrary))]
 pub struct Nsec3Salt<Octs: ?Sized>(Octs);
 
 impl Nsec3Salt<()> {

diff --git a/src/sign/mod.rs b/src/sign/mod.rs
@@ -126,6 +126,7 @@ pub use self::bytes::{RsaSecretKeyBytes, SecretKeyBytes};
 
 pub mod common;
 pub mod openssl;
+pub mod records;
 pub mod ring;
 
 //----------- SigningKey -----------------------------------------------------