net: add embedded DNSSEC chain support.

Now that the DNS root is signed we have a good trust path in several
TLDs (including .org). This patch enables self-signed certificates to
include a DNSSEC chain as an extension which proves a CERT record,
containing the fingerprint of the public key.

The format of the chain is still undecided, so this is only enabled
with --enable-dnssec-certs.

BUG=none
TEST=net_unittests

http://codereview.chromium.org/2806076

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@55771 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 12 insertions, 1 deletions

diff --git a/net/base/dns_util.h b/net/base/dns_util.h
index 88c48a8..78dca47 100644
--- a/net/base/dns_util.h
+++ b/net/base/dns_util.h
@@ -30,10 +30,21 @@ std::string TrimEndingDot(const std::string& host);
 // http://www.iana.org/assignments/dns-parameters
 
 static const uint16 kDNS_TXT = 16;
-static const uint16 kDNS_RRSIG = 46;
 static const uint16 kDNS_CERT = 37;
+static const uint16 kDNS_DS = 43;
+static const uint16 kDNS_RRSIG = 46;
+static const uint16 kDNS_DNSKEY = 48;
 static const uint16 kDNS_ANY = 0xff;
 
+// http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml
+static const uint8 kDNSSEC_RSA_SHA1 = 5;
+static const uint8 kDNSSEC_RSA_SHA1_NSEC3 = 7;
+static const uint8 kDNSSEC_RSA_SHA256 = 8;
+
+// RFC 4509
+static const uint8 kDNSSEC_SHA1 = 1;
+static const uint8 kDNSSEC_SHA256 = 2;
+
 }  // namespace net
 
 #endif  // NET_BASE_DNS_UTIL_H_