Remove NsecToNsec3TransitionState, Nsec3ToNsecTransitionState,

TransitioningNsecToNsec3, and TransitioningNsec3ToNsec.
NLnetLabs · Feb 6, 2025 · 21cb3a8 · 21cb3a8
1 parent c2037fe
commit 21cb3a8
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 98 deletions.
diff --git a/src/dnssec/sign/denial/config.rs b/src/dnssec/sign/denial/config.rs
@@ -1,7 +1,5 @@
 use core::convert::From;
 
-use std::vec::Vec;
-
 use super::nsec::GenerateNsecConfig;
 use super::nsec3::{
     GenerateNsec3Config, Nsec3HashProvider, OnDemandNsec3HashProvider,
@@ -10,63 +8,6 @@ use crate::base::{Name, ToName};
 use crate::dnssec::sign::records::DefaultSorter;
 use octseq::{EmptyBuilder, FromBuilder};
 
-//------------ NsecToNsec3TransitionState ------------------------------------
-
-/// The current state of an RFC 5155 section 10.4 NSEC to NSEC3 transition.
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
-pub enum NsecToNsec3TransitionState {
-    /// 1.  Transition all DNSKEYs to DNSKEYs using the algorithm aliases
-    ///     described in Section 2.  The actual method for safely and securely
-    ///     changing the DNSKEY RRSet of the zone is outside the scope of this
-    ///     specification.  However, the end result MUST be that all DS RRs in
-    ///     the parent use the specified algorithm aliases.
-    ///
-    ///     After this transition is complete, all NSEC3-unaware clients will
-    ///     treat the zone as insecure.  At this point, the authoritative
-    ///     server still returns negative and wildcard responses that contain
-    ///     NSEC RRs.
-    TransitioningDnskeys,
-
-    /// 2.  Add signed NSEC3 RRs to the zone, either incrementally or all at
-    ///     once.  If adding incrementally, then the last RRSet added MUST be
-    ///     the NSEC3PARAM RRSet.
-    ///
-    /// 3.  Upon the addition of the NSEC3PARAM RRSet, the server switches to
-    ///     serving negative and wildcard responses with NSEC3 RRs according
-    ///     to this specification.
-    AddingNsec3Records,
-
-    /// 4.  Remove the NSEC RRs either incrementally or all at once.
-    RemovingNsecRecords,
-
-    /// 5. Done.
-    Transitioned,
-}
-
-//------------ Nsec3ToNsecTransitionState ------------------------------------
-
-/// The current state of an RFC 5155 section 10.5 NSEC3 to NSEC transition.
-#[derive(Copy, Clone, Debug, Eq, PartialEq)]
-pub enum Nsec3ToNsecTransitionState {
-    /// 1.  Add NSEC RRs incrementally or all at once.
-    AddingNsecRecords,
-
-    /// 2.  Remove the NSEC3PARAM RRSet.  This will signal the server to use
-    ///     the NSEC RRs for negative and wildcard responses.
-    RemovingNsec3ParamRecord,
-
-    /// 3.  Remove the NSEC3 RRs either incrementally or all at once.
-    RemovingNsec3Records,
-
-    /// 4. Transition all of the DNSKEYs to DNSSEC algorithm identifiers.
-    ///    After this transition is complete, all NSEC3-unaware clients will
-    ///    treat the zone as secure.
-    TransitioningDnskeys,
-
-    /// 5. Done.
-    Transitioned,
-}
-
 //------------ DenialConfig --------------------------------------------------
 
 /// Authenticated denial of existence configuration for a DNSSEC signed zone.
@@ -112,24 +53,7 @@ pub enum DenialConfig<
     ///    the only practical and palatable transition mechanisms may require
     ///    an intermediate transition to an insecure state, or to a state that
     ///    uses NSEC records instead of NSEC3."
-    Nsec3(
-        GenerateNsec3Config<N, O, HP, Sort>,
-        Vec<GenerateNsec3Config<N, O, HP, Sort>>,
-    ),
-
-    /// The zone is transitioning from NSEC to NSEC3.
-    TransitioningNsecToNsec3(
-        GenerateNsecConfig,
-        GenerateNsec3Config<N, O, HP, Sort>,
-        NsecToNsec3TransitionState,
-    ),
-
-    /// The zone is transitioning from NSEC3 to NSEC.
-    TransitioningNsec3ToNsec(
-        GenerateNsecConfig,
-        GenerateNsec3Config<N, O, HP, Sort>,
-        Nsec3ToNsecTransitionState,
-    ),
+    Nsec3(GenerateNsec3Config<N, O, HP, Sort>),
 }
 
 impl<N, O> Default

diff --git a/src/dnssec/sign/mod.rs b/src/dnssec/sign/mod.rs
@@ -438,7 +438,7 @@ where
             in_out.sorted_extend(nsecs.into_iter().map(Record::from_record));
         }
 
-        DenialConfig::Nsec3(ref mut cfg, extra) if extra.is_empty() => {
+        DenialConfig::Nsec3(ref mut cfg) => {
             // RFC 5155 7.1 step 5: "Sort the set of NSEC3 RRs into hash
             // order." We store the NSEC3s as we create them and sort them
             // afterwards.
@@ -451,26 +451,6 @@ where
                     .chain(nsec3s.into_iter().map(Record::from_record)),
             );
         }
-
-        DenialConfig::Nsec3(_nsec3_config, _extra) => {
-            todo!();
-        }
-
-        DenialConfig::TransitioningNsecToNsec3(
-            _nsec_config,
-            _nsec3_config,
-            _nsec_to_nsec3_transition_state,
-        ) => {
-            todo!();
-        }
-
-        DenialConfig::TransitioningNsec3ToNsec(
-            _nsec_config,
-            _nsec3_config,
-            _nsec3_to_nsec_transition_state,
-        ) => {
-            todo!();
-        }
     }
 
     if !signing_keys.is_empty() {