boulder

Commit Graph

Author	SHA1	Message	Date
James Renken	48d5ad3c19	ratelimits: Add IP address identifier support (#8221 ) Change most functions in `ratelimits` to use full ACMEIdentifier(s) as arguments, instead of using their values as strings. This makes the plumbing from other packages more consistent, and allows us to: Rename `FQDNsToETLDsPlusOne` to `coveringIdentifiers` and handle IP identifiers, parsing IPv6 addresses into their covering /64 prefixes for CertificatesPerDomain[PerAccount] bucket keys. Port improved IP/CIDR validation logic to NewRegistrationsPerIPAddress & PerIPv6Range. Rename `domain` parts of bucket keys to either `identValue` or `domainOrCIDR`. Rename other internal functions to clarify that they now handle identifier values, not just domains. Add the new reserved IPv6 address range from RFC 9780. For deployability, don't (yet) rename rate limits themselves; and because it remains the name of the database table, preserve the term `fqdnSets`. Fixes #8223 Part of #7311	2025-06-12 11:47:32 -07:00
James Renken	b017c1b46d	bdns, policy: Move reserved IP checking from bdns to policy & refactor (#8196 ) Move `IsReservedIP` and its supporting vars from `bdns` to `policy`. Rewrite `IsReservedIP` to: * Use `netip` because `netip.Prefix` can be used as a map key, allowing us to define prefix lists more elegantly. This will enable future work to import prefix lists from IANA's primary source data. * Return an error including the reserved network's name. Refactor `IsReservedIP` tests to be table-based. Fixes #8040	2025-05-27 13:24:21 -07:00

Author

SHA1

Message

Date

James Renken

48d5ad3c19

ratelimits: Add IP address identifier support (#8221 )

Change most functions in `ratelimits` to use full ACMEIdentifier(s) as
arguments, instead of using their values as strings. This makes the
plumbing from other packages more consistent, and allows us to:

Rename `FQDNsToETLDsPlusOne` to `coveringIdentifiers` and handle IP
identifiers, parsing IPv6 addresses into their covering /64 prefixes for
CertificatesPerDomain[PerAccount] bucket keys.

Port improved IP/CIDR validation logic to NewRegistrationsPerIPAddress &
PerIPv6Range.

Rename `domain` parts of bucket keys to either `identValue` or
`domainOrCIDR`.

Rename other internal functions to clarify that they now handle
identifier values, not just domains.

Add the new reserved IPv6 address range from RFC 9780.

For deployability, don't (yet) rename rate limits themselves; and
because it remains the name of the database table, preserve the term
`fqdnSets`.

Fixes #8223
Part of #7311

2025-06-12 11:47:32 -07:00

James Renken

b017c1b46d

bdns, policy: Move reserved IP checking from bdns to policy & refactor (#8196 )

Move `IsReservedIP` and its supporting vars from `bdns` to `policy`.

Rewrite `IsReservedIP` to:
* Use `netip` because `netip.Prefix` can be used as a map key, allowing
us to define prefix lists more elegantly. This will enable future work
to import prefix lists from IANA's primary source data.
* Return an error including the reserved network's name.

Refactor `IsReservedIP` tests to be table-based.

Fixes #8040

2025-05-27 13:24:21 -07:00

2 Commits