TSIG(3)

NAME
     ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp, ns_verify_tcp_init, ns_find_tsig - TSIG routines

SYNOPSIS
     #include <sys/types.h>
     #include <netinet/in.h>
     #include <arpa/nameser.h>
     #include <resolv.h>

     int ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
         const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
         time_t in_timesigned);

     int ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
         ns_tcp_tsig_state *state, int done);

     int ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
         ns_tcp_tsig_state *state);

     int ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
         int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
         int nostrip);

     int ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
         int required);

     int ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
         ns_tcp_tsig_state *state);

     u_char *ns_find_tsig(u_char *msg, u_char *eom);
DESCRIPTION
The TSIG routines are used to implement transaction/request security of DNS messages.
ns_sign and ns_verify are the basic routines. ns_sign_tcp and ns_verify_tcp sign and verify TCP messages that may be split into multiple packets, such as zone transfers; ns_sign_tcp_init and ns_verify_tcp_init initialize the state structure those TCP operations require. ns_find_tsig locates the TSIG record in a message, if one is present.
ns_sign
- msg: the incoming DNS message, which will be modified
- msglen: the length of the DNS message, on input and output
- msgsize: the size of the buffer containing the DNS message on input
- error: the value to be placed in the TSIG error field
- key: the (DST_KEY *) to sign the data
- querysig: for a response, the signature contained in the query
- querysiglen: the length of the query signature
- sig: a buffer to be filled with the generated signature
- siglen: the length of the signature buffer on input, the signature length on output
ns_sign_tcp
- msg: the incoming DNS message, which will be modified
- msglen: the length of the DNS message, on input and output
- msgsize: the size of the buffer containing the DNS message on input
- error: the value to be placed in the TSIG error field
- state: the state of the operation
- done: non-zero value signifies that this is the last packet
ns_sign_tcp_init
- k: the (DST_KEY *) to sign the data
- querysig: for a response, the signature contained in the query
- querysiglen: the length of the query signature
- state: the state of the operation, which this initializes
ns_verify
- msg: the incoming DNS message, which will be modified
- msglen: the length of the DNS message, on input and output
- key: the (DST_KEY *) to sign the data
- querysig: for a response, the signature contained in the query
- querysiglen: the length of the query signature
- sig: a buffer to be filled with the signature contained in the message
- siglen: the length of the signature buffer on input, the signature length on output
- nostrip: non-zero value means that the TSIG is left intact
ns_verify_tcp
- msg: the incoming DNS message, which will be modified
- msglen: the length of the DNS message, on input and output
- state: the state of the operation
- required: non-zero value signifies that a TSIG record must be present at this step
ns_verify_tcp_init
- k: the (DST_KEY *) to verify the data
- querysig: for a response, the signature contained in the query
- querysiglen: the length of the query signature
- state: the state of the operation, which this initializes
ns_find_tsig
- msg: the incoming DNS message
- msglen: the length of the DNS message
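What ns_find_tsig has to establish, shown as an added example in plain C that is not the library's code: walk the wire-format message and accept a TSIG record only when it is the last RR of the additional section and ends exactly at the end of the message. The function names (tsig_offset, skip_name, skip_rr) and the sample message are constructed for this example; a real TSIG rdata is not built here.

```c
#include <stdint.h>
#include <stddef.h>

#define T_TSIG 250  /* RR type of the TSIG record */
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Step over a wire-format name (labels or a compression pointer); NULL if truncated. */
static const uint8_t *skip_name(const uint8_t *p, const uint8_t *eom)
{
    while (p < eom) {
        uint8_t len = *p;
        if ((len & 0xC0) == 0xC0)          /* 2-byte compression pointer ends the name */
            return (eom - p >= 2) ? p + 2 : NULL;
        if (len > 63) return NULL;         /* reserved label type */
        p += 1 + len;
        if (len == 0) return p;            /* root label: name complete */
    }
    return NULL;
}
/* Step over one RR (name, type, class, ttl, rdlength, rdata); NULL if truncated. */
static const uint8_t *skip_rr(const uint8_t *p, const uint8_t *eom)
{
    if ((p = skip_name(p, eom)) == NULL || eom - p < 10) return NULL;
    size_t rdlen = get16(p + 8);
    return ((size_t)(eom - p) >= 10 + rdlen) ? p + 10 + rdlen : NULL;
}
/* Offset of the TSIG RR, or -1: as with ns_find_tsig, it must be the last RR and end at eom. */
long tsig_offset(const uint8_t *msg, size_t msglen)
{
    if (msglen < 12) return -1;
    const uint8_t *eom = msg + msglen, *p = msg + 12;
    unsigned qd = get16(msg + 4), rrs = get16(msg + 6) + get16(msg + 8) + get16(msg + 10);
    if (get16(msg + 10) == 0) return -1;   /* empty additional section: no TSIG */
    for (unsigned i = 0; i < qd; i++) {    /* question entries: name, type, class */
        if ((p = skip_name(p, eom)) == NULL || eom - p < 4) return -1;
        p += 4;
    }
    for (unsigned i = 0; i + 1 < rrs; i++) /* every RR except the last */
        if ((p = skip_rr(p, eom)) == NULL) return -1;
    const uint8_t *q = skip_name(p, eom);  /* type field of the last RR */
    if (q == NULL || eom - q < 10 || get16(q) != T_TSIG) return -1;
    return (skip_rr(p, eom) == eom) ? (long)(p - msg) : -1;
}

/* Constructed sample (not real traffic): example.com/A query plus one TSIG RR with placeholder rdata. */
static const uint8_t sample_msg[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01,      /* header, ar=1 */
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01, /* question */
    3,'k','e','y',0, 0x00,0xfa, 0x00,0xff, 0,0,0,0, 0x00,0x04, 0,0,0,0     /* TSIG, class ANY */
};
```

A truncated message, or one whose last RR is not TSIG, yields -1, which is the case the library reports as NS_TSIG_ERROR_NO_TSIG or NS_TSIG_ERROR_FORMERR.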
RETURN VALUES
ns_find_tsig returns a pointer to the TSIG record if one is found, and NULL otherwise.
All other routines return 0 on success, modifying arguments when necessary.
ns_sign and ns_sign_tcp return the following errors:
- (-1): bad input data
- (-ns_r_badkey): the key was invalid, or the signing failed
- NS_TSIG_ERROR_NO_SPACE: the message buffer is too small
ns_verify and ns_verify_tcp return the following errors:
- (-1): bad input data
- NS_TSIG_ERROR_FORMERR: the message is malformed
- NS_TSIG_ERROR_NO_TSIG: the message does not contain a TSIG record
- NS_TSIG_ERROR_ID_MISMATCH: the TSIG original ID field does not match the message ID
- (-ns_r_badkey): verification failed due to an invalid key
- (-ns_r_badsig): verification failed due to an invalid signature
- (-ns_r_badtime): verification failed due to an invalid timestamp
- ns_r_badkey: verification succeeded, but the message had an error of BADKEY
- ns_r_badsig: verification succeeded, but the message had an error of BADSIG
- ns_r_badtime: verification succeeded, but the message had an error of BADTIME
SEE ALSO
AUTHORS
Brian Wellington, TISLabs at Network Associates