"ns_tcp_tsig_state *state" "int done" ns_sign_tcp_init void *k const u_char *querysig int querysiglen "ns_tcp_tsig_state *state" u_char *msg int *msglen void *k const u_char *querysig int querysiglen u_char *sig int *siglen time_t in_timesigned int nostrip ns_verify_tcp u_char *msg int *msglen ns_tcp_tsig_state *state "int required" ns_verify_tcp_init void *k const u_char *querysig int querysiglen "ns_tcp_tsig_state *state" ns_find_tsig u_char *msg u_char *eom

The TSIG routines are used to implement transaction/request security of DNS messages.

ns_sign and ns_verify are the basic routines. ns_sign_tcp and ns_verify_tcp are used to sign/verify TCP messages that may be split into multiple packets, such as zone transfers, and ns_sign_tcp_init , ns_verify_tcp_init initialize the state structure necessary for TCP operations. ns_find_tsig locates the TSIG record in a message, if one is present.

ns_sign

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

msgsize

the size of the buffer containing the DNS message on input

error

the value to be placed in the TSIG error field

key

the (DST_KEY *) to sign the data

querysig

for a response, the signature contained in the query

querysiglen

the length of the query signature

sig

a buffer to be filled with the generated signature

siglen

the length of the signature buffer on input, the signature length on output

ns_sign_tcp

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

msgsize

the size of the buffer containing the DNS message on input

error

the value to be placed in the TSIG error field

state

the state of the operation

done

non-zero value signifies that this is the last packet

ns_sign_tcp_init

k

the (DST_KEY *) to sign the data

querysig

for a response, the signature contained in the query

querysiglen

the length of the query signature

state

the state of the operation, which this initializes

ns_verify

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

key

the (DST_KEY *) to sign the data

querysig

for a response, the signature contained in the query

querysiglen

the length of the query signature

sig

a buffer to be filled with the signature contained

siglen

the length of the signature buffer on input, the signature length on output

nostrip

non-zero value means that the TSIG is left intact

ns_verify_tcp

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

state

the state of the operation

required

non-zero value signifies that a TSIG record must be present at this step

ns_verify_tcp_init

k

the (DST_KEY *) to verify the data

querysig

for a response, the signature contained in the query

querysiglen

the length of the query signature

state

the state of the operation, which this initializes

ns_find_tsig

msg

the incoming DNS message

msglen

the length of the DNS message

returns a pointer to the TSIG record if one is found, and NULL otherwise.

All other routines return 0 on success, modifying arguments when necessary.

ns_sign and ns_sign_tcp return the following errors:

(-1)

bad input data

(-ns_r_badkey)

The key was invalid, or the signing failed

NS_TSIG_ERROR_NO_SPACE

the message buffer is too small.

ns_verify and ns_verify_tcp return the following errors:

(-1)

bad input data

NS_TSIG_ERROR_FORMERR

The message is malformed

NS_TSIG_ERROR_NO_TSIG

The message does not contain a TSIG record

NS_TSIG_ERROR_ID_MISMATCH

The TSIG original ID field does not match the message ID

(-ns_r_badkey)

Verification failed due to an invalid key

(-ns_r_badsig)

Verification failed due to an invalid signature

(-ns_r_badtime)

Verification failed due to an invalid timestamp

ns_r_badkey

Verification succeeded but the message had an error of BADKEY

ns_r_badsig

Verification succeeded but the message had an error of BADSIG

ns_r_badtime

Verification succeeded but the message had an error of BADTIME

Brian Wellington, TISLabs at Network Associates