1TSIG                                 LOCAL                                TSIG
2

NAME

4     ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
5     ns_verify_tcp_init, ns_find_tsig — TSIG system
6

SYNOPSIS

8     int
9     ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
10         const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
11         time_t in_timesigned);
12
13     int
14     ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
15         ns_tcp_tsig_state *state, int done);
16
17     int
18     ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
19         ns_tcp_tsig_state *state);
20
21     int
22     ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
23         int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
24         int nostrip);
25
26     int
27     ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
28         int required);
29
30     int
31     ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
32         ns_tcp_tsig_state *state);
33
34     u_char *
35     ns_find_tsig(u_char *msg, u_char *eom);
36

DESCRIPTION

38     The TSIG routines are used to implement transaction/request security of
39     DNS messages.
40
41     ns_sign() and ns_verify() are the basic routines.  ns_sign_tcp() and
42     ns_verify_tcp() are used to sign/verify TCP messages that may be split
43     into multiple packets, such as zone transfers, and ns_sign_tcp_init(),
44     ns_verify_tcp_init() initialize the state structure necessary for TCP
45     operations.  ns_find_tsig() locates the TSIG record in a message, if one
46     is present.
47
48     ns_sign()
49           msg            the incoming DNS message, which will be modified
50           msglen         the length of the DNS message, on input and output
51           msgsize        the size of the buffer containing the DNS message on
52                          input
53           error          the value to be placed in the TSIG error field
54           key            the (DST_KEY *) to sign the data
55           querysig       for a response, the signature contained in the query
56           querysiglen    the length of the query signature
57           sig            a buffer to be filled with the generated signature
58           siglen         the length of the signature buffer on input, the
59                          signature length on output
60
61     ns_sign_tcp()
62           msg            the incoming DNS message, which will be modified
63           msglen         the length of the DNS message, on input and output
64           msgsize        the size of the buffer containing the DNS message on
65                          input
66           error          the value to be placed in the TSIG error field
67           state          the state of the operation
68           done           non-zero value signifies that this is the last
69                          packet
70
71     ns_sign_tcp_init()
72           k              the (DST_KEY *) to sign the data
73           querysig       for a response, the signature contained in the query
74           querysiglen    the length of the query signature
75           state          the state of the operation, which this initializes
76
77     ns_verify()
78           msg            the incoming DNS message, which will be modified
79           msglen         the length of the DNS message, on input and output
80           key            the (DST_KEY *) to sign the data
81           querysig       for a response, the signature contained in the query
82           querysiglen    the length of the query signature
83           sig            a buffer to be filled with the signature contained
84           siglen         the length of the signature buffer on input, the
85                          signature length on output
86           nostrip        non-zero value means that the TSIG is left intact
87
88     ns_verify_tcp()
89           msg            the incoming DNS message, which will be modified
90           msglen         the length of the DNS message, on input and output
91           state          the state of the operation
92           required       non-zero value signifies that a TSIG record must be
93                          present at this step
94
95     ns_verify_tcp_init()
96           k              the (DST_KEY *) to verify the data
97           querysig       for a response, the signature contained in the query
98           querysiglen    the length of the query signature
99           state          the state of the operation, which this initializes
100
101     ns_find_tsig()
102           msg            the incoming DNS message
103           msglen         the length of the DNS message
104

RETURN VALUES

106     ns_find_tsig() returns a pointer to the TSIG record if one is found, and
107     NULL otherwise.
108
109     All other routines return 0 on success, modifying arguments when neces‐
110     sary.
111
112     ns_sign() and ns_sign_tcp() return the following errors:
113           (-1)                    bad input data
114           (-ns_r_badkey)          The key was invalid, or the signing failed
115           NS_TSIG_ERROR_NO_SPACE  the message buffer is too small.
116
117     ns_verify() and ns_verify_tcp() return the following errors:
118           (-1)                    bad input data
119           NS_TSIG_ERROR_FORMERR   The message is malformed
120           NS_TSIG_ERROR_NO_TSIG   The message does not contain a TSIG record
121           NS_TSIG_ERROR_ID_MISMATCH
122                                   The TSIG original ID field does not match
123                                   the message ID
124           (-ns_r_badkey)          Verification failed due to an invalid key
125           (-ns_r_badsig)          Verification failed due to an invalid sig‐
126                                   nature
127           (-ns_r_badtime)         Verification failed due to an invalid time‐
128                                   stamp
129           ns_r_badkey             Verification succeeded but the message had
130                                   an error of BADKEY
131           ns_r_badsig             Verification succeeded but the message had
132                                   an error of BADSIG
133           ns_r_badtime            Verification succeeded but the message had
134                                   an error of BADTIME
135

SEE ALSO

137     resolver(3).
138

AUTHORS

140     Brian Wellington, TISLabs at Network Associates
141
1424th Berkeley Distribution       January 1, 1996      4th Berkeley Distribution
Impressum