TSIG LOCAL TSIG
2
4 ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
5 ns_verify_tcp_init, ns_find_tsig — TSIG system
6
8 int
9 ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
10 const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
11 time_t in_timesigned);
12
13 int
14 ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
15 ns_tcp_tsig_state *state, int done);
16
17 int
18 ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
19 ns_tcp_tsig_state *state);
20
21 int
22 ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
23 int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
24 int nostrip);
25
26 int
27 ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
28 int required);
29
30 int
31 ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
32 ns_tcp_tsig_state *state);
33
34 u_char *
35 ns_find_tsig(u_char *msg, u_char *eom);
36
38 The TSIG routines are used to implement transaction/request security of
39 DNS messages.
40
41 ns_sign() and ns_verify() are the basic routines. ns_sign_tcp() and
42 ns_verify_tcp() are used to sign/verify TCP messages that may be split
43 into multiple packets, such as zone transfers, and ns_sign_tcp_init(),
44 ns_verify_tcp_init() initialize the state structure necessary for TCP
45 operations. ns_find_tsig() locates the TSIG record in a message, if one
46 is present.
47
ns_sign()
msg the incoming DNS message, which will be modified (the
TSIG record is appended to it)
msglen the length of the DNS message, on input and output
msgsize the size of the buffer containing the DNS message on
input; the TSIG record must fit in msgsize - msglen
bytes or NS_TSIG_ERROR_NO_SPACE is returned
error the value to be placed in the TSIG error field
k the (DST_KEY *) to sign the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
sig a buffer to be filled with the generated signature;
a client keeps this and passes it as querysig when it
later calls ns_verify() on the response
siglen the length of the signature buffer on input, the
signature length on output
in_timesigned a time_t consulted when building the TSIG time-signed
field; the exact conditions under which it is used
rather than the current time are not described here
(TODO: confirm against the implementation)
60
61 ns_sign_tcp()
62 msg the incoming DNS message, which will be modified
63 msglen the length of the DNS message, on input and output
64 msgsize the size of the buffer containing the DNS message on
65 input
66 error the value to be placed in the TSIG error field
67 state the state of the operation
68 done non-zero value signifies that this is the last
69 packet
70
71 ns_sign_tcp_init()
72 k the (DST_KEY *) to sign the data
73 querysig for a response, the signature contained in the query
74 querysiglen the length of the query signature
75 state the state of the operation, which this initializes
76
ns_verify()
msg the incoming DNS message, which will be modified
(unless nostrip is set, the TSIG record is removed)
msglen the length of the DNS message, on input and output
k the (DST_KEY *) to verify the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
sig a buffer to be filled with the signature contained
in the message
siglen the length of the signature buffer on input, the
signature length on output
in_timesigned a time_t relating to the TSIG timestamp check (see
-ns_r_badtime below); its precise role is not described
here (TODO: confirm against the implementation)
nostrip non-zero value means that the TSIG record is left
intact in msg; zero means it is stripped and msglen is
reduced accordingly
87
ns_verify_tcp()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
state the state of the operation
required non-zero value signifies that a TSIG record must be
present at this step. A zero value lets a packet with no
TSIG record pass, so a stream on which required is never
set is never authenticated; callers should at minimum
require a signature on the final packet of a transfer.
94
95 ns_verify_tcp_init()
96 k the (DST_KEY *) to verify the data
97 querysig for a response, the signature contained in the query
98 querysiglen the length of the query signature
99 state the state of the operation, which this initializes
100
ns_find_tsig()
msg the incoming DNS message
eom a pointer to the end of the message (one past its last
byte), which bounds the search
104
ns_find_tsig() returns a pointer to the TSIG record if one is found, and
NULL otherwise. Locating a TSIG record says nothing about its validity;
only ns_verify() and ns_verify_tcp() check the signature.
108
109 All other routines return 0 on success, modifying arguments when neces‐
110 sary.
111
112 ns_sign() and ns_sign_tcp() return the following errors:
113 (-1) bad input data
114 (-ns_r_badkey) The key was invalid, or the signing failed
115 NS_TSIG_ERROR_NO_SPACE the message buffer is too small.
116
117 ns_verify() and ns_verify_tcp() return the following errors:
118 (-1) bad input data
119 NS_TSIG_ERROR_FORMERR The message is malformed
120 NS_TSIG_ERROR_NO_TSIG The message does not contain a TSIG record
121 NS_TSIG_ERROR_ID_MISMATCH
122 The TSIG original ID field does not match
123 the message ID
124 (-ns_r_badkey) Verification failed due to an invalid key
125 (-ns_r_badsig) Verification failed due to an invalid sig‐
126 nature
127 (-ns_r_badtime) Verification failed due to an invalid time‐
128 stamp
ns_r_badkey Verification succeeded but the message had
an error of BADKEY
ns_r_badsig Verification succeeded but the message had
an error of BADSIG
ns_r_badtime Verification succeeded but the message had
an error of BADTIME

Note that the positive ns_r_* values and the negative -ns_r_* values are
distinct outcomes: a negative value means this side could not validate
the message, a positive value means the message carried a TSIG error
reported by the peer. Only a return of 0 denotes a message that
verified cleanly; callers should reject the contents of the message on
any non-zero return, positive or negative, rather than testing only for
the negative cases.
135
resolver(3).
138
Brian Wellington, TISLabs at Network Associates
141
4th Berkeley Distribution January 1, 1996 4th Berkeley Distribution