|
Unix VPS
Support
FAQ
Network
Miscellaneous
|
| TSIG | LOCAL | TSIG |
NAME
ns_sign, ns_sign_tcp,
ns_sign_tcp_init, ns_verify,
ns_verify_tcp,
ns_verify_tcp_init,
ns_find_tsig —
SYNOPSIS
intns_sign(u_char *msg,
int *msglen, int msgsize,
int error, void *k,
const u_char *querysig, int
querysiglen, u_char *sig, int
*siglen, time_t in_timesigned);
int
ns_sign_tcp(u_char
*msg, int *msglen,
int msgsize,
int error,
ns_tcp_tsig_state *state,
int done);
int
ns_sign_tcp_init(void
*k, const u_char
*querysig, int
querysiglen,
ns_tcp_tsig_state
*state);
int
ns_verify(u_char *msg,
int *msglen, void *k,
const u_char *querysig, int
querysiglen, u_char *sig, int
*siglen, time_t in_timesigned,
int nostrip);
int
ns_verify_tcp(u_char
*msg, int *msglen,
ns_tcp_tsig_state *state,
int required);
int
ns_verify_tcp_init(void
*k, const u_char
*querysig, int
querysiglen,
ns_tcp_tsig_state
*state);
u_char *
ns_find_tsig(u_char
*msg, u_char
*eom);
DESCRIPTION
The TSIG routines are used to implement transaction/request security of DNS messages.ns_sign() and
ns_verify() are the basic routines.
ns_sign_tcp() and
ns_verify_tcp() are used to sign/verify TCP messages
that may be split into multiple packets, such as zone transfers, and
ns_sign_tcp_init(),
ns_verify_tcp_init() initialize the state structure
necessary for TCP operations. ns_find_tsig() locates
the TSIG record in a message, if one is present.
ns_sign()
msg- the incoming DNS message, which will be modified
msglen- the length of the DNS message, on input and output
msgsize- the size of the buffer containing the DNS message on input
error- the value to be placed in the TSIG error field
key- the (DST_KEY *) to sign the data
querysig- for a response, the signature contained in the query
querysiglen- the length of the query signature
sig- a buffer to be filled with the generated signature
siglen- the length of the signature buffer on input, the signature length on output
ns_sign_tcp()
msg- the incoming DNS message, which will be modified
msglen- the length of the DNS message, on input and output
msgsize- the size of the buffer containing the DNS message on input
error- the value to be placed in the TSIG error field
state- the state of the operation
done- non-zero value signifies that this is the last packet
ns_sign_tcp_init()
k- the (DST_KEY *) to sign the data
querysig- for a response, the signature contained in the query
querysiglen- the length of the query signature
state- the state of the operation, which this initializes
ns_verify()
msg- the incoming DNS message, which will be modified
msglen- the length of the DNS message, on input and output
key- the (DST_KEY *) to sign the data
querysig- for a response, the signature contained in the query
querysiglen- the length of the query signature
sig- a buffer to be filled with the signature contained
siglen- the length of the signature buffer on input, the signature length on output
nostrip- non-zero value means that the TSIG is left intact
ns_verify_tcp()
ns_verify_tcp_init()
k- the (DST_KEY *) to verify the data
querysig- for a response, the signature contained in the query
querysiglen- the length of the query signature
state- the state of the operation, which this initializes
ns_find_tsig()
RETURN VALUES
ns_find_tsig() returns a pointer to the TSIG record if
one is found, and NULL otherwise.
All other routines return 0 on success, modifying arguments when necessary.
ns_sign() and
ns_sign_tcp() return the following errors:
(-1)- bad input data
(-ns_r_badkey)- The key was invalid, or the signing failed
NS_TSIG_ERROR_NO_SPACE- the message buffer is too small.
ns_verify() and
ns_verify_tcp() return the following errors:
(-1)- bad input data
NS_TSIG_ERROR_FORMERR- The message is malformed
NS_TSIG_ERROR_NO_TSIG- The message does not contain a TSIG record
NS_TSIG_ERROR_ID_MISMATCH- The TSIG original ID field does not match the message ID
(-ns_r_badkey)- Verification failed due to an invalid key
(-ns_r_badsig)- Verification failed due to an invalid signature
(-ns_r_badtime)- Verification failed due to an invalid timestamp
ns_r_badkey- Verification succeeded but the message had an error of BADKEY
ns_r_badsig- Verification succeeded but the message had an error of BADSIG
ns_r_badtime- Verification succeeded but the message had an error of BADTIME
SEE ALSO
resolver(3).AUTHORS
Brian Wellington, TISLabs at Network Associates| January 1, 1996 | BSD 4 |
Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.