Computer Science
TSIG(2) UNIX Programmer's Manual TSIG(2)
NAME
ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
ns_verify_tcp_init, ns_find_tsig - TSIG system
SYNOPSIS
int
ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
const u_char *querysig, int querysiglen, u_char *sig,
int *siglen, time_t in_timesigned)
int
ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
ns_tcp_tsig_state *state, int done)
int
ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
ns_tcp_tsig_state *state)
int
ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
int nostrip)
int
ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
int required)
int
ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
ns_tcp_tsig_state *state)
u_char *
ns_find_tsig(u_char *msg, u_char *eom)
DESCRIPTION
The TSIG routines are used to implement transaction/request security of
DNS messages.
ns_sign() and ns_verify() are the basic routines. ns_sign_tcp() and
ns_verify_tcp() are used to sign/verify TCP messages that may be split
into multiple packets, such as zone transfers, and ns_sign_tcp_init,()
ns_verify_tcp_init() initialize the state structure necessary for TCP op-
erations. ns_find_tsig() locates the TSIG record in a message, if one is
present.
ns_sign()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
msgsize the size of the buffer containing the DNS message on
input
error the value to be placed in the TSIG error field
key the (DST_KEY *) to sign the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
sig a buffer to be filled with the generated signature
siglen the length of the signature buffer on input, the
signature length on output
ns_sign_tcp()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
msgsize the size of the buffer containing the DNS message on
input
error the value to be placed in the TSIG error field
state the state of the operation
done non-zero value signifies that this is the last pack-
et
ns_sign_tcp_init()
k the (DST_KEY *) to sign the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
state the state of the operation, which this initializes
ns_verify()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
key the (DST_KEY *) to sign the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
sig a buffer to be filled with the signature contained
siglen the length of the signature buffer on input, the
signature length on output
nostrip non-zero value means that the TSIG is left intact
ns_verify_tcp()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
state the state of the operation
required non-zero value signifies that a TSIG record must be
present at this step
ns_verify_tcp_init()
k the (DST_KEY *) to verify the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
state the state of the operation, which this initializes
ns_find_tsig()
msg the incoming DNS message
msglen the length of the DNS message
RETURN VALUES
ns_find_tsig() returns a pointer to the TSIG record if one is found, and
NULL otherwise.
All other routines return 0 on success, modifying arguments when neces-
sary.
ns_sign() and ns_sign_tcp() return the following errors:
(-1) bad input data
(-ns_r_badkey) The key was invalid, or the signing failed
NS_TSIG_ERROR_NO_SPACE the message buffer is too small.
ns_verify() and ns_verify_tcp() return the following errors:
(-1) bad input data
NS_TSIG_ERROR_FORMERR The message is malformed
NS_TSIG_ERROR_NO_TSIG The message does not contain a TSIG record
NS_TSIG_ERROR_ID_MISMATCH
The TSIG original ID field does not match
the message ID
(-ns_r_badkey) Verification failed due to an invalid key
(-ns_r_badsig) Verification failed due to an invalid sig-
nature
(-ns_r_badtime) Verification failed due to an invalid
timestamp
ns_r_badkey Verification succeeded but the message had
an error of BADKEY
ns_r_badsig Verification succeeded but the message had
an error of BADSIG
ns_r_badtime Verification succeeded but the message had
an error of BADTIME
SEE ALSO
resolver(3).
AUTHORS
Brian Wellington, TISLabs at Network Associates
4th Berkeley Distribution January 1, 1996 1
Back to the index
