ns_sign

, ns_sign_tcp

, ns_sign_tcp_init

, ns_verify

, ns_verify_tcp

, ns_verify_tcp_init

, ns_find_tsig

- TSIG system

Synopsis

cc [ flag... ] file... -lresolv -lsocket -lnsl [ library...]
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
     const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
     time_t in_timesigned);

int ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
     ns_tcp_tsig_state *state, int done);

int ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
     ns_tcp_tsig_state *state);

int ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
     int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
     int nostrip);

int ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
     int required);

int ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
     ns_tcp_tsig_state *state);

u_char *ns_find_tsig(u_char *msg, u_char *eom);

Parameters

ns_sign()

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

msgsize

the size of the buffer containing the DNS message on input

error

the value to be placed in the TSIG error field

k

the (DST_KEY *) to sign the data

querysig

for a response, the signature contained in the query

querysiglen

the length of the query signature

sig

a buffer to be filled with the generated signature

siglen

the length of the signature buffer on input, the signature length on output

ns_sign_tcp()

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

msgsize

the size of the buffer containing the DNS message on input

error

the value to be placed in the TSIG error field

state

the state of the operation

done

non-zero value signifies that this is the last packet

ns_sign_tcp_init()

k

the (DST_KEY *) to sign the data

querysig

for a response, the signature contained in the query

querysiglen

the length of the query signature

state

the state of the operation, which this initializes

ns_verify()

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

k

the (DST_KEY *) to sign the data

querysig

for a response, the signature contained in the query

querysiglen

the length of the query signature

sig

a buffer to be filled with the signature contained

siglen

the length of the signature buffer on input, the signature length on output

nostrip

non-zero value means that the TSIG is left intact

ns_verify_tcp()

msg

the incoming DNS message, which will be modified

msglen

the length of the DNS message, on input and output

state

the state of the operation

required

non-zero value signifies that a TSIG record must be present at this step

ns_verify_tcp_init()

k

the (DST_KEY *) to verify the dat

querysig

for a response, the signature contained in the quer

querysiglen

the length of the query signature

state

the state of the operation, which this initializes

ns_find_tsig()

msg

the incoming DNS messag

eom

the length of the DNS message

Description

The TSIG functions are used to implement transaction/request security of DNS messages.

The ns_sign() and ns_verify() functions are the basic routines. The ns_sign_tcp() and ns_verify_tcp() functions are used to sign/verify TCP messages that may be split into multiple packets, such as zone transfers. The ns_sign_tcp_init() and ns_verify_tcp_init() functions initialize the state structure necessary for TCP operations. The ns_find_tsig() function locates the TSIG record in a message if one is present.

Return Values

The ns_find_tsig() function returns a pointer to the TSIG record if one is found, and NULL otherwise.

All other functions return 0 on success, modifying arguments when necessary.

The ns_sign() and ns_sign_tcp() functions return the following values:

-1

bad input data

-ns_r_badkey

The key was invalid or the signing failed.

NS_TSIG_ERROR_NO_SPACE

The message buffer is too small.

The ns_verify() and ns_verify_tcp() functions return the following values:

-1

bad input data

NS_TSIG_ERROR_FORMERR

The message is malformed.

NS_TSIG_ERROR_NO_TSIG

The message does not contain a TSIG record.

NS_TSIG_ERROR_ID_MISMATCH

The TSIG original ID field does not match the message ID.

-ns_r_badkey

Verification failed due to an invalid key.

-ns_r_badsig

Verification failed due to an invalid signature.

-ns_r_badtime

Verification failed due to an invalid timestamp.

ns_r_badkey

Verification succeeded but the message had an error of BADKEY.

ns_r_badsig

Verification succeeded but the message had an error of BADSIG.

ns_r_badtime

Verification succeeded but the message had an error of BADTIME.

Attributes

See attributes(5) for descriptions of the following attributes:

See Also

resolver(3RESOLV), attributes(5)