TSIG(@SYSCALL_EXT@) LOCAL TSIG(@SYSCALL_EXT@) NAME ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp, ns_verify_tcp_init, ns_find_tsig - TSIG system SYNOPSIS ___ ns_sign(______ ____, ___ _______, ___ _______, ___ _____, ____ __, _____ ______ _________, ___ ___________, ______ ____, ___ _______, ______ _____________) ___ ns_sign_tcp(______ ____, ___ _______, ___ _______, ___ _____, _________________ ______, ___ ____) ___ ns_sign_tcp_init(____ __, _____ ______ _________, ___ ___________, _________________ ______) ___ ns_verify(______ ____, ___ _______, ____ __, _____ ______ _________, ___ ___________, ______ ____, ___ _______, ______ _____________, ___ _______) ___ ns_verify_tcp(______ ____, ___ _______, _________________ ______, ___ ________) ___ ns_verify_tcp_init(____ __, _____ ______ _________, ___ ___________, _________________ ______) ______ _ ns_find_tsig(______ ____, ______ ____) DESCRIPTION The TSIG routines are used to implement transaction/request security of DNS messages. ns_sign() and ns_verify() are the basic routines. ns_sign_tcp() and ns_verify_tcp() are used to sign/verify TCP messages that may be split into multiple packets, such as zone transfers, and ns_sign_tcp_init,() ns_verify_tcp_init() initialize the state structure necessary for TCP op- erations. ns_find_tsig() locates the TSIG record in a message, if one is present. ns_sign() msg the incoming DNS message, which will be modified msglen the length of the DNS message, on input and output msgsize the size of the buffer containing the DNS message on input error the value to be placed in the TSIG error field key the (DST_KEY *) to sign the data querysig for a response, the signature contained in the query querysiglen the length of the query signature sig a buffer to be filled with the generated signature siglen the length of the signature buffer on input, the signature length on output ns_sign_tcp() msg the incoming DNS message, which will be modified msglen the length of the DNS message, on input and output msgsize the size of the buffer containing the DNS message on input error the value to be placed in the TSIG error field state the state of the operation done non-zero value signifies that this is the last pack- et ns_sign_tcp_init() k the (DST_KEY *) to sign the data querysig for a response, the signature contained in the query querysiglen the length of the query signature state the state of the operation, which this initializes ns_verify() msg the incoming DNS message, which will be modified msglen the length of the DNS message, on input and output key the (DST_KEY *) to sign the data querysig for a response, the signature contained in the query querysiglen the length of the query signature sig a buffer to be filled with the signature contained siglen the length of the signature buffer on input, the signature length on output nostrip non-zero value means that the TSIG is left intact ns_verify_tcp() msg the incoming DNS message, which will be modified msglen the length of the DNS message, on input and output state the state of the operation required non-zero value signifies that a TSIG record must be present at this step ns_verify_tcp_init() k the (DST_KEY *) to verify the data querysig for a response, the signature contained in the query querysiglen the length of the query signature state the state of the operation, which this initializes ns_find_tsig() msg the incoming DNS message msglen the length of the DNS message RETURN VALUES ns_find_tsig() returns a pointer to the TSIG record if one is found, and NULL otherwise. All other routines return 0 on success, modifying arguments when neces- sary. ns_sign() and ns_sign_tcp() return the following errors: (-1) bad input data (-ns_r_badkey) The key was invalid, or the signing failed NS_TSIG_ERROR_NO_SPACE the message buffer is too small. ns_verify() and ns_verify_tcp() return the following errors: (-1) bad input data NS_TSIG_ERROR_FORMERR The message is malformed NS_TSIG_ERROR_NO_TSIG The message does not contain a TSIG record NS_TSIG_ERROR_ID_MISMATCH The TSIG original ID field does not match the message ID (-ns_r_badkey) Verification failed due to an invalid key (-ns_r_badsig) Verification failed due to an invalid sig- nature (-ns_r_badtime) Verification failed due to an invalid timestamp ns_r_badkey Verification succeeded but the message had an error of BADKEY ns_r_badsig Verification succeeded but the message had an error of BADSIG ns_r_badtime Verification succeeded but the message had an error of BADTIME SEE ALSO resolver(3). AUTHORS Brian Wellington, TISLabs at Network Associates 4th Berkeley Distribution January 1, 1996 3