
FreeBSD Manual Pages

TSIG				     LOCAL				  TSIG

NAME
     ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify,	ns_verify_tcp,
     ns_verify_tcp_init, ns_find_tsig -- TSIG system

SYNOPSIS
     int
     ns_sign(u_char *msg, int *msglen, int msgsize, int	error, void *k,
	 const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
	 time_t	in_timesigned);

     int
     ns_sign_tcp(u_char	*msg, int *msglen, int msgsize,	int error,
	 ns_tcp_tsig_state *state, int done);

     int
     ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
	 ns_tcp_tsig_state *state);

     int
     ns_verify(u_char *msg, int	*msglen, void *k, const	u_char *querysig,
	 int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
	 int nostrip);

     int
     ns_verify_tcp(u_char *msg,	int *msglen, ns_tcp_tsig_state *state,
	 int required);

     int
     ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
	 ns_tcp_tsig_state *state);

     u_char *
     ns_find_tsig(u_char *msg, u_char *eom);

DESCRIPTION
     The TSIG routines are used	to implement transaction/request security of
     DNS messages.

     ns_sign() and ns_verify() are the basic routines.	ns_sign_tcp() and
     ns_verify_tcp() are used to sign/verify TCP messages that may be split
     into multiple packets, such as zone transfers, and	ns_sign_tcp_init(),
     ns_verify_tcp_init() initialize the state structure necessary for TCP
     operations.  ns_find_tsig() locates the TSIG record in a message, if one
     is present.

     ns_sign()
	   msg		  the incoming DNS message, which will be modified
	   msglen	  the length of	the DNS	message, on input and output
	   msgsize	  the size of the buffer containing the	DNS message on
			  input
	   error	  the value to be placed in the	TSIG error field
	   k		  the (DST_KEY *) to sign the data
	   querysig	  for a	response, the signature	contained in the query
	   querysiglen	  the length of	the query signature
	   sig		  a buffer to be filled	with the generated signature
	   siglen	  the length of	the signature buffer on	input, the
			  signature length on output

     ns_sign_tcp()
	   msg		  the incoming DNS message, which will be modified
	   msglen	  the length of	the DNS	message, on input and output
	   msgsize	  the size of the buffer containing the	DNS message on
			  input
	   error	  the value to be placed in the	TSIG error field
	   state	  the state of the operation
	   done		  non-zero value signifies that	this is	the last
			  packet

     ns_sign_tcp_init()
	   k		  the (DST_KEY *) to sign the data
	   querysig	  for a	response, the signature	contained in the query
	   querysiglen	  the length of	the query signature
	   state	  the state of the operation, which this initializes

     ns_verify()
	   msg		  the incoming DNS message, which will be modified
	   msglen	  the length of	the DNS	message, on input and output
	   k		  the (DST_KEY *) to verify the	data
	   querysig	  for a	response, the signature	contained in the query
	   querysiglen	  the length of	the query signature
	   sig		  a buffer to be filled	with the signature contained
			  in the message
	   siglen	  the length of	the signature buffer on	input, the
			  signature length on output
	   nostrip	  non-zero value means that the	TSIG is	left intact

     ns_verify_tcp()
	   msg		  the incoming DNS message, which will be modified
	   msglen	  the length of	the DNS	message, on input and output
	   state	  the state of the operation
	   required	  non-zero value signifies that	a TSIG record must be
			  present at this step

     ns_verify_tcp_init()
	   k		  the (DST_KEY *) to verify the	data
	   querysig	  for a	response, the signature	contained in the query
	   querysiglen	  the length of	the query signature
	   state	  the state of the operation, which this initializes

     ns_find_tsig()
	   msg		  the incoming DNS message
	   eom		  a pointer to the end of the DNS message

RETURN VALUES
     ns_find_tsig() returns a pointer to the TSIG record if one	is found, and
     NULL otherwise.

     All other routines	return 0 on success, modifying arguments when
     necessary.

     ns_sign() and ns_sign_tcp() return	the following errors:
	   (-1)			   bad input data
	   (-ns_r_badkey)	   The key was invalid,	or the signing failed
	   NS_TSIG_ERROR_NO_SPACE  the message buffer is too small.

     ns_verify() and ns_verify_tcp() return the	following errors:
	   (-1)			   bad input data
	   NS_TSIG_ERROR_FORMERR   The message is malformed
	   NS_TSIG_ERROR_NO_TSIG   The message does not	contain	a TSIG record
	   NS_TSIG_ERROR_ID_MISMATCH
				   The TSIG original ID	field does not match
				   the message ID
	   (-ns_r_badkey)	   Verification	failed due to an invalid key
	   (-ns_r_badsig)	   Verification	failed due to an invalid
				   signature
	   (-ns_r_badtime)	   Verification	failed due to an invalid
				   timestamp
	   ns_r_badkey		   Verification	succeeded but the message had
				   an error of BADKEY
	   ns_r_badsig		   Verification	succeeded but the message had
				   an error of BADSIG
	   ns_r_badtime		   Verification	succeeded but the message had
				   an error of BADTIME

SEE ALSO
     resolver(3).

AUTHORS
     Brian Wellington, TISLabs at Network Associates

4th Berkeley Distribution	January	1, 1996	     4th Berkeley Distribution

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=tsig&sektion=3&manpath=FreeBSD+13.0-RELEASE+and+Ports>