TSIG                                 LOCAL                                 TSIG

NAME
     ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
     ns_verify_tcp_init, ns_find_tsig - TSIG system

SYNOPSIS
     int
     ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
         const u_char *querysig, int querysiglen, u_char *sig,
         int *siglen, time_t in_timesigned);

     int
     ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
         ns_tcp_tsig_state *state, int done);

     int
     ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
         ns_tcp_tsig_state *state);

     int
     ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
         int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
         int nostrip);

     int
     ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
         int required);

     int
     ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
         ns_tcp_tsig_state *state);

     u_char *
     ns_find_tsig(u_char *msg, u_char *eom);

DESCRIPTION
     The TSIG routines are used to implement transaction/request security of
     DNS messages.

     ns_sign() and ns_verify() are the basic routines. ns_sign_tcp() and
     ns_verify_tcp() are used to sign/verify TCP messages that may be split
     into multiple packets, such as zone transfers, and ns_sign_tcp_init(),
     ns_verify_tcp_init() initialize the state structure necessary for TCP
     operations. ns_find_tsig() locates the TSIG record in a message, if one
     is present.

     ns_sign()
           msg          the incoming DNS message, which will be modified
           msglen       the length of the DNS message, on input and output
           msgsize      the size of the buffer containing the DNS message on
                        input
           error        the value to be placed in the TSIG error field
           key          the (DST_KEY *) to sign the data
           querysig     for a response, the signature contained in the query
           querysiglen  the length of the query signature
           sig          a buffer to be filled with the generated signature
           siglen       the length of the signature buffer on input, the
                        signature length on output

     ns_sign_tcp()
           msg          the incoming DNS message, which will be modified
           msglen       the length of the DNS message, on input and output
           msgsize      the size of the buffer containing the DNS message on
                        input
           error        the value to be placed in the TSIG error field
           state        the state of the operation
           done         non-zero value signifies that this is the last
                        packet

     ns_sign_tcp_init()
           k            the (DST_KEY *) to sign the data
           querysig     for a response, the signature contained in the query
           querysiglen  the length of the query signature
           state        the state of the operation, which this initializes

     ns_verify()
           msg          the incoming DNS message, which will be modified
           msglen       the length of the DNS message, on input and output
           key          the (DST_KEY *) to sign the data
           querysig     for a response, the signature contained in the query
           querysiglen  the length of the query signature
           sig          a buffer to be filled with the signature contained
           siglen       the length of the signature buffer on input, the
                        signature length on output
           nostrip      non-zero value means that the TSIG is left intact

     ns_verify_tcp()
           msg          the incoming DNS message, which will be modified
           msglen       the length of the DNS message, on input and output
           state        the state of the operation
           required     non-zero value signifies that a TSIG record must be
                        present at this step

     ns_verify_tcp_init()
           k            the (DST_KEY *) to verify the data
           querysig     for a response, the signature contained in the query
           querysiglen  the length of the query signature
           state        the state of the operation, which this initializes

     ns_find_tsig()
           msg          the incoming DNS message
           msglen       the length of the DNS message

RETURN VALUES
     ns_find_tsig() returns a pointer to the TSIG record if one is found, and
     NULL otherwise.

     All other routines return 0 on success, modifying arguments when
     necessary.

     ns_sign() and ns_sign_tcp() return the following errors:
           (-1)                       bad input data
           (-ns_r_badkey)             The key was invalid, or the signing failed
           NS_TSIG_ERROR_NO_SPACE     the message buffer is too small.

     ns_verify() and ns_verify_tcp() return the following errors:
           (-1)                       bad input data
           NS_TSIG_ERROR_FORMERR      The message is malformed
           NS_TSIG_ERROR_NO_TSIG      The message does not contain a TSIG record
           NS_TSIG_ERROR_ID_MISMATCH  The TSIG original ID field does not match
                                      the message ID
           (-ns_r_badkey)             Verification failed due to an invalid key
           (-ns_r_badsig)             Verification failed due to an invalid
                                      signature
           (-ns_r_badtime)            Verification failed due to an invalid
                                      timestamp
           ns_r_badkey                Verification succeeded but the message had
                                      an error of BADKEY
           ns_r_badsig                Verification succeeded but the message had
                                      an error of BADSIG
           ns_r_badtime               Verification succeeded but the message had
                                      an error of BADTIME

SEE ALSO
     resolver(3).

AUTHORS
     Brian Wellington, TISLabs at Network Associates

4th Berkeley Distribution       January 1, 1996       4th Berkeley Distribution
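
EXAMPLE (added here; not part of the original manual page and not the library's source)
     A bounds-checked sketch of the lookup that ns_find_tsig() is described as performing: walk the message between msg and eom and return the final record only if it is a TSIG. The names find_tsig, skip_name and sample_msg are hypothetical; the code assumes the RFC 1035 wire format and the RFC 2845 rule that TSIG (type 250) is the last record of the additional section.

```c
/* Added example: hypothetical find_tsig(), not the libbind implementation. */
#include <stddef.h>
#include <stdint.h>

#define HDR_LEN   12   /* fixed DNS header size (RFC 1035) */
#define TYPE_TSIG 250  /* TSIG RR type (RFC 2845) */

static unsigned rd16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Step over an encoded name; NULL if it is malformed or runs past eom. */
static const uint8_t *skip_name(const uint8_t *p, const uint8_t *eom) {
    while (p < eom) {
        unsigned len = *p;
        if (len == 0) return p + 1;                /* root label ends the name */
        if ((len & 0xC0) == 0xC0)                  /* 2-byte compression pointer ends it */
            return (eom - p >= 2) ? p + 2 : NULL;
        if (len & 0xC0) return NULL;               /* reserved label types */
        if ((size_t)(eom - p) < 1 + len) return NULL;
        p += 1 + len;
    }
    return NULL;
}

/* Pointer to the TSIG record, or NULL if absent, truncated or malformed. */
const uint8_t *find_tsig(const uint8_t *msg, const uint8_t *eom) {
    if (msg == NULL || eom == NULL || eom - msg < HDR_LEN) return NULL;
    unsigned qd = rd16(msg + 4), ar = rd16(msg + 10);
    unsigned long rrs = (unsigned long)rd16(msg + 6) + rd16(msg + 8) + ar;
    if (ar == 0) return NULL;                      /* TSIG lives in the additional section */
    const uint8_t *p = msg + HDR_LEN;
    for (unsigned i = 0; i < qd; i++) {            /* question: name, type(2), class(2) */
        if ((p = skip_name(p, eom)) == NULL || eom - p < 4) return NULL;
        p += 4;
    }
    for (unsigned long i = 0; i < rrs; i++) {
        const uint8_t *rr = p;                     /* start of this record */
        /* fixed part after the name: type(2) class(2) ttl(4) rdlength(2) */
        if ((p = skip_name(p, eom)) == NULL || eom - p < 10) return NULL;
        unsigned type = rd16(p), rdlen = rd16(p + 8);
        p += 10;
        if ((size_t)(eom - p) < rdlen) return NULL; /* RDATA must fit in the buffer */
        p += rdlen;
        if (i == rrs - 1) return type == TYPE_TSIG ? rr : NULL; /* must be last */
    }
    return NULL;
}

/* Constructed sample: one question, one TSIG-typed record (RDATA omitted). */
static const uint8_t sample_msg[] = { 0x12,0x34, 0,0, 0,1, 0,0, 0,0, 0,1,
    7,'e','x','a','m','p','l','e',0, 0,1, 0,1,
    3,'k','e','y',0, 0,250, 0,255, 0,0,0,0, 0,0 };
int main(void) { return find_tsig(sample_msg, sample_msg + sizeof sample_msg) ? 0 : 1; }
```

     Every length read from the message is checked against eom before the pointer advances, so a truncated or hostile packet yields NULL instead of a read past the buffer.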