xref: /netbsd-src/external/bsd/libbind/dist/doc/tsig.cat3 (revision 5bbd2a12505d72a8177929a37b5cee489d0a1cfd)
TSIG                                 LOCAL                                TSIG

NAME
     ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
     ns_verify_tcp_init, ns_find_tsig -- TSIG system

SYNOPSIS
     int
     ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
         const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
         time_t in_timesigned);

     int
     ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
         ns_tcp_tsig_state *state, int done);

     int
     ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
         ns_tcp_tsig_state *state);

     int
     ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
         int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
         int nostrip);

     int
     ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
         int required);

     int
     ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
         ns_tcp_tsig_state *state);

     u_char *
     ns_find_tsig(u_char *msg, u_char *eom);

DESCRIPTION
     The TSIG routines are used to implement transaction/request security of
     DNS messages.

     ns_sign() and ns_verify() are the basic routines.  ns_sign_tcp() and
     ns_verify_tcp() are used to sign/verify TCP messages that may be split
     into multiple packets, such as zone transfers; ns_sign_tcp_init() and
     ns_verify_tcp_init() initialize the state structure necessary for TCP
     operations.  ns_find_tsig() locates the TSIG record in a message, if one
     is present.

     ns_sign()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           msgsize        the size of the buffer containing the DNS message on
                          input
           error          the value to be placed in the TSIG error field
           k              the (DST_KEY *) to sign the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           sig            a buffer to be filled with the generated signature
           siglen         the length of the signature buffer on input, the
                          signature length on output

     ns_sign_tcp()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           msgsize        the size of the buffer containing the DNS message on
                          input
           error          the value to be placed in the TSIG error field
           state          the state of the operation
           done           non-zero value signifies that this is the last
                          packet

     ns_sign_tcp_init()
           k              the (DST_KEY *) to sign the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           state          the state of the operation, which this initializes

     ns_verify()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           k              the (DST_KEY *) to verify the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           sig            a buffer to be filled with the signature contained
                          in the message
           siglen         the length of the signature buffer on input, the
                          signature length on output
           nostrip        non-zero value means that the TSIG is left intact

     ns_verify_tcp()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           state          the state of the operation
           required       non-zero value signifies that a TSIG record must be
                          present at this step

     ns_verify_tcp_init()
           k              the (DST_KEY *) to verify the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           state          the state of the operation, which this initializes

     ns_find_tsig()
           msg            the incoming DNS message
           eom            pointer to the end of the DNS message

RETURN VALUES
     ns_find_tsig() returns a pointer to the TSIG record if one is found, and
     NULL otherwise.

     All other routines return 0 on success, modifying arguments when
     necessary.

     ns_sign() and ns_sign_tcp() return the following errors:
           (-1)                    bad input data
           (-ns_r_badkey)          The key was invalid, or the signing failed
           NS_TSIG_ERROR_NO_SPACE  the message buffer is too small.

     ns_verify() and ns_verify_tcp() return the following errors:
           (-1)                    bad input data
           NS_TSIG_ERROR_FORMERR   The message is malformed
           NS_TSIG_ERROR_NO_TSIG   The message does not contain a TSIG record
           NS_TSIG_ERROR_ID_MISMATCH
                                   The TSIG original ID field does not match
                                   the message ID
           (-ns_r_badkey)          Verification failed due to an invalid key
           (-ns_r_badsig)          Verification failed due to an invalid
                                   signature
           (-ns_r_badtime)         Verification failed due to an invalid
                                   timestamp
           ns_r_badkey             Verification succeeded but the message had
                                   an error of BADKEY
           ns_r_badsig             Verification succeeded but the message had
                                   an error of BADSIG
           ns_r_badtime            Verification succeeded but the message had
                                   an error of BADTIME

     Note that the last three values are non-zero as well: only a return of 0
     indicates a message that verified and carried no TSIG error.

SEE ALSO
     resolver(3).

AUTHORS
     Brian Wellington, TISLabs at Network Associates

4th Berkeley Distribution       January 1, 1996      4th Berkeley Distribution