ns_sign(3RESOLV) Resolver Library Functions ns_sign(3RESOLV)NAME
ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
ns_verify_tcp_init, ns_find_tsig - TSIG system
SYNOPSIS
cc [ flag... ] file... -lresolv -lsocket -lnsl [ library...]
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
const u_char *querysig, int querysiglen, u_char *sig, int *siglen,
time_t in_timesigned);
int ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
ns_tcp_tsig_state *state, int done);
int ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
ns_tcp_tsig_state *state);
int ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
int nostrip);
int ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
int required);
int ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
ns_tcp_tsig_state *state);
u_char *ns_find_tsig(u_char *msg, u_char *eom);
PARAMETERSns_sign()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
msgsize the size of the buffer containing the DNS message on
input
error the value to be placed in the TSIG error field
k the (DST_KEY *) to sign the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
sig a buffer to be filled with the generated signature
siglen the length of the signature buffer on input, the signa‐
ture length on output
ns_sign_tcp()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
msgsize the size of the buffer containing the DNS message on input
error the value to be placed in the TSIG error field
state the state of the operation
done non-zero value signifies that this is the last packet
ns_sign_tcp_init()
k the (DST_KEY *) to sign the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
state the state of the operation, which this initializes
ns_verify()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
k the (DST_KEY *) to sign the data
querysig for a response, the signature contained in the query
querysiglen the length of the query signature
sig a buffer to be filled with the signature contained
siglen the length of the signature buffer on input, the signa‐
ture length on output
nostrip non-zero value means that the TSIG is left intact
ns_verify_tcp()
msg the incoming DNS message, which will be modified
msglen the length of the DNS message, on input and output
state the state of the operation
required non-zero value signifies that a TSIG record must be present
at this step
ns_verify_tcp_init()
k the (DST_KEY *) to verify the dat
querysig for a response, the signature contained in the quer
querysiglen the length of the query signature
state the state of the operation, which this initializes
ns_find_tsig()
msg the incoming DNS messag
eom the length of the DNS message
DESCRIPTION
The TSIG functions are used to implement transaction/request security
of DNS messages.
The ns_sign() and ns_verify() functions are the basic routines. The
ns_sign_tcp() and ns_verify_tcp() functions are used to sign/verify TCP
messages that may be split into multiple packets, such as zone trans‐
fers. The ns_sign_tcp_init() and ns_verify_tcp_init() functions ini‐
tialize the state structure necessary for TCP operations. The
ns_find_tsig() function locates the TSIG record in a message if one is
present.
RETURN VALUES
The ns_find_tsig() function returns a pointer to the TSIG record if one
is found, and NULL otherwise.
All other functions return 0 on success, modifying arguments when nec‐
essary.
The ns_sign() and ns_sign_tcp() functions return the following values:
-1 bad input data
-ns_r_badkey The key was invalid or the signing failed.
NS_TSIG_ERROR_NO_SPACE The message buffer is too small.
The ns_verify() and ns_verify_tcp() functions return the following val‐
ues:
-1 bad input data
NS_TSIG_ERROR_FORMERR The message is malformed.
NS_TSIG_ERROR_NO_TSIG The message does not contain a TSIG
record.
NS_TSIG_ERROR_ID_MISMATCH The TSIG original ID field does not match
the message ID.
-ns_r_badkey Verification failed due to an invalid key.
-ns_r_badsig Verification failed due to an invalid sig‐
nature.
-ns_r_badtime Verification failed due to an invalid
timestamp.
ns_r_badkey Verification succeeded but the message had
an error of BADKEY.
ns_r_badsig Verification succeeded but the message had
an error of BADSIG.
ns_r_badtime Verification succeeded but the message had
an error of BADTIME.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
├─────────────────────────────┼─────────────────────────────┤
│MT-Level │MT-Safe │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOresolver(3RESOLV), attributes(5)SunOS 5.11 11 Nov 2009 ns_sign(3RESOLV)
