TSIG(2)                    UNIX Programmer's Manual                    TSIG(2)

NAME
     ns_sign, ns_sign_tcp, ns_sign_tcp_init, ns_verify, ns_verify_tcp,
     ns_verify_tcp_init, ns_find_tsig - TSIG system

SYNOPSIS
     int
     ns_sign(u_char *msg, int *msglen, int msgsize, int error, void *k,
             const u_char *querysig, int querysiglen, u_char *sig,
             int *siglen, time_t in_timesigned)

     int
     ns_sign_tcp(u_char *msg, int *msglen, int msgsize, int error,
             ns_tcp_tsig_state *state, int done)

     int
     ns_sign_tcp_init(void *k, const u_char *querysig, int querysiglen,
             ns_tcp_tsig_state *state)

     int
     ns_verify(u_char *msg, int *msglen, void *k, const u_char *querysig,
             int querysiglen, u_char *sig, int *siglen, time_t in_timesigned,
             int nostrip)

     int
     ns_verify_tcp(u_char *msg, int *msglen, ns_tcp_tsig_state *state,
             int required)

     int
     ns_verify_tcp_init(void *k, const u_char *querysig, int querysiglen,
             ns_tcp_tsig_state *state)

     u_char *
     ns_find_tsig(u_char *msg, u_char *eom)

DESCRIPTION
     The TSIG routines are used to implement transaction/request security of
     DNS messages.

     ns_sign() and ns_verify() are the basic routines.  ns_sign_tcp() and
     ns_verify_tcp() are used to sign/verify TCP messages that may be split
     into multiple packets, such as zone transfers, and ns_sign_tcp_init() and
     ns_verify_tcp_init() initialize the state structure necessary for TCP
     operations.  ns_find_tsig() locates the TSIG record in a message, if one
     is present.

     ns_sign()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           msgsize        the size of the buffer containing the DNS message on
                          input
           error          the value to be placed in the TSIG error field
           k              the (DST_KEY *) to sign the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           sig            a buffer to be filled with the generated signature
           siglen         the length of the signature buffer on input, the
                          signature length on output

     ns_sign_tcp()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           msgsize        the size of the buffer containing the DNS message on
                          input
           error          the value to be placed in the TSIG error field
           state          the state of the operation
           done           non-zero value signifies that this is the last
                          packet

     ns_sign_tcp_init()
           k              the (DST_KEY *) to sign the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           state          the state of the operation, which this initializes

     ns_verify()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           k              the (DST_KEY *) to verify the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           sig            a buffer to be filled with the signature contained
                          in the message
           siglen         the length of the signature buffer on input, the
                          signature length on output
           nostrip        non-zero value means that the TSIG is left intact

     ns_verify_tcp()
           msg            the incoming DNS message, which will be modified
           msglen         the length of the DNS message, on input and output
           state          the state of the operation
           required       non-zero value signifies that a TSIG record must be
                          present at this step

     ns_verify_tcp_init()
           k              the (DST_KEY *) to verify the data
           querysig       for a response, the signature contained in the query
           querysiglen    the length of the query signature
           state          the state of the operation, which this initializes

     ns_find_tsig()
           msg            the incoming DNS message
           eom            a pointer to the end of the DNS message

RETURN VALUES
     ns_find_tsig() returns a pointer to the TSIG record if one is found, and
     NULL otherwise.

     All other routines return 0 on success, modifying arguments when
     necessary.

     ns_sign() and ns_sign_tcp() return the following errors:
           (-1)                    bad input data
           (-ns_r_badkey)          The key was invalid, or the signing failed
           NS_TSIG_ERROR_NO_SPACE  the message buffer is too small.

     ns_verify() and ns_verify_tcp() return the following errors:
           (-1)                    bad input data
           NS_TSIG_ERROR_FORMERR   The message is malformed
           NS_TSIG_ERROR_NO_TSIG   The message does not contain a TSIG record
           NS_TSIG_ERROR_ID_MISMATCH
                                   The TSIG original ID field does not match
                                   the message ID
           (-ns_r_badkey)          Verification failed due to an invalid key
           (-ns_r_badsig)          Verification failed due to an invalid
                                   signature
           (-ns_r_badtime)         Verification failed due to an invalid
                                   timestamp
           ns_r_badkey             Verification succeeded but the message had
                                   an error of BADKEY
           ns_r_badsig             Verification succeeded but the message had
                                   an error of BADSIG
           ns_r_badtime            Verification succeeded but the message had
                                   an error of BADTIME

SEE ALSO
     resolver(3).

AUTHORS
     Brian Wellington, TISLabs at Network Associates

4th Berkeley Distribution       January 1, 1996                              1