Dns_tsig

DNS TSIG signatures, as specified by RFC 2845.
val sign : Dns.Tsig_op.sign

`sign ~mac ~max_size name tsig ~key packet buffer` signs the given `buffer` with the provided `key`, its `name` and the `tsig`. The `mac` argument is expected when a reply to a signed DNS packet should be signed. If signing fails, an error may be produced. The result is a buffer and a mac.
val verify : Dns.Tsig_op.verify

`verify ~mac now packet name ~key tsig buffer` verifies the `buffer` using the provided `tsig`, `key` and `name`.
The type for signing errors.
val pp_s : s Fmt.t

`pp_s ppf s` pretty-prints `s` on `ppf`.
val encode_and_sign :
  ?proto:Dns.proto ->
  ?mac:string ->
  Dns.Packet.t ->
  Ptime.t ->
  Dns.Dnskey.t ->
  'a Domain_name.t ->
  (string * string, s) Stdlib.result

`encode_and_sign ~proto ~mac t now dnskey name` signs and encodes the DNS packet `t`. If a reply to a request is signed, the `mac` argument should be the message authentication code from the request (needed to sign the reply). The returned value is the encoded byte buffer and the mac of the packet (useful for passing into `decode_and_verify` when receiving a reply to the signed request).
type e = [
  | `Decode of Dns.Packet.err
  | `Unsigned of Dns.Packet.t
  | `Crypto of Dns.Tsig_op.e
  | `Invalid_key of [ `raw ] Domain_name.t * [ `raw ] Domain_name.t
]

The type for decode and verify errors.

val pp_e : e Fmt.t

`pp_e ppf e` pretty-prints `e` on `ppf`.
val decode_and_verify :
  Ptime.t ->
  Dns.Dnskey.t ->
  'a Domain_name.t ->
  ?mac:string ->
  string ->
  (Dns.Packet.t * Dns.Tsig.t * string, e) Stdlib.result

`decode_and_verify now dnskey name ~mac buffer` decodes and verifies the given `buffer` using the key material, resulting in a DNS packet, a signature and the mac, or a failure. The optional `mac` argument should be provided (the mac returned when the request was signed) if an answer to a signed DNS packet is to be decoded.
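The request/reply mac chaining described for `encode_and_sign` and `decode_and_verify`, as an added OCaml example that is not code from this documentation or from the ocaml-dns project. It assumes `Dns.Packet.create`, `Dns.Packet.Question.create`, `Dns.Packet.Flags`, `Dns.Rr_map.A`, `Dns.Dnskey.of_string` (taking an "algorithm:base64" string) and `Ptime_clock.now` from the wider library, none of which appear on this page; the key material and transaction id are constructed.

```ocaml
(* Added example: sign a query, keep the request mac, and use that mac to
   verify the server's signed reply. Assumed from the wider Dns library (not
   on this page): Dns.Packet.create, Dns.Packet.Question.create,
   Dns.Packet.Flags, Dns.Rr_map.A, Dns.Dnskey.of_string, Ptime_clock.now. *)

let key_name = Domain_name.of_string_exn "transfer.example"

(* Constructed key for illustration only: base64 of 16 zero bytes. *)
let dnskey =
  match Dns.Dnskey.of_string "hmac-sha256:AAAAAAAAAAAAAAAAAAAAAA==" with
  | Ok k -> k
  | Error (`Msg m) -> failwith m

(* A plain A query for example.org with a constructed transaction id. *)
let query =
  let header = 0x1234, Dns.Packet.Flags.singleton `Recursion_desired in
  let question =
    Dns.Packet.Question.create
      (Domain_name.of_string_exn "example.org") Dns.Rr_map.A
  in
  Dns.Packet.create header question `Query

(* Client side: no ~mac on a fresh request. The second component of the
   result is the request mac, which must be retained until the reply arrives
   because the reply's signature covers it. *)
let signed_query, request_mac =
  match Dns_tsig.encode_and_sign query (Ptime_clock.now ()) dnskey key_name with
  | Ok (buf, mac) -> buf, mac
  | Error e -> Fmt.failwith "sign: %a" Dns_tsig.pp_s e

(* Client side, on receiving [reply_buf] for [signed_query]. Passing
   ~mac:request_mac is what ties the reply to our request; leaving it out
   makes verification of a reply to a signed request fail. *)
let verify_reply reply_buf =
  match
    Dns_tsig.decode_and_verify (Ptime_clock.now ()) dnskey key_name
      ~mac:request_mac reply_buf
  with
  | Ok (packet, _tsig, _reply_mac) -> Ok packet
  | Error e -> Fmt.error_msg "verify: %a" Dns_tsig.pp_e e
```

A server answering `signed_query` does the mirror image: it calls `decode_and_verify` on the request without `~mac`, then signs its answer with `encode_and_sign ~mac:<request mac>`, the third component of its verification result.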