Module Dns_tsig

DNS TSIG signatures

As specified by RFC 2845

val sign : Dns.Tsig_op.sign

sign ~mac ~max_size name tsig ~key packet buffer signs the given buffer with the provided key, its name, the tsig. The mac argument is expected when a reply to a signed DNS packet should be signed. If signing fails, an error may be produced. The result is a buffer and a mac.

val verify : Dns.Tsig_op.verify

verify ~mac now packet name ~key tsig buffer verifies the buffer using the provided tsig, key and name.

type s = [
  | `Key_algorithm of Dns.Dnskey.t
  | `Tsig_creation
  | `Sign
]

The type for signing errors.

val pp_s : s Fmt.t

pp_s ppf s pretty-prints s on ppf.

val encode_and_sign : ?proto:Dns.proto -> ?mac:string -> Dns.Packet.t -> Ptime.t -> Dns.Dnskey.t -> 'a Domain_name.t -> (string * string, s) Stdlib.result

encode_and_sign ~proto ~mac t now dnskey name signs and encodes the DNS packet. If a reply to a request is signed, the mac argument should be the message authentication code from the request (needed to sign the reply). The returned value is the encoded byte buffer and the mac of the packet (useful for passing into decode_and_verify when receiving a reply to the signed request).

type e = [
  | `Decode of Dns.Packet.err
  | `Unsigned of Dns.Packet.t
  | `Crypto of Dns.Tsig_op.e
  | `Invalid_key of [ `raw ] Domain_name.t * [ `raw ] Domain_name.t
]

The type for decode and verify errors.

val pp_e : e Fmt.t

pp_e ppf e pretty-prints e on ppf.

val decode_and_verify : Ptime.t -> Dns.Dnskey.t -> 'a Domain_name.t -> ?mac:string -> string -> (Dns.Packet.t * Dns.Tsig.t * string, e) Stdlib.result

decode_and_verify now dnskey name ~mac buffer decodes and verifies the given buffer using the key material, resulting in a DNS packet, a signature, and the mac, or a failure. The optional mac argument should be provided if an answer to a signed DNS packet is to be decoded.
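The following is an added example, not code from ocaml-dns itself: it signs a query with encode_and_sign as described above, then decodes and verifies the wire bytes with decode_and_verify as the receiving side would, treating an `Unsigned result as a rejection. It assumes the dns, dns-tsig, domain-name, fmt and ptime (with ptime.clock.os) packages are available; the key name and the base64 secret are constructed placeholders.

```ocaml
(* Added example (not part of ocaml-dns): TSIG-sign a DNS query, then
   verify it. Key name and secret below are constructed placeholders. *)

let key_name = Domain_name.of_string_exn "tsig-key.example"

(* "algorithm:base64-secret" as accepted by Dns.Dnskey.of_string. *)
let dnskey =
  match Dns.Dnskey.of_string
          "hmac-sha256:NotARealKeyNotARealKeyNotARealKeyNotARealKeyABC=" with
  | Ok k -> k
  | Error (`Msg m) -> failwith m

let query =
  let header = (0x1234, Dns.Packet.Flags.singleton `Recursion_desired) in
  let question =
    Dns.Packet.Question.create
      (Domain_name.of_string_exn "www.example") Dns.Rr_map.A
  in
  Dns.Packet.create header question `Query

(* Client side: sign the outgoing query. The returned mac must be kept,
   because the reply to this request is verified against it. *)
let sign_query now =
  match Dns_tsig.encode_and_sign ~proto:`Udp query now dnskey key_name with
  | Ok (wire, mac) -> (wire, mac)
  | Error e -> Fmt.failwith "signing failed: %a" Dns_tsig.pp_s e

(* Receiving side: decode and verify. A packet carrying no TSIG record
   comes back as `Unsigned and is a failure, not an authenticated message;
   `Crypto and `Invalid_key likewise mean the packet must be dropped. *)
let verify_request now wire =
  match Dns_tsig.decode_and_verify now dnskey key_name wire with
  | Ok (packet, _tsig, mac) -> Ok (packet, mac)
  | Error (`Unsigned _) -> Error "packet is not TSIG-signed"
  | Error e -> Error (Fmt.str "%a" Dns_tsig.pp_e e)

let () =
  (* Same timestamp on both sides here; in practice the fudge window in
     the TSIG record bounds the acceptable clock skew. *)
  let now = Ptime_clock.now () in
  let wire, request_mac = sign_query now in
  match verify_request now wire with
  | Ok (packet, _mac) ->
    Fmt.pr "verified: %a@." Dns.Packet.pp packet;
    (* A reply is signed with encode_and_sign ~mac:request_mac, and the
       client verifies it with decode_and_verify ~mac:request_mac. *)
    ignore request_mac
  | Error msg -> Fmt.epr "rejected: %s@." msg
```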