DNS TSIG signatures
As specified by RFC 2845
val sign : Dns.Tsig_op.sign
sign ~mac ~max_size name tsig ~key packet buffer signs the given
buffer with the provided
mac argument is expected when a reply to a signed DNS packet should be signed. If signing fails, an error may be produced. The result is a buffer and a mac.
val verify : Dns.Tsig_op.verify
verify ~mac now packet name ~key tsig buffer verifies the
buffer using the provided
type s = [
  | `Key_algorithm of Dns.Dnskey.t
]
The type for signing errors.
val encode_and_sign : ?proto:Dns.proto -> ?mac:Cstruct.t -> Dns.Packet.t -> Ptime.t -> Dns.Dnskey.t -> 'a Domain_name.t -> (Cstruct.t * Cstruct.t, s) result
encode_and_sign ~proto ~mac t now dnskey name signs and encodes the DNS packet. If a reply to a request is signed, the mac argument should be the message authentication code from the request (needed to sign the reply). The returned value is the encoded byte buffer and the mac of the packet (useful for passing into decode_and_verify when receiving a reply to the signed request).
type e = [
  | `Decode of Dns.Packet.err
  | `Unsigned of Dns.Packet.t
  | `Crypto of Dns.Tsig_op.e
  | `Invalid_key of [ `raw ] Domain_name.t * [ `raw ] Domain_name.t
]
The type for decode and verify errors.
val decode_and_verify : Ptime.t -> Dns.Dnskey.t -> 'a Domain_name.t -> ?mac:Cstruct.t -> Cstruct.t -> (Dns.Packet.t * Dns.Tsig.t * Cstruct.t, e) result
decode_and_verify now dnskey name ~mac buffer decodes and verifies the given buffer using the key material, resulting in a DNS packet, a signature, and the mac, or a failure. The optional mac argument should be provided if an answer to a signed DNS packet is to be decoded.
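The request/reply MAC chaining described for encode_and_sign and decode_and_verify, as an added example that is not part of the library's documentation. It assumes the module is exposed as Dns_tsig and that the caller supplies the packets, the shared key and its name; exchange, sign_error and verify_error are hypothetical helper names.

```ocaml
(* Added example. Assumes the module documented above is Dns_tsig. *)

let ( let* ) = Result.bind

(* Map the documented error variants to short messages. *)
let sign_error = function
  | `Key_algorithm _ -> "sign: key algorithm rejected"

let verify_error = function
  | `Decode _ -> "verify: packet could not be decoded"
  | `Unsigned _ -> "verify: packet carries no TSIG signature"
  | `Crypto _ -> "verify: TSIG check failed"
  | `Invalid_key _ -> "verify: invalid key"

(* Both ends hold the same [key] under [key_name]. [request] and [reply]
   are Dns.Packet.t values built by the caller, [now] is a Ptime.t. *)
let exchange ~now ~key ~key_name ~request ~reply =
  (* Client: sign the request and keep its MAC for the reply check. *)
  let* req_buf, req_mac =
    Dns_tsig.encode_and_sign request now key key_name
    |> Result.map_error sign_error
  in
  (* Server: verify the request. No ~mac here, it is not a reply. *)
  let* _req, _tsig, srv_mac =
    Dns_tsig.decode_and_verify now key key_name req_buf
    |> Result.map_error verify_error
  in
  (* Server: sign the reply, binding it to the request's MAC. *)
  let* rep_buf, _rep_mac =
    Dns_tsig.encode_and_sign ~mac:srv_mac reply now key key_name
    |> Result.map_error sign_error
  in
  (* Client: verify the reply against the MAC of its own request. *)
  let* rep, _tsig, _mac =
    Dns_tsig.decode_and_verify now key key_name ~mac:req_mac rep_buf
    |> Result.map_error verify_error
  in
  Ok rep
```

An `Unsigned result should be treated as a rejection on any channel where TSIG is required, not as a packet to fall back on.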