pub struct TSIG { /* private fields */ }Available on crate feature
dnssec only.Expand description
RFC 8945, Secret Key Transaction Authentication for DNS
4.2. TSIG Record Format
The fields of the TSIG RR are described below. All multi-octet
integers in the record are sent in network byte order (see
Section 2.3.2 of [RFC1035]).
NAME: The name of the key used, in domain name syntax. The name
should reflect the names of the hosts and uniquely identify the
key among a set of keys these two hosts may share at any given
time. For example, if hosts A.site.example and B.example.net
share a key, possibilities for the key name include
<id>.A.site.example, <id>.B.example.net, and
<id>.A.site.example.B.example.net. It should be possible for more
than one key to be in simultaneous use among a set of interacting
hosts. This allows for periodic key rotation as per best
operational practices, as well as algorithm agility as indicated
by [RFC7696].
The name may be used as a local index to the key involved, but it
is recommended that it be globally unique. Where a key is just
shared between two hosts, its name actually need only be
meaningful to them, but it is recommended that the key name be
mnemonic and incorporate the names of participating agents or
resources as suggested above.
TYPE: This MUST be TSIG (250: Transaction SIGnature).
CLASS: This MUST be ANY.
TTL: This MUST be 0.
RDLENGTH: (variable)
RDATA: The RDATA for a TSIG RR consists of a number of fields,
described below:
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ Algorithm Name /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | Fudge |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| MAC Size | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Original ID | Error |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Other Len | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The contents of the RDATA fields are:
Algorithm Name:
an octet sequence identifying the TSIG algorithm in the domain
name syntax. (Allowed names are listed in Table 3.) The name is
stored in the DNS name wire format as described in [RFC1034]. As
per [RFC3597], this name MUST NOT be compressed.
Time Signed:
an unsigned 48-bit integer containing the time the message was
signed as seconds since 00:00 on 1970-01-01 UTC, ignoring leap
seconds.
Fudge:
an unsigned 16-bit integer specifying the allowed time difference
in seconds permitted in the Time Signed field.
MAC Size:
an unsigned 16-bit integer giving the length of the MAC field in
octets. Truncation is indicated by a MAC Size less than the size
of the keyed hash produced by the algorithm specified by the
Algorithm Name.
MAC:
a sequence of octets whose contents are defined by the TSIG
algorithm used, possibly truncated as specified by the MAC Size.
The length of this field is given by the MAC Size. Calculation of
the MAC is detailed in Section 4.3.
Original ID:
an unsigned 16-bit integer holding the message ID of the original
request message. For a TSIG RR on a request, it is set equal to
the DNS message ID. In a TSIG attached to a response -- or in
cases such as the forwarding of a dynamic update request -- the
field contains the ID of the original DNS request.
Error:
in responses, an unsigned 16-bit integer containing the extended
RCODE covering TSIG processing. In requests, this MUST be zero.
Other Len:
an unsigned 16-bit integer specifying the length of the Other Data
field in octets.
Other Data:
additional data relevant to the TSIG record. In responses, this
will be empty (i.e., Other Len will be zero) unless the content of
the Error field is BADTIME, in which case it will be a 48-bit
unsigned integer containing the server's current time as the
number of seconds since 00:00 on 1970-01-01 UTC, ignoring leap
seconds (see Section 5.2.3). This document assigns no meaning to
its contents in requests.
Implementations§
source§impl TSIG
impl TSIG
sourcepub fn new(
algorithm: TsigAlgorithm,
time: u64,
fudge: u16,
mac: Vec<u8>,
oid: u16,
error: u16,
other: Vec<u8>
) -> Self
pub fn new( algorithm: TsigAlgorithm, time: u64, fudge: u16, mac: Vec<u8>, oid: u16, error: u16, other: Vec<u8> ) -> Self
Constructs a new TSIG
RFC 8945, Secret Key Transaction Authentication for DNS
4.1. TSIG RR Type
To provide secret key authentication, we use an RR type whose
mnemonic is TSIG and whose type code is 250. TSIG is a meta-RR and
MUST NOT be cached. TSIG RRs are used for authentication between DNS
entities that have established a shared secret key. TSIG RRs are
dynamically computed to cover a particular DNS transaction and are
not DNS RRs in the usual sense.
As the TSIG RRs are related to one DNS request/response, there is no
value in storing or retransmitting them; thus, the TSIG RR is
discarded once it has been used to authenticate a DNS message.
sourcepub fn algorithm(&self) -> &TsigAlgorithm
pub fn algorithm(&self) -> &TsigAlgorithm
Returns the algorithm used for the authentication code
sourcepub fn emit_tsig_for_mac(
&self,
encoder: &mut BinEncoder<'_>,
key_name: &Name
) -> ProtoResult<()>
pub fn emit_tsig_for_mac( &self, encoder: &mut BinEncoder<'_>, key_name: &Name ) -> ProtoResult<()>
Emit TSIG RR and RDATA as used for computing MAC
4.3.3. TSIG Variables
Also included in the digest is certain information present in the
TSIG RR. Adding this data provides further protection against an
attempt to interfere with the message.
+============+================+====================================+
| Source | Field Name | Notes |
+============+================+====================================+
| TSIG RR | NAME | Key name, in canonical wire format |
+------------+----------------+------------------------------------+
| TSIG RR | CLASS | MUST be ANY |
+------------+----------------+------------------------------------+
| TSIG RR | TTL | MUST be 0 |
+------------+----------------+------------------------------------+
| TSIG RDATA | Algorithm Name | in canonical wire format |
+------------+----------------+------------------------------------+
| TSIG RDATA | Time Signed | in network byte order |
+------------+----------------+------------------------------------+
| TSIG RDATA | Fudge | in network byte order |
+------------+----------------+------------------------------------+
| TSIG RDATA | Error | in network byte order |
+------------+----------------+------------------------------------+
| TSIG RDATA | Other Len | in network byte order |
+------------+----------------+------------------------------------+
| TSIG RDATA | Other Data | exactly as transmitted |
+------------+----------------+------------------------------------+
Trait Implementations§
source§impl BinEncodable for TSIG
impl BinEncodable for TSIG
source§fn emit(&self, encoder: &mut BinEncoder<'_>) -> ProtoResult<()>
fn emit(&self, encoder: &mut BinEncoder<'_>) -> ProtoResult<()>
Write the RData from the given Encoder
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ Algorithm Name /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Time Signed +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | Fudge |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| MAC Size | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ MAC /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Original ID | Error |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Other Len | /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Other Data /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
source§impl<'de> Deserialize<'de> for TSIG
impl<'de> Deserialize<'de> for TSIG
source§fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where
__D: Deserializer<'de>,
fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>where
__D: Deserializer<'de>,
Deserialize this value from the given Serde deserializer. Read more
source§impl PartialEq for TSIG
impl PartialEq for TSIG
source§impl RecordData for TSIG
impl RecordData for TSIG
source§fn try_from_rdata(data: RData) -> Result<Self, RData>
fn try_from_rdata(data: RData) -> Result<Self, RData>
Attempts to convert to this RecordData from the RData type, if it is not the correct type the original is returned
source§fn try_borrow(data: &RData) -> Option<&Self>
fn try_borrow(data: &RData) -> Option<&Self>
Attempts to borrow this RecordData from the RData type, if it is not the correct type the original is returned
source§fn record_type(&self) -> RecordType
fn record_type(&self) -> RecordType
Get the associated RecordType for the RecordData
source§fn into_rdata(self) -> RData
fn into_rdata(self) -> RData
Converts this RecordData into generic RecordData
impl Eq for TSIG
impl StructuralPartialEq for TSIG
Auto Trait Implementations§
impl Freeze for TSIG
impl RefUnwindSafe for TSIG
impl Send for TSIG
impl Sync for TSIG
impl Unpin for TSIG
impl UnwindSafe for TSIG
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value. Read more
source§impl<Q, K> Equivalent<K> for Q
impl<Q, K> Equivalent<K> for Q
source§impl<Q, K> Equivalent<K> for Q
impl<Q, K> Equivalent<K> for Q
source§fn equivalent(&self, key: &K) -> bool
fn equivalent(&self, key: &K) -> bool
Compare self to
key and return true if they are equal.