pub struct TSIG { /* private fields */ }
Available on crate feature dnssec only.

RFC 8945, Secret Key Transaction Authentication for DNS

  4.2.  TSIG Record Format

  The fields of the TSIG RR are described below.  All multi-octet
  integers in the record are sent in network byte order (see
  Section 2.3.2 of [RFC1035]).

  NAME:  The name of the key used, in domain name syntax.  The name
     should reflect the names of the hosts and uniquely identify the
     key among a set of keys these two hosts may share at any given
     time.  For example, if hosts A.site.example and B.example.net
     share a key, possibilities for the key name include
     <id>.A.site.example, <id>.B.example.net, and
     <id>.A.site.example.B.example.net.  It should be possible for more
     than one key to be in simultaneous use among a set of interacting
     hosts.  This allows for periodic key rotation as per best
     operational practices, as well as algorithm agility as indicated
     by [RFC7696].

     The name may be used as a local index to the key involved, but it
     is recommended that it be globally unique.  Where a key is just
     shared between two hosts, its name actually need only be
     meaningful to them, but it is recommended that the key name be
     mnemonic and incorporate the names of participating agents or
     resources as suggested above.

  TYPE:  This MUST be TSIG (250: Transaction SIGnature).

  CLASS:  This MUST be ANY.

  TTL:  This MUST be 0.

  RDLENGTH:  (variable)

  RDATA:  The RDATA for a TSIG RR consists of a number of fields,
     described below:

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      /                         Algorithm Name                        /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                                                               |
      |          Time Signed          +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |                               |            Fudge              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          MAC Size             |                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+             MAC               /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Original ID          |            Error              |
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      |          Other Len            |                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+           Other Data          /
      /                                                               /
      +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

  The contents of the RDATA fields are:

  Algorithm Name:
     an octet sequence identifying the TSIG algorithm in the domain
     name syntax.  (Allowed names are listed in Table 3.)  The name is
     stored in the DNS name wire format as described in [RFC1034].  As
     per [RFC3597], this name MUST NOT be compressed.

  Time Signed:
     an unsigned 48-bit integer containing the time the message was
     signed as seconds since 00:00 on 1970-01-01 UTC, ignoring leap
     seconds.

  Fudge:
     an unsigned 16-bit integer specifying the allowed time difference
     in seconds permitted in the Time Signed field.

  MAC Size:
     an unsigned 16-bit integer giving the length of the MAC field in
     octets.  Truncation is indicated by a MAC Size less than the size
     of the keyed hash produced by the algorithm specified by the
     Algorithm Name.

  MAC:
     a sequence of octets whose contents are defined by the TSIG
     algorithm used, possibly truncated as specified by the MAC Size.
     The length of this field is given by the MAC Size.  Calculation of
     the MAC is detailed in Section 4.3.

  Original ID:
     an unsigned 16-bit integer holding the message ID of the original
     request message.  For a TSIG RR on a request, it is set equal to
     the DNS message ID.  In a TSIG attached to a response -- or in
     cases such as the forwarding of a dynamic update request -- the
     field contains the ID of the original DNS request.

  Error:
     in responses, an unsigned 16-bit integer containing the extended
     RCODE covering TSIG processing.  In requests, this MUST be zero.

  Other Len:
     an unsigned 16-bit integer specifying the length of the Other Data
     field in octets.

  Other Data:
     additional data relevant to the TSIG record.  In responses, this
     will be empty (i.e., Other Len will be zero) unless the content of
     the Error field is BADTIME, in which case it will be a 48-bit
     unsigned integer containing the server's current time as the
     number of seconds since 00:00 on 1970-01-01 UTC, ignoring leap
     seconds (see Section 5.2.3).  This document assigns no meaning to
     its contents in requests.

Implementations

Constructs a new TSIG

RFC 8945, Secret Key Transaction Authentication for DNS

4.1.  TSIG RR Type

  To provide secret key authentication, we use an RR type whose
  mnemonic is TSIG and whose type code is 250.  TSIG is a meta-RR and
  MUST NOT be cached.  TSIG RRs are used for authentication between DNS
  entities that have established a shared secret key.  TSIG RRs are
  dynamically computed to cover a particular DNS transaction and are
  not DNS RRs in the usual sense.

  As the TSIG RRs are related to one DNS request/response, there is no
  value in storing or retransmitting them; thus, the TSIG RR is
  discarded once it has been used to authenticate a DNS message.

Returns the MAC in this TSIG

Returns the time at which this TSIG was generated (the Time Signed field)

Returns the fudge: the maximum time delta, in seconds, that the remote side will accept when validating the signature

Returns the algorithm used for the authentication code

Emits the TSIG RR and RDATA fields as used for computing the MAC

4.3.3.  TSIG Variables

   Also included in the digest is certain information present in the
   TSIG RR.  Adding this data provides further protection against an
   attempt to interfere with the message.

   +============+================+====================================+
   | Source     | Field Name     | Notes                              |
   +============+================+====================================+
   | TSIG RR    | NAME           | Key name, in canonical wire format |
   +------------+----------------+------------------------------------+
   | TSIG RR    | CLASS          | MUST be ANY                        |
   +------------+----------------+------------------------------------+
   | TSIG RR    | TTL            | MUST be 0                          |
   +------------+----------------+------------------------------------+
   | TSIG RDATA | Algorithm Name | in canonical wire format           |
   +------------+----------------+------------------------------------+
   | TSIG RDATA | Time Signed    | in network byte order              |
   +------------+----------------+------------------------------------+
   | TSIG RDATA | Fudge          | in network byte order              |
   +------------+----------------+------------------------------------+
   | TSIG RDATA | Error          | in network byte order              |
   +------------+----------------+------------------------------------+
   | TSIG RDATA | Other Len      | in network byte order              |
   +------------+----------------+------------------------------------+
   | TSIG RDATA | Other Data     | exactly as transmitted             |
   +------------+----------------+------------------------------------+
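A worked encoding of both the RDATA layout from 4.2 and the digest variables from 4.3.3, added here as an example; it is not code from this crate, and the TsigRdata type and the canonical_name, to_wire and digest_variables names are assumptions of the example:

```rust
// Added example, not this crate's code: TSIG RDATA (RFC 8945 4.2) and MAC variables (4.3.3).
#[derive(Debug, Clone, PartialEq)]
pub struct TsigRdata {
    pub algorithm: String, // e.g. "hmac-sha256."
    pub time_signed: u64,  // seconds since the epoch, must fit in 48 bits
    pub fudge: u16,
    pub mac: Vec<u8>,      // possibly truncated keyed hash
    pub original_id: u16,
    pub error: u16,        // 0 in requests, extended RCODE in responses
    pub other: Vec<u8>,    // 6-byte server time when error is BADTIME
}
/// Canonical, uncompressed wire name: lowercased labels, length-prefixed, root-terminated.
pub fn canonical_name(name: &str) -> Vec<u8> {
    let mut out = Vec::new();
    for label in name.trim_end_matches('.').split('.').filter(|l| !l.is_empty()) {
        out.push(label.len() as u8); // labels are at most 63 octets; not validated here
        out.extend(label.to_ascii_lowercase().as_bytes());
    }
    out.push(0);
    out
}
impl TsigRdata {
    /// The RDATA exactly as it goes on the wire, field order per 4.2.
    pub fn to_wire(&self) -> Vec<u8> {
        let mut out = canonical_name(&self.algorithm);
        out.extend(&self.time_signed.to_be_bytes()[2..]); // low 48 bits, big-endian
        out.extend(self.fudge.to_be_bytes());
        out.extend((self.mac.len() as u16).to_be_bytes()); // MAC Size
        out.extend(&self.mac);
        out.extend(self.original_id.to_be_bytes());
        out.extend(self.error.to_be_bytes());
        out.extend((self.other.len() as u16).to_be_bytes()); // Other Len
        out.extend(&self.other);
        out
    }
    /// Bytes appended to the message for the MAC (4.3.3): key NAME, CLASS ANY, TTL 0,
    /// then the RDATA without MAC Size, MAC and Original ID (the MAC never covers itself).
    pub fn digest_variables(&self, key_name: &str) -> Vec<u8> {
        let mut out = canonical_name(key_name);
        out.extend(255u16.to_be_bytes()); // CLASS ANY
        out.extend(0u32.to_be_bytes()); // TTL 0
        out.extend(canonical_name(&self.algorithm));
        out.extend(&self.time_signed.to_be_bytes()[2..]);
        out.extend(self.fudge.to_be_bytes());
        out.extend(self.error.to_be_bytes());
        out.extend((self.other.len() as u16).to_be_bytes());
        out.extend(&self.other);
        out
    }
}
```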

Adds the actual MAC value to the existing TSIG record data.

Arguments
  • mac - the MAC to be stored in this record.

Trait Implementations

Returns a copy of the value.

Performs copy-assignment from source.

Formats the value using the given formatter.

Deserialize this value from the given Serde deserializer.

Formats the value using the given formatter.

Feeds this value into the given Hasher.

Feeds a slice of this type into the given Hasher.

This method tests for self and other values to be equal, and is used by ==.

This method tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

Serialize this value into the given Serde serializer.
