Trait domain::validate::RrsigExt

pub trait RrsigExt: Compose {
    fn signed_data<N: ToDname, D: RecordData, B: OctetsBuilder>(
        &self, 
        buf: &mut B, 
        records: &mut [Record<N, D>]
    ) -> Result<(), ShortBuf>
    where
        D: CanonicalOrd + Compose + Sized;
    fn verify_signed_data(
        &self, 
        dnskey: &Dnskey<impl AsRef<[u8]>>, 
        signed_data: &impl AsRef<[u8]>
    ) -> Result<(), AlgorithmError>;
}

Extensions for DNSKEY record type.

Required methods

fn signed_data<N: ToDname, D: RecordData, B: OctetsBuilder>(
    &self,
    buf: &mut B,
    records: &mut [Record<N, D>]
) -> Result<(), ShortBuf> where
    D: CanonicalOrd + Compose + Sized, 

Compose the signed data according to RC4035, Section 5.3.2.

   Once the RRSIG RR has met the validity requirements described in
   Section 5.3.1, the validator has to reconstruct the original signed
   data.  The original signed data includes RRSIG RDATA (excluding the
   Signature field) and the canonical form of the RRset.  Aside from
   being ordered, the canonical form of the RRset might also differ from
   the received RRset due to DNS name compression, decremented TTLs, or
   wildcard expansion.

fn verify_signed_data(
    &self,
    dnskey: &Dnskey<impl AsRef<[u8]>>,
    signed_data: &impl AsRef<[u8]>
) -> Result<(), AlgorithmError>

Attempt to use the cryptographic signature to authenticate the signed data, and thus authenticate the RRSET. The signed data is expected to be calculated as per RFC4035, Section 5.3.2.

RFC4035, Section 5.3.2:

5.3.3.  Checking the Signature

   Once the resolver has validated the RRSIG RR as described in Section
   5.3.1 and reconstructed the original signed data as described in
   Section 5.3.2, the validator can attempt to use the cryptographic
   signature to authenticate the signed data, and thus (finally!)
   authenticate the RRset.

   The Algorithm field in the RRSIG RR identifies the cryptographic
   algorithm used to generate the signature.  The signature itself is
   contained in the Signature field of the RRSIG RDATA, and the public
   key used to verify the signature is contained in the Public Key field
   of the matching DNSKEY RR(s) (found in Section 5.3.1).  [RFC4034]
   provides a list of algorithm types and provides pointers to the
   documents that define each algorithm's use.

Loading content...

Implementors

impl<Octets: AsRef<[u8]>, Name: Compose> RrsigExt for Rrsig<Octets, Name>

fn signed_data<N: ToDname, D: RecordData, B: OctetsBuilder>(
    &self,
    buf: &mut B,
    records: &mut [Record<N, D>]
) -> Result<(), ShortBuf> where
    D: CanonicalOrd + Compose + Sized, 

fn verify_signed_data(
    &self,
    dnskey: &Dnskey<impl AsRef<[u8]>>,
    signed_data: &impl AsRef<[u8]>
) -> Result<(), AlgorithmError>

Loading content...