Module domain::tsig

Available on crate feature tsig only.

Support for TSIG.

This module provides high-level support for signing message exchanges with TSIG as defined in RFC 2845.

TSIG is intended to provide authentication for message exchanges. Messages are signed using a secret key shared between the two participants. The party sending the request – the client – generates a signature over the message it is about to send using that key and adds it in a special record of record type TSIG to the additional section of the message. The receiver of the request – the server – verifies the signature using the same key. When creating an answer, it too generates a signature. It includes the request’s signature in this process in order to bind request and answer together. This signature ends up in a TSIG record in the additional section as well and can be verified by the client.

TSIG supports a number of algorithms for signature generation; it even allows for private algorithms. The specification requires support for at least HMAC-MD5 as defined in RFC 2104. Since MD5 is now widely regarded as unsafe, we don’t follow that rule and only support the SHA-based algorithms from [RFC 4653]. You can choose the algorithm to use for your keys via the Algorithm enum.

Keys are managed via the Key type. While technically the actual octets of the key can be used with any algorithm, we tie a key together with the algorithm it is to be used with. In addition, each key also has a name, which is in fact a domain name. Key values also manage the signature truncation that is allowed in a future version of the specification.

Finally, there are four types for dealing with message exchanges secured with TSIG. For regular transactions that consist of a request and a single answer message, the types ClientTransaction and ServerTransaction implement the client and server role, respectively. If the answer can consist of a sequence of messages, such as in AXFR, ClientSequence and ServerSequence can be used instead.

For the server transaction and sequence, there is one more thing you need: a KeyStore, which looks up the key used by the client. As this is a trait, you may need to implement it for your particular use case. There are implementations for a hash map as well as for a single key (the latter mostly for testing).
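The request/answer binding described above, as an added example in Python built from the RFC 2845 digest rules; it is not the crate's own code. The answer's MAC covers the request's MAC, so an answer only verifies against the request it was produced for. The key, the message bodies and the TSIG variables are constructed placeholders; a real implementation digests the DNS message with its TSIG record removed.

```python
import hashlib
import hmac
import struct


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire format of a domain name."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.lower().rstrip(".").split(".") if label)
    return out + b"\x00"


def tsig_variables(key_name: str, algorithm: str, time_signed: int, fudge: int,
                   error: int = 0, other: bytes = b"") -> bytes:
    """The 'TSIG variables' digested together with the message (RFC 2845, 3.4.2)."""
    return (wire_name(key_name)
            + struct.pack("!HI", 255, 0)          # CLASS ANY, TTL 0
            + wire_name(algorithm)
            + time_signed.to_bytes(6, "big")      # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_mac(key: bytes, message: bytes, variables: bytes, request_mac=None) -> bytes:
    """HMAC-SHA256 over [request MAC] || message || TSIG variables.

    An answer prepends the request's MAC as a 2-octet length plus the MAC
    itself; that is what binds the answer to the request it belongs to.
    """
    data = b""
    if request_mac is not None:
        data += struct.pack("!H", len(request_mac)) + request_mac
    return hmac.new(key, data + message + variables, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, variables: bytes, mac: bytes,
           request_mac=None) -> bool:
    """Constant-time comparison of the received MAC against a recomputation."""
    return hmac.compare_digest(tsig_mac(key, message, variables, request_mac), mac)


# Constructed sample exchange: the key and message bodies are placeholders,
# not real DNS wire data.
KEY = b"constructed-shared-secret"
REQUEST = b"<constructed DNS request without its TSIG record>"
ANSWER = b"<constructed DNS answer without its TSIG record>"
REQ_VARS = tsig_variables("Key.Example.", "hmac-sha256.", 1700000000, 300)
ANS_VARS = tsig_variables("key.example.", "hmac-sha256.", 1700000001, 300)

REQ_MAC = tsig_mac(KEY, REQUEST, REQ_VARS)                      # client signs the request
ANS_MAC = tsig_mac(KEY, ANSWER, ANS_VARS, request_mac=REQ_MAC)  # server binds answer to it
```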
