Trait domain::validate::RrsigExt

pub trait RrsigExt {
    // Required methods
    fn signed_data<N: ToDname, D, B: Composer>(
        &self,
        buf: &mut B,
        records: &mut [Record<N, D>]
    ) -> Result<(), B::AppendError>
       where D: CanonicalOrd + ComposeRecordData + Sized + RecordData;
    fn verify_signed_data(
        &self,
        dnskey: &Dnskey<impl AsRef<[u8]>>,
        signed_data: &impl AsRef<[u8]>
    ) -> Result<(), AlgorithmError>;
}
Available on crate feature validate only.

Extensions for DNSKEY record type.

Required Methods


fn signed_data<N: ToDname, D, B: Composer>(
    &self,
    buf: &mut B,
    records: &mut [Record<N, D>]
) -> Result<(), B::AppendError>
   where D: CanonicalOrd + ComposeRecordData + Sized + RecordData

Compose the signed data according to RFC 4035, Section 5.3.2.

   Once the RRSIG RR has met the validity requirements described in
   Section 5.3.1, the validator has to reconstruct the original signed
   data.  The original signed data includes RRSIG RDATA (excluding the
   Signature field) and the canonical form of the RRset.  Aside from
   being ordered, the canonical form of the RRset might also differ from
   the received RRset due to DNS name compression, decremented TTLs, or
   wildcard expansion.
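The reconstruction described above, written out as an added std-only Rust example (not the crate's own `signed_data` implementation; the `RrsigFields` type, the `wire_name` helper and the argument layout are assumptions, and a real validator would take the fields from a parsed RRSIG). It covers the three differences the RFC names: uncompressed, lowercased names; the Original TTL in place of the received TTL; and wildcard expansion from the Labels field; the output is the byte string that is then handed to `verify_signed_data` together with the matching DNSKEY.

```rust
/// RRSIG RDATA fields except the Signature (RFC 4034 Section 3.1). Hypothetical type.
pub struct RrsigFields {
    pub type_covered: u16, pub algorithm: u8, pub labels: u8, pub original_ttl: u32,
    pub expiration: u32, pub inception: u32, pub key_tag: u16, pub signer: String,
}

/// Canonical wire-format name: uncompressed, ASCII-lowercased labels (RFC 4034 Section 6.2).
pub fn wire_name(name: &str) -> Vec<u8> {
    let mut out = Vec::new();
    for label in name.split('.').filter(|l| !l.is_empty()) {
        out.push(label.len() as u8);
        out.extend_from_slice(label.to_ascii_lowercase().as_bytes());
    }
    out.push(0); // root label
    out
}

/// Signed data per RFC 4035 Section 5.3.2: RRSIG RDATA minus Signature, then the canonical RRset.
pub fn signed_data(rrsig: &RrsigFields, owner: &str, class: u16, rdatas: &[Vec<u8>]) -> Vec<u8> {
    let mut buf = rrsig.type_covered.to_be_bytes().to_vec();
    buf.extend([rrsig.algorithm, rrsig.labels]);
    for word in [rrsig.original_ttl, rrsig.expiration, rrsig.inception] {
        buf.extend(word.to_be_bytes());
    }
    buf.extend(rrsig.key_tag.to_be_bytes());
    buf.extend(wire_name(&rrsig.signer));
    // Wildcard expansion: more received labels than the Labels field means the RRset
    // was synthesized from "*.<rightmost Labels labels>"; that owner is what was signed.
    let parts: Vec<&str> = owner.split('.').filter(|l| !l.is_empty()).collect();
    let n = rrsig.labels as usize;
    let owner_wire = if parts.len() > n {
        wire_name(&format!("*.{}", parts[parts.len() - n..].join(".")))
    } else {
        wire_name(owner)
    };
    // Canonical RRset: sort by RDATA as octet strings and drop duplicates (RFC 4034
    // Section 6.3); each RR carries the RRSIG's Original TTL, not the received TTL.
    let mut sorted: Vec<&[u8]> = rdatas.iter().map(|r| r.as_slice()).collect();
    sorted.sort();
    sorted.dedup();
    for rdata in sorted {
        buf.extend_from_slice(&owner_wire);
        buf.extend(rrsig.type_covered.to_be_bytes());
        buf.extend(class.to_be_bytes());
        buf.extend(rrsig.original_ttl.to_be_bytes());
        buf.extend((rdata.len() as u16).to_be_bytes());
        buf.extend_from_slice(rdata);
    }
    buf
}
```

Because received TTLs are not an input at all, a TTL decremented by a cache cannot change the output, which is the reason the Original TTL field exists.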

fn verify_signed_data(
    &self,
    dnskey: &Dnskey<impl AsRef<[u8]>>,
    signed_data: &impl AsRef<[u8]>
) -> Result<(), AlgorithmError>

Attempt to use the cryptographic signature to authenticate the signed data, and thus authenticate the RRset. The signed data is expected to have been calculated as per RFC 4035, Section 5.3.2.

RFC 4035, Section 5.3.3:

5.3.3.  Checking the Signature

   Once the resolver has validated the RRSIG RR as described in Section
   5.3.1 and reconstructed the original signed data as described in
   Section 5.3.2, the validator can attempt to use the cryptographic
   signature to authenticate the signed data, and thus (finally!)
   authenticate the RRset.

   The Algorithm field in the RRSIG RR identifies the cryptographic
   algorithm used to generate the signature.  The signature itself is
   contained in the Signature field of the RRSIG RDATA, and the public
   key used to verify the signature is contained in the Public Key field
   of the matching DNSKEY RR(s) (found in Section 5.3.1).  [RFC4034]
   provides a list of algorithm types and provides pointers to the
   documents that define each algorithm's use.

Object Safety

This trait is not object safe.

Implementors


impl<Octets: AsRef<[u8]>, Name: ToDname> RrsigExt for Rrsig<Octets, Name>