[bind10-dev] Tsig class
Michael Graff
mgraff at isc.org
Fri Feb 26 20:09:19 UTC 2010
I have a very basic start on this, but wanted to pass along my thoughts
before I went too deep inside this.
Tsig algorithms currently defined are: MD5, SHA1, SHA224, SHA256,
SHA384, and SHA512. These are all well-known and I can easily get
source for them. For now, I intend to just embed these inside the Tsig
class and not make them more generic. Even though Francis will
complain, I'm starting with MD5 as I know that one best. :)
My plan was to create a new Tsig(Name, algorithm, key-data) and then use
it to sign messages, something like:
tsig.signMessage(message);
and verify
tsig.verifyMessage(message);
where "message" is a dns::Message. However, I'm not certain about a few
things.
One, the signature is actually added into the message. This means
signMessage() may add stuff that MUST go to the end, so Message needs to
become smarter about Tsig. I'm wondering if I have this backwards, and
this logic should instead go in Message, so it would call Tsig.sign()
and Tsig.verify().
Lastly, Tsig is also the RRType name. Will this lead to confusion if we
have both of these?
isc::dns::Tsig
isc::dns::rdata::TSIG
If so, this will be called TrustedSignature which is what Tsig stands
for. Luckily we don't have to use it many places.
--Michael
More information about the bind10-dev
mailing list