NAME
Net::DNS::RR::RRSIG - DNS RRSIG resource record
SYNOPSIS
    use Net::DNS;
    $rr = new Net::DNS::RR('name RRSIG typecovered algorithm labels
                            orgttl sigexpiration siginception
                            keytag signame signature');

    $sigrr = create Net::DNS::RR::RRSIG( \@rrset, $keypath,
                                         sigin => 20130701010101
                                         );

    $sigrr->verify( \@rrset, $keyrr ) || croak $sigrr->vrfyerrstr;
DESCRIPTION
Class for DNS digital signature (RRSIG) resource records.
In addition to the regular methods inherited from Net::DNS::RR the class
contains a method to sign RRsets using private keys (create) and a method for
verifying signatures over RRsets (verify).
The RRSIG RR is an implementation of RFC4034. See Net::DNS::RR::SIG for an
implementation of SIG0 (RFC2931).
METHODS
The available methods are those inherited from the base class augmented by the
type-specific methods defined in this package.
Use of undocumented package features or direct access to internal data
structures is discouraged and could result in program termination or other
unpredictable behaviour.
typecovered
    $typecovered = $rr->typecovered;
The typecovered field identifies the type of the RRset that is covered by this
RRSIG record.
algorithm
    $algorithm = $rr->algorithm;
The algorithm number field identifies the cryptographic algorithm used to create
the signature.
algorithm() may also be invoked as a class method or simple function to
perform mnemonic and numeric code translation.
labels
    $labels = $rr->labels;
    $rr->labels( $labels );
The labels field specifies the number of labels in the original RRSIG RR owner
name.
orgttl
    $orgttl = $rr->orgttl;
    $rr->orgttl( $orgttl );
The original TTL field specifies the TTL of the covered RRset as it appears in
the authoritative zone.
sigexpiration and siginception time
    $expiration = $rr->sigexpiration;
    $inception  = $rr->siginception;
The signature expiration and inception fields specify a validity time interval
for the signature.
The value may be specified by a string with format 'yyyymmddhhmmss' or a Perl
time() value.
keytag
    $keytag = $rr->keytag;
    $rr->keytag( $keytag );
The keytag field contains the key tag value of the DNSKEY RR that validates this
signature.
signame
    $signame = $rr->signame;
The signer name field value identifies the owner name of the DNSKEY RR that a
validator is supposed to use to validate this signature.
signature
    $signature = $rr->signature;
The Signature field contains the cryptographic signature that covers the RRSIG
RDATA (excluding the Signature field) and the RRset specified by the RRSIG
owner name, RRSIG class, and RRSIG type covered fields.
sigbin
    $sigbin = $rr->sigbin;
    $rr->sigbin( $sigbin );
Binary representation of the cryptographic signature.
create
    Create a signature over an RRset.

    use Net::DNS::SEC;

    $keypath = '/home/olaf/keys/Kbla.foo.+001+60114.private';

    # signature inception defaults to the time of signing
    $sigrr = create Net::DNS::RR::RRSIG( \@datarrset, $keypath );

    # explicit signature inception time
    $sigrr = create Net::DNS::RR::RRSIG( \@datarrset, $keypath,
                                         sigin => 20130701010101
                                         );
    $sigrr->print;

    # Alternatively use a Net::DNS::SEC::Private object
    $private = Net::DNS::SEC::Private->new($keypath);
    $sigrr   = create Net::DNS::RR::RRSIG( \@datarrset, $private );

create() is an alternative constructor for an RRSIG RR object.
This method returns an RRSIG with the signature over the datarrset (an array of
RRs) made with the private key stored in the key file.
The first argument is a reference to an array that contains the RRset that needs
to be signed.
The second argument is a string which specifies the path to a file containing
the private key as generated by dnssec-keygen.
The optional remaining arguments consist of ( name => value ) pairs as
follows:
    sigin  => 20130701010101,   # signature inception
    sigex  => 20130731010101,   # signature expiration
    sigval => 30,               # signature validity
    ttl    => 3600              # TTL
The sigin and sigex values may be specified as Perl time values or as a string
with the format 'yyyymmddhhmmss'. The default for sigin is the time of
signing.
The sigval argument specifies the signature validity window in days ( sigex =
sigin + sigval ). If both sigex and sigval are specified, sigval takes precedence.
By default the signature is valid for 30 days.
By default the TTL matches the RRSet that is presented for signing.
Only RSA signatures (algorithms 1,5,7,8 and 10) and DSA signatures (algorithms 3
and 6) have been implemented.
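The following script is an added example and not part of the Net::DNS::SEC distribution. It signs an A RRset with create(), using sigval for an explicit validity window, then performs the checks a validator makes before attempting the cryptography (key tag, algorithm and signer name must match the DNSKEY) and verifies the signature with the public key read from the dnssec-keygen .key file. It finishes with a negative check: the same RRSIG must fail over a modified RRset. The key directory, key basename and the 192.0.2.x addresses are placeholders, and read_dnskey() is a helper written for this example.

```perl
#!/usr/bin/perl
# Added example (not from the Net::DNS::SEC distribution): sign an RRset with
# create(), then verify it with the public DNSKEY from the matching .key file.
# Assumptions: a key pair generated by dnssec-keygen lives under $keydir with
# basename $keybase (placeholders); Net::DNS and Net::DNS::SEC are installed.
use strict;
use warnings;
use Net::DNS;
use Net::DNS::SEC;
use Net::DNS::RR::RRSIG;

# Placeholder basename as produced by e.g. "dnssec-keygen -a 8 example.com."
my $keydir  = $ENV{KEYDIR}  || '/path/to/keys';
my $keybase = $ENV{KEYBASE} || 'Kexample.com.+008+12345';    # placeholder tag

my $private = "$keydir/$keybase.private";
my $public  = "$keydir/$keybase.key";

# The RRset to sign: every RR must share owner name, class, type and TTL.
# The addresses are documentation-range values constructed for this example.
my @rrset = map { Net::DNS::RR->new($_) } (
    'www.example.com. 3600 IN A 192.0.2.10',
    'www.example.com. 3600 IN A 192.0.2.11',
);

# Sign with an explicit 7-day validity window starting now (sigin default).
my $sigrr = Net::DNS::RR::RRSIG->create( \@rrset, $private, sigval => 7 )
    or die "create() failed";
$sigrr->print;

# Read the DNSKEY RR out of the .key file (comment lines begin with ';').
my $keyrr = read_dnskey($public);

# Consistency checks a validator performs before trying the cryptography.
die "key tag mismatch"     unless $sigrr->keytag    == $keyrr->keytag;
die "algorithm mismatch"   unless $sigrr->algorithm == $keyrr->algorithm;
die "signer name mismatch" unless lc $sigrr->signame eq lc $keyrr->name;

$sigrr->verify( \@rrset, $keyrr )
    or die 'verify failed: ' . $sigrr->vrfyerrstr;
print "signature over ", scalar(@rrset), " RRs verified with key tag ",
    $keyrr->keytag, "\n";

# Negative check: a modified RRset must not verify under the same signature.
my @tampered = ( @rrset,
    Net::DNS::RR->new('www.example.com. 3600 IN A 198.51.100.1') );
die "tampered RRset unexpectedly verified"
    if $sigrr->verify( \@tampered, $keyrr );
print "tampered RRset rejected: ", $sigrr->vrfyerrstr, "\n";

# Helper for this example: return the single DNSKEY RR in a dnssec-keygen
# .key file as a Net::DNS::RR object.
sub read_dnskey {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    while ( my $line = <$fh> ) {
        next if $line =~ /^\s*(;|$)/;    # skip comments and blank lines
        return Net::DNS::RR->new($line) if $line =~ /\bDNSKEY\b/;
    }
    die "no DNSKEY record found in $path";
}
```

Run it as KEYDIR=/your/keys KEYBASE=Kexample.com.+008+NNNNN perl sign_verify.pl after generating a key pair for example.com. with dnssec-keygen; the arrow form Net::DNS::RR::RRSIG->create(...) is the same call as the indirect-object form create Net::DNS::RR::RRSIG(...) shown above.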
verify and vrfyerrstr
    $sigrr->verify( $dataref, $keyrr ) || croak $sigrr->vrfyerrstr;

    $sigrr->verify( $dataref, [$keyrr, $keyrr2, $keyrr3] ) ||
        croak $sigrr->vrfyerrstr;
$dataref contains a reference to an array of RR objects and the method verifies
the RRset against the signature contained in the $sigrr object itself using
the public key in $keyrr.
The second argument can either be a Net::DNS::RR::KEYRR object or a reference to
an array of such objects. Verification will return successful as soon as one
of the keys in the array leads to positive validation.
Returns 0 on error and sets $sigrr->vrfyerrstr.

Example
    print $sigrr->vrfyerrstr unless $sigrr->verify( $rrset, $keyrr );
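The script below is an added example, not part of the Net::DNS::SEC distribution, showing verify() with the array-of-keys form described above. It reads a signed zone file (placeholder path), groups the records into RRsets, and for each RRSIG selects only the DNSKEY records whose owner name, algorithm and key tag match the signature before calling verify(); failures are reported through vrfyerrstr. As a monitoring aid it also warns when a valid signature is within $warn_days of its expiration. The to_epoch() helper is written for this example and accepts both field formats the page documents ('yyyymmddhhmmss' and a Perl time value).

```perl
#!/usr/bin/perl
# Added example (not from Net::DNS::SEC): validate every RRSIG in a signed
# zone file against the zone's own DNSKEY RRset and flag signatures that are
# close to expiry. Assumption: $zonefile (placeholder) is a signed zone in
# master-file format; Net::DNS and Net::DNS::SEC are installed.
use strict;
use warnings;
use Net::DNS;
use Net::DNS::SEC;
use Net::DNS::ZoneFile;
use Time::Local qw(timegm);

my $zonefile  = $ENV{ZONEFILE} || '/path/to/example.com.signed';   # placeholder
my $warn_days = 3;    # alert threshold for approaching expiration

my @rr = Net::DNS::ZoneFile->new($zonefile)->read;

# Index RRs by "owner/class/type"; keep DNSKEY and RRSIG records separately.
my ( %rrset, @dnskey, @rrsig );
for my $rr (@rr) {
    if ( $rr->type eq 'RRSIG' ) { push @rrsig, $rr; next }
    push @dnskey, $rr if $rr->type eq 'DNSKEY';
    push @{ $rrset{ join '/', lc $rr->name, $rr->class, $rr->type } }, $rr;
}

my $now = time;
my ( $ok, $bad ) = ( 0, 0 );
for my $sig (@rrsig) {
    my $id   = join '/', lc $sig->name, $sig->class, $sig->typecovered;
    my $data = $rrset{$id}
        or do { warn "RRSIG for missing RRset $id\n"; $bad++; next };

    # Candidate keys: same signer name, algorithm and key tag as the RRSIG.
    # verify() succeeds as soon as one key in the list validates.
    my @keys = grep {
               lc $_->name  eq lc $sig->signame
            && $_->algorithm == $sig->algorithm
            && $_->keytag    == $sig->keytag
    } @dnskey;
    unless (@keys) {
        warn "no DNSKEY matches $id (key tag ", $sig->keytag, ")\n";
        $bad++;
        next;
    }

    if ( $sig->verify( $data, \@keys ) ) {
        $ok++;
        my $left = to_epoch( $sig->sigexpiration ) - $now;
        warn sprintf( "%s expires in %.1f days\n", $id, $left / 86400 )
            if $left < $warn_days * 86400;
    }
    else {
        $bad++;
        warn "$id: ", $sig->vrfyerrstr, "\n";
    }
}
print "verified $ok RRSIG(s), $bad problem(s)\n";
exit( $bad ? 1 : 0 );

# Helper for this example: convert a sigexpiration/siginception value to a
# Perl epoch time, accepting either 'yyyymmddhhmmss' or a raw time() value.
sub to_epoch {
    my ($t) = @_;
    return $t unless $t =~ /^(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)$/;
    return timegm( $6, $5, $4, $3, $2 - 1, $1 );    # month is zero-based
}
```

The exit status makes the script usable from a cron job or CI step: a non-zero status means at least one RRSIG had no matching key, covered a missing RRset, or failed verification, with the reason already written to STDERR.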
KEY GENERATION
Private key files and corresponding public DNSKEY records are most conveniently
generated using dnssec-keygen, a program that comes with the ISC BIND
distribution.
    dnssec-keygen -a 10 -b 2048 -f ksk rsa.example.
    dnssec-keygen -a 10 -b 1024 rsa.example.com.

    dnssec-keygen -a 14 -f ksk ecdsa.example.
    dnssec-keygen -a 14 ecdsa.example.
Do not change the name of the file generated by dnssec-keygen. The create method
uses the filename to determine the key owner, algorithm and key id (keytag).
The code is not optimized for speed. It is probably not suitable to be used for
signing large zones.
If this code is still around in 2100 (not a leap year) you will need to check
for proper handling of times ...
ACKNOWLEDGMENTS
Andy Vaskys (Network Associates Laboratories) supplied the code for handling RSA
with SHA1 (Algorithm 5).
T.J. Mather, <tjmather@tjmather.com>, the Crypt::OpenSSL::DSA maintainer,
for his quick responses to bug reports and feature requests.
COPYRIGHT
Copyright (c)2001-2005 RIPE NCC, Olaf M. Kolkman
Copyright (c)2007-2008 NLnet Labs, Olaf M. Kolkman
Portions Copyright (c)2014 Dick Franks
All Rights Reserved
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided that
the above copyright notice appear in all copies and that both that copyright
notice and this permission notice appear in supporting documentation, and that
the name of the author not be used in advertising or publicity pertaining to
distribution of the software without specific prior written permission.
THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO EVENT SHALL AUTHOR BE
LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.
SEE ALSO
perl, Net::DNS, Net::DNS::RR, Net::DNS::SEC, RFC4034, RFC6840, RFC3755,
Crypt::OpenSSL::DSA, Crypt::OpenSSL::RSA
Algorithm Numbers <http://www.iana.org/assignments/dns-sec-alg-numbers>
BIND 9 Administrator Reference Manual