.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" ======================================================================== .\" .IX Title "Net::DNS::RR::TSIG 3pm" .TH Net::DNS::RR::TSIG 3pm "2020-11-20" "perl v5.32.0" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Net::DNS::RR::TSIG \- DNS TSIG resource record .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 2 \& use Net::DNS; \& $tsig = Net::DNS::RR::TSIG\->create( $keyfile ); \& \& $tsig = Net::DNS::RR::TSIG\->create( $keyfile, \& fudge => 300 \& ); .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" Class for \s-1DNS\s0 Transaction Signature (\s-1TSIG\s0) resource records. .SH "METHODS" .IX Header "METHODS" The available methods are those inherited from the base class augmented by the type-specific methods defined in this package. .PP Use of undocumented package features or direct access to internal data structures is discouraged and could result in program termination or other unpredictable behaviour. .SS "algorithm" .IX Subsection "algorithm" .Vb 2 \& $algorithm = $rr\->algorithm; \& $rr\->algorithm( $algorithm ); .Ve .PP A domain name which specifies the name of the algorithm. .SS "key" .IX Subsection "key" .Vb 1 \& $rr\->key( $key ); .Ve .PP Base64 representation of the key material. .SS "keybin" .IX Subsection "keybin" .Vb 1 \& $rr\->keybin( $keybin ); .Ve .PP Binary representation of the key material. .SS "time_signed" .IX Subsection "time_signed" .Vb 2 \& $time_signed = $rr\->time_signed; \& $rr\->time_signed( $time_signed ); .Ve .PP Signing time as the number of seconds since 1 Jan 1970 00:00:00 \s-1UTC.\s0 The default signing time is the current time. .SS "fudge" .IX Subsection "fudge" .Vb 2 \& $fudge = $rr\->fudge; \& $rr\->fudge( $fudge ); .Ve .PP \&\*(L"fudge\*(R" represents the permitted error in the signing time. The default fudge is 300 seconds. .SS "mac" .IX Subsection "mac" .Vb 1 \& $rr\->mac( $mac ); .Ve .PP Message authentication code (\s-1MAC\s0). The programmer must call the Net::DNS::Packet \fBdata()\fR object method before this will return anything meaningful. .SS "macbin" .IX Subsection "macbin" .Vb 2 \& $macbin = $rr\->macbin; \& $rr\->macbin( $macbin ); .Ve .PP Binary message authentication code (\s-1MAC\s0). .SS "prior_mac" .IX Subsection "prior_mac" .Vb 2 \& $prior_mac = $rr\->prior_mac; \& $rr\->prior_mac( $prior_mac ); .Ve .PP Prior message authentication code (\s-1MAC\s0). .SS "prior_macbin" .IX Subsection "prior_macbin" .Vb 2 \& $prior_macbin = $rr\->prior_macbin; \& $rr\->prior_macbin( $prior_macbin ); .Ve .PP Binary prior message authentication code. .SS "request_mac" .IX Subsection "request_mac" .Vb 2 \& $request_mac = $rr\->request_mac; \& $rr\->request_mac( $request_mac ); .Ve .PP Request message authentication code (\s-1MAC\s0). .SS "request_macbin" .IX Subsection "request_macbin" .Vb 2 \& $request_macbin = $rr\->request_macbin; \& $rr\->request_macbin( $request_macbin ); .Ve .PP Binary request message authentication code. .SS "original_id" .IX Subsection "original_id" .Vb 2 \& $original_id = $rr\->original_id; \& $rr\->original_id( $original_id ); .Ve .PP The message \s-1ID\s0 from the header of the original packet. .SS "error" .IX Subsection "error" .SS "vrfyerrstr" .IX Subsection "vrfyerrstr" .Vb 1 \& $rcode = $tsig\->error; .Ve .PP Returns the \s-1RCODE\s0 covering \s-1TSIG\s0 processing. Common values are \&\s-1NOERROR, BADSIG, BADKEY,\s0 and \s-1BADTIME.\s0 See RFC2845\-bis for details. .SS "other" .IX Subsection "other" .Vb 1 \& $other = $tsig\->other; .Ve .PP This field should be empty unless the error is \s-1BADTIME,\s0 in which case it will contain the server time as the number of seconds since 1 Jan 1970 00:00:00 \s-1UTC.\s0 .SS "sig_function" .IX Subsection "sig_function" .Vb 2 \& sub signing_function { \& my ( $keybin, $data ) = @_; \& \& my $hmac = Digest::HMAC\->new( $keybin, \*(AqDigest::MD5\*(Aq ); \& $hmac\->add( $data ); \& return $hmac\->digest; \& } \& \& $tsig\->sig_function( \e&signing_function ); .Ve .PP This sets the signing function to be used for this \s-1TSIG\s0 record. The default signing function is \s-1HMAC\-MD5.\s0 .SS "sig_data" .IX Subsection "sig_data" .Vb 1 \& $sigdata = $tsig\->sig_data($packet); .Ve .PP Returns the packet packed according to RFC2845\-bis in a form for signing. This is only needed if you want to supply an external signing function, such as is needed for TSIG-GSS. .SS "create" .IX Subsection "create" .Vb 1 \& $tsig = Net::DNS::RR::TSIG\->create( $keyfile ); \& \& $tsig = Net::DNS::RR::TSIG\->create( $keyfile, \& fudge => 300 \& ); .Ve .PP Returns a \s-1TSIG RR\s0 constructed using the parameters in the specified key file, which is assumed to have been generated by tsig-keygen. .SS "verify" .IX Subsection "verify" .Vb 2 \& $verify = $tsig\->verify( $data ); \& $verify = $tsig\->verify( $packet ); \& \& $verify = $tsig\->verify( $reply, $query ); \& \& $verify = $tsig\->verify( $packet, $prior ); .Ve .PP The boolean verify method will return true if the hash over the packet data conforms to the data in the \s-1TSIG\s0 itself .SH "TSIG Keys" .IX Header "TSIG Keys" The \s-1TSIG\s0 authentication mechanism employs shared secret keys to establish a trust relationship between two entities. .PP It should be noted that it is possible for more than one key to be in use simultaneously between any such pair of entities. .PP \&\s-1TSIG\s0 keys are generated using the tsig-keygen utility distributed with \s-1ISC BIND:\s0 .PP .Vb 1 \& tsig\-keygen \-a HMAC\-SHA256 host1\-host2.example. .Ve .PP Other algorithms may be substituted for \s-1HMAC\-SHA256\s0 in the above example. .PP These keys must be protected in a manner similar to private keys, lest a third party masquerade as one of the intended parties by forging the message authentication code (\s-1MAC\s0). .SH "Configuring BIND Nameserver" .IX Header "Configuring BIND Nameserver" The generated key must be added to the /etc/named.conf configuration or a separate file introduced by the \f(CW$INCLUDE\fR directive: .PP .Vb 4 \& key "host1\-host2.example. { \& algorithm hmac\-sha256; \& secret "Secret+known+only+by+participating+entities="; \& }; .Ve .SH "ACKNOWLEDGMENT" .IX Header "ACKNOWLEDGMENT" Most of the code in the Net::DNS::RR::TSIG module was contributed by Chris Turbeville. .PP Support for external signing functions was added by Andrew Tridgell. .PP \&\s-1TSIG\s0 verification, \s-1BIND\s0 keyfile handling and support for \s-1HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384\s0 and \s-1HMAC\-SHA512\s0 functions was added by Dick Franks. .SH "BUGS" .IX Header "BUGS" A 32\-bit representation of time is used, contrary to \s-1RFC2845\s0 which demands 48 bits. This design decision will need to be reviewed before the code stops working on 7 February 2106. .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright (c)2000,2001 Michael Fuhr. .PP Portions Copyright (c)2002,2003 Chris Reinhardt. .PP Portions Copyright (c)2013,2020 Dick Franks. .PP All rights reserved. .PP Package template (c)2009,2012 O.M.Kolkman and R.W.Franks. .SH "LICENSE" .IX Header "LICENSE" Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of the author not be used in advertising or publicity pertaining to distribution of the software without specific prior written permission. .PP \&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" perl, Net::DNS, Net::DNS::RR, RFC2845\-bis, \s-1RFC4635\s0 .PP \&\s-1TSIG\s0 Algorithm Names