.\" Automatically generated by Pod::Man 4.07 (Pod::Simple 3.32)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\"  diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.if !\nF .nr F 0
.if \nF>0 \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    if !\nF==2 \{\
.        nr % 0
.        nr F 2
.    \}
.\}
.\" ========================================================================
.\"
.IX Title "Net::DNS::RR::SIG 3pm"
.TH Net::DNS::RR::SIG 3pm "2017-01-01" "perl v5.24.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.
.\" Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Net::DNS::RR::SIG \- DNS SIG resource record
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 4
\&    use Net::DNS;
\&    $rr = new Net::DNS::RR(\*(Aqname SIG typecovered algorithm labels
\&                                orgttl sigexpiration siginception
\&                                keytag signame signature\*(Aq);
\&
\&    use Net::DNS::SEC;
\&    $sigrr = create Net::DNS::RR::SIG( $string, $keypath,
\&                                        sigval => 10 # minutes
\&                                        );
\&
\&    $sigrr\->verify( $string, $keyrr ) || die $sigrr\->vrfyerrstr;
\&    $sigrr\->verify( $packet, $keyrr ) || die $sigrr\->vrfyerrstr;
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Class for \s-1DNS\s0 digital signature (\s-1SIG\s0) resource records.
.PP
In addition to the regular methods inherited from Net::DNS::RR the
class contains a method to sign packets and scalar data strings
using private keys (create) and a method for verifying signatures.
.PP
The \s-1SIG RR\s0 is an implementation of \s-1RFC2931. \s0
See Net::DNS::RR::RRSIG for an implementation of \s-1RFC4034.\s0
.SH "METHODS"
.IX Header "METHODS"
The available methods are those inherited from the base class augmented
by the type-specific methods defined in this package.
.PP
Use of undocumented package features or direct access to internal data
structures is discouraged and could result in program termination or
other unpredictable behaviour.
.SS "algorithm"
.IX Subsection "algorithm"
.Vb 1
\&    $algorithm = $rr\->algorithm;
.Ve
.PP
The algorithm number field identifies the cryptographic algorithm used
to create the signature.
.PP
\&\fIalgorithm()\fR may also be invoked as a class method or simple function
to perform mnemonic and numeric code translation.
.SS "sigexpiration and siginception times"
.IX Subsection "sigexpiration and siginception times"
.SS "sigex sigin sigval"
.IX Subsection "sigex sigin sigval"
.Vb 2
\&    $expiration = $rr\->sigexpiration;
\&    $expiration = $rr\->sigexpiration( $value );
\&
\&    $inception = $rr\->siginception;
\&    $inception = $rr\->siginception( $value );
.Ve
.PP
The signature expiration and inception fields specify a validity time
interval for the signature.
.PP
The value may be specified by a string with format 'yyyymmddhhmmss'
or a Perl \fItime()\fR value.
.PP
Return values are dual-valued, providing either a string value or
numerical Perl \fItime()\fR value.
.SS "keytag"
.IX Subsection "keytag"
.Vb 2
\&    $keytag = $rr\->keytag;
\&    $rr\->keytag( $keytag );
.Ve
.PP
The keytag field contains the key tag value of the \s-1KEY RR\s0
that validates this signature.
.SS "signame"
.IX Subsection "signame"
.Vb 2
\&    $signame = $rr\->signame;
\&    $rr\->signame( $signame );
.Ve
.PP
The signer name field value identifies the owner name of the \s-1KEY RR\s0
that a validator is supposed to use to validate this signature.
.SS "signature"
.IX Subsection "signature"
.SS "sig"
.IX Subsection "sig"
.Vb 2
\&    $sig = $rr\->sig;
\&    $rr\->sig( $sig );
.Ve
.PP
The Signature field contains the cryptographic signature that covers
the \s-1SIG RDATA \s0(excluding the Signature field) and the subject data.
.SS "sigbin"
.IX Subsection "sigbin"
.Vb 2
\&    $sigbin = $rr\->sigbin;
\&    $rr\->sigbin( $sigbin );
.Ve
.PP
Binary representation of the cryptographic signature.
.SS "create"
.IX Subsection "create"
Create a signature over scalar data.
.PP
.Vb 1
\&    use Net::DNS::SEC;
\&
\&    $keypath = \*(Aq/home/olaf/keys/Kbla.foo.+001+60114.private\*(Aq;
\&
\&    $sigrr = create Net::DNS::RR::SIG( $data, $keypath );
\&
\&    $sigrr = create Net::DNS::RR::SIG( $data, $keypath,
\&                                       sigval => 10
\&                                       );
\&    $sigrr\->print;
\&
\&
\&    # Alternatively use Net::DNS::SEC::Private
\&
\&    $private = Net::DNS::SEC::Private\->new($keypath);
\&
\&    $sigrr = create Net::DNS::RR::SIG( $data, $private );
.Ve
.PP
\&\fIcreate()\fR is an alternative constructor for a \s-1SIG RR\s0 object.
.PP
This method returns a \s-1SIG\s0 with the signature over the data made with
the private key stored in the key file.
.PP
The first argument is a scalar that contains the data to be signed.
.PP
The second argument is a string which specifies the path to a file
containing the private key as generated with dnssec-keygen, a program
that comes with the \s-1ISC BIND\s0 distribution.
.PP
The optional remaining arguments consist of ( name => value ) pairs
as follows:
.PP
.Vb 3
\&    sigin  => 20161201010101,   # signature inception
\&    sigex  => 20161201011101,   # signature expiration
\&    sigval => 10,               # validity window (minutes)
.Ve
.PP
The sigin and sigex values may be specified as Perl time values or as
a string with the format 'yyyymmddhhmmss'.  The default for sigin is
the time of signing.
.PP
The sigval argument specifies the signature validity window in minutes
( sigex = sigin + sigval ).
.PP
By default the signature is valid for 10 minutes.
.IP "\(bu" 4
Do not change the name of the file generated by dnssec-keygen: the
create method uses that filename to determine the key owner, the
algorithm and the keyid (keytag).
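.PP
Worked example added here; it is not code from the Net::DNS::SEC distribution. It signs a scalar with create() using an explicit inception and a ten minute validity window, prints the dual-valued time fields, verifies the result with the public KEY from the matching .key file, and shows that altered data and a signature whose window has already closed are not accepted on trust. The key path, the dnssec-keygen invocation and the sample payload are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example (not code from the Net::DNS::SEC distribution): sign a scalar
# with create(), inspect the validity window it records, verify the result with
# the matching public KEY, and show that altered data and a stale SIG are rejected.
use strict;
use warnings;
use Net::DNS;
use Net::DNS::SEC;
use Net::DNS::SEC::Private;
use Net::DNS::RR::SIG;

# Assumption (placeholder path): a key pair generated with
#   dnssec-keygen -T KEY -a RSASHA1 -b 1024 -n HOST signer.example.
# Keep the generated filename: create() derives the owner name, algorithm and
# keytag from it.  The .key file beside it holds the public KEY RR.
my $keypath = $ARGV[0] || '/path/to/Ksigner.example.+005+12345.private';
( my $pubpath = $keypath ) =~ s/\.private$/.key/;

# Read the public KEY RR, skipping the ';' comment lines dnssec-keygen writes.
my ($keyrr) = map { Net::DNS::RR->new($_) } grep { !/^\s*(;|$)/ }
    do { open my $fh, '<', $pubpath or die "cannot open $pubpath: $!"; <$fh> };
die "no KEY RR found in $pubpath" unless $keyrr && $keyrr->type eq 'KEY';

# Constructed sample input.
my $data = 'zone update serial 2017010101';

# Sign with an explicit inception and a ten minute window (sigex = sigin + sigval).
my $private = Net::DNS::SEC::Private->new($keypath);
my $sigrr = Net::DNS::RR::SIG->create( $data, $private, sigin => time(), sigval => 10 );
$sigrr->print;

# The time fields are dual-valued: 'yyyymmddhhmmss' in string context and
# seconds since the epoch in numeric context, so arithmetic needs no parsing.
my $sigin = $sigrr->siginception;
my $sigex = $sigrr->sigexpiration;
printf "inception  %s (%d)\nexpiration %s (%d)\nwindow     %d seconds\n",
    $sigin, $sigin, $sigex, $sigex, $sigex - $sigin;

# Verify with the public key, and report which key the SIG claims was used.
$sigrr->verify( $data, $keyrr ) or die 'verify failed: ' . $sigrr->vrfyerrstr;
printf "verified: signer %s keytag %d algorithm %s\n",
    $sigrr->signame, $sigrr->keytag, $sigrr->algorithm;

# One changed byte in the signed data must be rejected.
my $altered = $data;
substr( $altered, -1, 1 ) = '2';
die 'altered data was accepted' if $sigrr->verify( $altered, $keyrr );
print 'altered data rejected: ', $sigrr->vrfyerrstr, "\n";

# A SIG whose window closed ten minutes ago.  Whatever verify() reports, a
# validator should also compare sigexpiration with its own clock.
my $stale = Net::DNS::RR::SIG->create( $data, $private, sigin => time() - 1200, sigval => 10 );
my $ok = $stale->verify( $data, $keyrr );
printf "stale SIG: verify() %s; expired %d seconds ago by local clock\n",
    ( $ok ? 'accepted it' : 'rejected it (' . $stale->vrfyerrstr . ')' ),
    time() - $stale->sigexpiration;
```
.PP
Run it as perl sign.pl /path/to/Ksigner.example.+005+12345.private once the key pair exists; without a readable .key file it stops at the open() call. The final check is deliberate: the library's own window check is one line of defence, and a validator that relies on it alone has no record of why a signature was accepted or refused.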
.SS "verify"
.IX Subsection "verify"
.Vb 2
\&    $verify = $sigrr\->verify( $data, $keyrr );
\&    $verify = $sigrr\->verify( $data, [$keyrr, $keyrr2, $keyrr3] );
.Ve
.PP
The \fIverify()\fR method performs \s-1SIG0\s0 verification of the specified data
against the signature contained in the \f(CW$sigrr\fR object itself using
the public key in \f(CW$keyrr\fR.
.PP
If a reference to a Net::DNS::Packet is supplied, the method performs
a \s-1SIG0\s0 verification on the packet data.
.PP
The second argument can either be a Net::DNS::RR::KEYRR object or a
reference to an array of such objects.  Verification succeeds as soon
as one of the keys in the array validates the signature.
.PP
Returns false on error and sets \f(CW$sig\fR\->vrfyerrstr.
.SS "vrfyerrstr"
.IX Subsection "vrfyerrstr"
.Vb 2
\&    $sig0 = $packet\->sigrr || die \*(Aqnot signed\*(Aq;
\&    print $sig0\->vrfyerrstr unless $sig0\->verify( $packet, $keyrr );
\&
\&    $sigrr\->verify( $packet, $keyrr ) || die $sigrr\->vrfyerrstr;
.Ve
.SH "REMARKS"
.IX Header "REMARKS"
The code is not optimised for speed.
.PP
If this code is still around in 2100 (not a leap year) you will need to
check for proper handling of times ...
.SH "ACKNOWLEDGMENTS"
.IX Header "ACKNOWLEDGMENTS"
Andy Vaskys (Network Associates Laboratories) supplied the code for
handling \s-1RSA\s0 with \s-1SHA1 \s0(Algorithm 5).
.PP
T.J. Mather, the Crypt::OpenSSL::DSA maintainer, for his quick responses
to bug reports and feature requests.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (c)2001\-2005 \s-1RIPE NCC, \s0 Olaf M. Kolkman
.PP
Copyright (c)2007\-2008 NLnet Labs, Olaf M. Kolkman
.PP
Portions Copyright (c)2014 Dick Franks
.PP
All rights reserved.
.PP
Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.
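.PP
Worked example added here for the verify() and vrfyerrstr methods; it is not code from the Net::DNS::SEC distribution. It signs a query packet with SIG0 on the sending side, then on the receiving side parses the wire bytes, requires a SIG record, selects trusted keys by signer name, and lets verify() decide, reporting vrfyerrstr when it refuses. Tampered and unsigned packets are run through the same path. The key path, the dnssec-keygen invocation, the trust table and the query name are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example (not code from the Net::DNS::SEC distribution): SIG0-sign a
# query, then verify it on the receiving side with the checks a validator
# should wrap around verify() and vrfyerrstr.
use strict;
use warnings;
use Net::DNS;
use Net::DNS::SEC;

# Assumption (placeholder path): a key pair generated with
#   dnssec-keygen -T KEY -a RSASHA1 -b 1024 -n HOST signer.example.
my $keypath = $ARGV[0] || '/path/to/Ksigner.example.+005+12345.private';
( my $pubpath = $keypath ) =~ s/\.private$/.key/;
my ($keyrr) = map { Net::DNS::RR->new($_) } grep { !/^\s*(;|$)/ }
    do { open my $fh, '<', $pubpath or die "cannot open $pubpath: $!"; <$fh> };
die "no KEY RR found in $pubpath" unless $keyrr && $keyrr->type eq 'KEY';

# Trust table (constructed): the KEY RRs accepted for each signer name.
# verify() takes a list, so several keys per signer can be offered at once.
my %trusted = ( lc( $keyrr->name ) => [$keyrr] );

# Sender: build a query and append a SIG0 record to the additional section.
# The signature is computed when the packet is rendered to wire format.
my $query = Net::DNS::Packet->new( 'www.example.', 'A' );
$query->sign_sig0($keypath);
my $wire = $query->data;

# Receiver: parse the bytes, require SIG0, pick keys by signer name, then let
# verify() check the signature.  Returns (accepted, reason).
sub check_sig0 {
    my ($bytes) = @_;
    my $packet = Net::DNS::Packet->new( \$bytes );
    my $sig0 = $packet->sigrr or return ( 0, 'not signed' );
    return ( 0, 'unexpected record type ' . $sig0->type ) unless $sig0->type eq 'SIG';
    my $keys = $trusted{ lc( $sig0->signame ) }
        or return ( 0, 'unknown signer ' . $sig0->signame );
    return ( 0, $sig0->vrfyerrstr ) unless $sig0->verify( $packet, $keys );
    return ( 1, sprintf 'signed by %s (keytag %d), valid until %s',
        $sig0->signame, $sig0->keytag, $sig0->sigexpiration );
}

sub report {
    my ( $label, $bytes ) = @_;
    my ( $ok, $why ) = check_sig0($bytes);
    printf "%-10s %s: %s\n", $label, ( $ok ? 'accepted' : 'rejected' ), $why;
}

report( 'intact', $wire );

# One flipped bit in the first label of the question name (offset 13, just
# past the 12 byte header) still parses but must fail verification.
my $tampered = $wire;
substr( $tampered, 13, 1 ) = substr( $tampered, 13, 1 ) ^ "\x01";
report( 'tampered', $tampered );

# An unsigned query is refused before any cryptography runs.
report( 'unsigned', Net::DNS::Packet->new( 'www.example.', 'A' )->data );
```
.PP
The signer name lookup happens before verify() is called, so a packet signed by an unknown key is refused without consulting the signature at all, and the refusal reason is kept separate from vrfyerrstr. Passing the key list rather than a single key mirrors the array form of the second argument described above.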
.SH "LICENSE"
.IX Header "LICENSE"
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation, and that the name of the author not be used in advertising
or publicity pertaining to distribution of the software without specific
prior written permission.
.PP
\&\s-1THE SOFTWARE IS PROVIDED \*(L"AS IS\*(R", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.\s0
.SH "SEE ALSO"
.IX Header "SEE ALSO"
perl, Net::DNS, Net::DNS::RR, Net::DNS::SEC,
\&\s-1RFC4034, RFC3755, RFC2535, RFC2931, RFC3110, RFC3008,
\&\s0Net::DNS::SEC::DSA, Net::DNS::SEC::RSA
.PP
Algorithm Numbers
.PP
\&\s-1BIND 9\s0 Administrator Reference Manual