Net::DNS::RR::RRSIG man page on OpenServer

RR::RRSIG(3)	      User Contributed Perl Documentation	  RR::RRSIG(3)

NAME
       Net::DNS::RR::RRSIG - DNS RRSIG resource record

SYNOPSIS
       "use Net::DNS::RR;"

DESCRIPTION
       Class for DNS RRSIG resource records. In addition to the regular
       methods in Net::DNS::RR, the class contains a method to sign RRsets
       using private keys (create) and a method for verifying signatures
       over RRsets (verify).

       The RRSIG RR is an implementation of RFC 4034.  See Net::DNS::RR::SIG
       for an implementation of SIG0 (RFC 2931).

METHODS
       create

       Create a signature over an RRset.

           my $keypath=
                   "/home/olaf/keys/Kbla.foo.+001+60114.private";
           my $sigrr= create Net::DNS::RR::RRSIG(\@datarrset,
                                               $keypath);
           my $sigrr= create Net::DNS::RR::RRSIG(\@datarrset,
                                               $keypath,
                                               %arguments);
           $sigrr->print;

           # Alternatively use Net::DNS::SEC::Private

           my $private=Net::DNS::SEC::Private->new(
               "/home/olaf/keys/Kbla.foo.+001+60114.private");
           my $sigrr= create Net::DNS::RR::RRSIG(\@datarrset,
                                                 $private);

       create is an alternative constructor for an RRSIG RR object.

       The first argument is a reference to an array that contains the
       RRset that needs to be signed.

       The second argument is a string containing the path to a file
       containing the private key as generated with dnssec-keygen, a program
       that comes with the BIND distribution.

       The third argument is a hash containing the following possible
       arguments:

	   ( ttl => 3600,			 # TTL
	     sigin =>	20010501010101,		 # signature inception
	     sigex =>	20010501010101,		 # signature expiration
	     sigval => 1.5			 # signature validity
	     )

       The default for the ttl is 3600 seconds. sigin and sigex need to be
       specified in the format 'yyyymmddhhmmss'. The default for sigin is
       the time of signing.

       sigval is the validity of the signature in minutes for SIG0s and days
       for other signatures (sigex=sigin+sigval).  If sigval is specified then
       sigex is ignored. The default for sigval is 5 minutes for SIG0s and 30
       days for other types of signatures.

       Notes:

       - Do not change the name of the file generated by dnssec-keygen; the
         create method uses the filename as generated by dnssec-keygen to
         determine the key owner, algorithm and key id (keytag).

       - Only RSA signatures (algorithm 1) and DSA signatures (algorithm 3)
	 have been implemented.

       typecovered

	   print "typecovered =", $rr->typecovered, "\n"

       Returns the qtype covered by the sig.

       algorithm

	   print "algorithm =", $rr->algorithm, "\n"

       Returns the algorithm number used for the signature.

       labels

	   print "labels =", $rr->labels, "\n"

       Returns the number of labels of the RRs over which the sig was made.

       orgttl

	   print "orgttl =", $rr->orgttl, "\n"

       Returns the original TTL of the RRs covered by the signature.

       sigexpiration

	   print "sigexpiration =", $rr->sigexpiration, "\n"

       Returns the expiration date of the signature.

       siginception

	   print "siginception =", $rr->siginception, "\n"

       Returns the date the signature was incepted.

       keytag

	   print "keytag =", $rr->keytag, "\n"

       Returns the keytag (key id) of the key the sig was made with.  Read
       "KeyID Bug in bind." below.

       signame

	   print "signame =", $rr->signame, "\n"

       Returns the name of the public KEY RRs this sig was made with.

       sig

	   print "sig =", $rr->sig, "\n"

       Returns the base64 representation of the signature.

       verify and vrfyerrstr

	   $sigrr->verify($data, $keyrr) || croak $sigrr->vrfyerrstr;
	   $sigrr->verify($data, [$keyrr, $keyrr2, $keyrr3]) ||
			 croak $sigrr->vrfyerrstr;

       If $data contains a reference to an array of RR objects then the
       method verifies the RRset against the signature contained in the $sigrr
       object itself using the public key in $keyrr.  Because of the KeyID bug
       in bind (see below) a check on the keyid is not performed.

       If $data contains a reference to a Net::DNS::Packet and $sig->type
       equals zero, a SIG0 verification is performed. Note that the signature
       needs to be 'popped' from the packet before verifying.

       The second argument can either be a Net::DNS::RR::KEYRR object or a
       reference to an array of such objects. Verification will return
       successful as soon as one of the keys in the array leads to positive
       validation.

       Returns 0 on error and sets $sig->vrfyerrstr.

       Example

          # pop the SIG0 RR from the packet before verifying the packet itself
          my $sigrr=$update->pop("additional");
          print $sigrr->vrfyerrstr unless $sigrr->verify($update, $keyrr);
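       The following is an added example, not code from the man page, that
       ties the create and verify methods together: it signs a constructed
       RRset with a dnssec-keygen key pair, then performs the keytag and
       validity-window checks that verify itself skips before calling it.
       The key path is a placeholder; the matching .key file is assumed to
       sit beside the .private file (dnssec-keygen's naming convention), and
       the time fields are assumed to be in the yyyymmddhhmmss form described
       above.

```perl
#!/usr/bin/perl
# Added example: sign an RRset with create(), then verify it with the
# extra checks a validator wants. Assumes a dnssec-keygen key pair whose
# .private file is $keypath (placeholder path) and whose .key file sits
# beside it.
use strict;
use warnings;
use POSIX qw(strftime);
use Net::DNS;
use Net::DNS::RR::RRSIG;

my $keypath = $ARGV[0] || "/path/to/keys/Kbla.foo.+001+60114.private";
(my $pubpath = $keypath) =~ s/\.private$/.key/;   # dnssec-keygen naming

# Constructed sample RRset: every RR must share name, class, type and TTL.
my @rrset = map { Net::DNS::RR->new($_) }
    "bla.foo. 3600 IN A 192.0.2.1",
    "bla.foo. 3600 IN A 192.0.2.2";

# Sign with a one-day validity window (sigval is in days for RRSIGs).
my $sigrr = create Net::DNS::RR::RRSIG(\@rrset, $keypath, (sigval => 1));
$sigrr->print;

# Load the public key: the .key file holds one DNSKEY line plus ';'
# comment lines, which are skipped here.
open my $fh, '<', $pubpath or die "cannot open $pubpath: $!";
my ($keyrr) = map { Net::DNS::RR->new($_) } grep { !/^\s*(;|$)/ } <$fh>;
close $fh;

# verify() deliberately skips the keytag check (see the KeyID bug note),
# so do it here, and reject signatures outside their validity window.
my $now = strftime("%Y%m%d%H%M%S", gmtime);
die "keytag mismatch: sig ", $sigrr->keytag, " key ", $keyrr->keytag, "\n"
    if $sigrr->keytag != $keyrr->keytag;
die "signature not yet valid (inception ", $sigrr->siginception, ")\n"
    if $now lt $sigrr->siginception;
die "signature expired (expiration ", $sigrr->sigexpiration, ")\n"
    if $now gt $sigrr->sigexpiration;

$sigrr->verify(\@rrset, $keyrr)
    or die "verify failed: ", $sigrr->vrfyerrstr, "\n";
print "RRSIG over ", scalar(@rrset), " ", $sigrr->typecovered,
      " records verified with key tag ", $sigrr->keytag, "\n";
```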

REMARKS
       - The code is not optimized for speed whatsoever. It is probably not
       suitable for signing large zones.

TODO
       - Clean up the code.

       - If this code is still around by 2030 you have a few years to check
       the proper handling of times...

       - Add wildcard handling

ACKNOWLEDGMENTS
       Andy Vaskys (Network Associates Laboratories) supplied the code for
       handling RSA with SHA1 (Algorithm 5).

       Chris Reinhardt for maintaining Net::DNS.

       T.J. Mather, <tjmather@tjmather.com>, the Crypt::OpenSSL::DSA
       maintainer, for his quick responses to bug reports and feature requests.

COPYRIGHT
       Copyright (c) 2001 - 2005  RIPE NCC.  Author Olaf M. Kolkman
       <olaf@net-dns.org>

       All Rights Reserved

       Permission to use, copy, modify, and distribute this software and its
       documentation for any purpose and without fee is hereby granted,
       provided that the above copyright notice appear in all copies and that
       both that copyright notice and this permission notice appear in
       supporting documentation, and that the name of the author not be used
       in advertising or publicity pertaining to distribution of the software
       without specific, written prior permission.

       THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
       INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO
       EVENT SHALL AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
       DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
       PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
       ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
       THIS SOFTWARE.

       Based on, and contains, code by Copyright (c) 1997 Michael Fuhr.

       This code uses Crypt::OpenSSL, which uses the OpenSSL library.

SEE ALSO
       <http://www.net-dns.org/>

       perl(1), Net::DNS, Net::DNS::Resolver, Net::DNS::Packet,
       Net::DNS::Header, Net::DNS::Question, Net::DNS::RR, Crypt::OpenSSL::RSA,
       Crypt::OpenSSL::DSA, Net::DNS::SEC::Private, RFC 4034

perl v5.8.8			  2006-02-14			  RR::RRSIG(3)