RR::SIG(3)            User Contributed Perl Documentation           RR::SIG(3)

NAME
    Net::DNS::RR::SIG - DNS SIG resource record

SYNOPSIS
        use Net::DNS::RR;

DESCRIPTION
    IMPORTANT: For any use other than SIG(0) transaction signatures the SIG
    RR has been deprecated (RFC 3755). Use the RRSIG RR instead for signing
    RRsets.

    All functionality currently remains present, although a warning will be
    printed at the first use of the create and verify methods.

    Class for DNS Signature (SIG) resource records. In addition to the
    regular methods in Net::DNS::RR, the class contains a method to sign
    packets and RRsets using private keys (create) and a method for
    verifying those signatures (verify).

    The SIG RR is an implementation of RFC 2931 (SIG(0)); the record format
    itself was originally defined in RFC 2535.

SIG0 Support
    When Net::DNS::RR::SIG.pm is available, the Net::DNS::Packet module has
    the ability to sign packets with SIG(0). See Net::DNS::Packet for
    details.

        use Net::DNS;

        # Private key as written by dnssec-keygen; keep the generated
        # file name, it encodes the owner name, algorithm and key tag.
        my $keypathrsa = "Ktest.example.+001+11567.private";
        my $update1    = Net::DNS::Update->new("test.example");

        $update1->push("update", Net::DNS::rr_add("foo.test.example 3600 IN A 10.0.0.1"));
        $update1->sign_sig0($keypathrsa);   # SIG(0) is appended to the additional section

METHODS
  create
    create is an alternative constructor for a SIG RR object.

    You are advised to create a packet object and then use its sign_sig0
    method to create a SIG(0) signature.

    To create a signature over a packet (SIG(0)) you can use the following
    alternative recipe:

        my $keypath = "/home/olaf/keys/Kbla.foo.+001+60114.private";

        $sig0 = Net::DNS::RR::SIG->create('', $keypath);
        $packet->push('additional', $sig0) if $sig0;
        $packet->data;   # the actual SIG(0) calculation is done when the
                         # data method on the packet is called

    The first argument to the create method must be an empty string in
    order for the SIG(0) magic to work.

    The second argument is a string containing the path to a file
    containing the private key as generated with dnssec-keygen, a program
    that comes with the BIND distribution.

    The third argument is an anonymous hash containing the following
    possible arguments:

        ( ttl    => 3600,            # TTL
          sigin  => 20010501010101,  # signature inception
          sigex  => 20010501010101,  # signature expiration
          sigval => 1.5              # signature validity
        )

    The default for the ttl is 3600 seconds. sigin and sigex need to be
    specified in the format 'yyyymmddhhmmss'. The default for sigin is the
    time of signing.

    sigval is the validity of the signature in minutes. If sigval is
    specified then sigex is ignored. The default for sigval is 5 minutes.

    Note that for SIG(0) signatures the default sigin is calculated at the
    moment the object is created, not at the moment that the packet is put
    on the wire. A verifier that checks the inception and expiration times
    will therefore reject a packet whose SIG RR was created long before the
    packet was sent; with the 5 minute default, create the SIG RR
    immediately before sending.

    Notes:

    - Do not change the name of the file generated by dnssec-keygen: the
      create method uses the filename as generated by dnssec-keygen to
      determine the key owner, the algorithm and the key id (keytag).

    - Only RSA signatures (algorithms 1 and 5) and DSA signatures
      (algorithm 3) have been implemented.

  typecovered
        print "typecovered = ", $rr->typecovered, "\n";

    Returns the type covered by the SIG (should be TYPE000 with common
    SIG(0) usage, since a SIG(0) covers no RR type).

  algorithm
        print "algorithm = ", $rr->algorithm, "\n";

    Returns the algorithm number used for the signature.

  sigexpiration
        print "sigexpiration = ", $rr->sigexpiration, "\n";

    Returns the expiration date of the signature.

  siginception
        print "siginception = ", $rr->siginception, "\n";

    Returns the inception date of the signature.

  keytag
        print "keytag = ", $rr->keytag, "\n";

    Returns the keytag (key id) of the key the signature was made with.

  signame
        print "signame = ", $rr->signame, "\n";

    Returns the name of the public KEY RR this signature was made with.
    (Note: the name does not contain a trailing dot.)

  sig
        print "sig = ", $rr->sig, "\n";

    Returns the base64 representation of the signature.

  verify and vrfyerrstr
        my $sigrr = $update1->pop("additional");
        $sigrr->verify($packet, $keyrr) || croak $sigrr->vrfyerrstr;

    If the first argument is a Net::DNS::Packet object and $sig->typecovered
    equals zero, a SIG(0) verification is performed. Note that the SIG RR
    needs to be popped from the additional section of the packet before
    verifying, because the signature covers the packet without it.

    Returns 0 on error and sets $sig->vrfyerrstr to a description of the
    failure. A successful return only means that the signature was made
    with the KEY RR passed as the second argument; whether that key is
    trusted to sign on behalf of the packet's origin is a decision the
    caller must make before calling verify.

    Example

        my $sigrr = $packet->pop("additional");
        print $sigrr->vrfyerrstr unless $sigrr->verify($packet, $keyrr);
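
    The following is an added example, not code from this manual page or
    from Net::DNS itself. It combines the create recipe above with the
    verify method into a complete SIG(0) round trip: the signer attaches a
    SIG(0) with a short validity to an UPDATE, and the verifier binds the
    signature to a table of trusted KEY RRs (by signer name and key tag),
    checks the validity window explicitly, and only then calls verify. It
    assumes a SIG(0) key pair generated with BIND's dnssec-keygen (the
    -n HOST -T KEY flags produce a KEY record rather than a DNSKEY), that
    the two file paths are given on the command line (hypothetical), that
    siginception/sigexpiration return the same 'yyyymmddhhmmss' strings
    that sigin/sigex accept, and that typecovered reads TYPE0 or TYPE000
    for a SIG(0).

```perl
#!/usr/bin/perl
# Added example (not part of Net::DNS): SIG(0) sign / verify round trip.
#
# Assumes a SIG(0) key pair generated with BIND's dnssec-keygen, e.g.
#   dnssec-keygen -a RSASHA1 -b 1024 -n HOST -T KEY test.example
# which writes Ktest.example.+005+<tag>.private and Ktest.example.+005+<tag>.key.
# Both file names must stay as generated; they are taken from the command line.
use strict;
use warnings;
use POSIX qw(strftime);
use Net::DNS;
use Net::DNS::RR::SIG;    # shipped with Net::DNS::SEC

my ( $privfile, $pubfile ) = @ARGV;
die "usage: $0 K<name>+<alg>+<tag>.private K<name>+<alg>+<tag>.key\n"
    unless defined $pubfile;

# ---- Signer: build an UPDATE and attach a SIG(0) with a 2 minute validity.
my $update = Net::DNS::Update->new('test.example');
$update->push( update => rr_add('foo.test.example 3600 IN A 10.0.0.1') );

my $sig0 = Net::DNS::RR::SIG->create( '', $privfile, { sigval => 2 } )
    or die "could not create SIG(0) from $privfile\n";
$update->push( additional => $sig0 );
my $wire = $update->data;    # the signature is computed here, over the
                             # packet exactly as it is at this moment

# ---- Verifier: trusted KEY RRs are loaded from the .key file and indexed
# by owner name and key tag. In a server this table *is* the access policy:
# a signer that is not in it is rejected, never looked up on the fly.
my %trusted;
open my $fh, '<', $pubfile or die "$pubfile: $!\n";
while ( my $line = <$fh> ) {
    next if $line =~ /^\s*(;|$)/;    # skip comments and blank lines
    my $rr = Net::DNS::RR->new($line) or next;
    next unless $rr->type eq 'KEY';
    $trusted{ lc $rr->name }{ $rr->keytag } = $rr;
}
close $fh;

my $received = Net::DNS::Packet->new( \$wire );    # parse from wire format
print verify_sig0( $received, \%trusted ) ? "SIG(0) accepted\n"
                                          : "SIG(0) rejected\n";

# Returns 1 if $packet carries a SIG(0) made with a key in %$keys that is
# currently within its validity window and verifies; 0 otherwise.
sub verify_sig0 {
    my ( $packet, $keys ) = @_;

    # RFC 2931: the SIG(0) is the last RR of the additional section and the
    # signature covers the packet without it, so pop it off first.
    my $sig = $packet->pop('additional');
    unless ( $sig and $sig->type eq 'SIG' and $sig->typecovered =~ /^TYPE0+$/ ) {
        warn "no SIG(0) record in packet\n";
        return 0;
    }

    # Bind the signature to a trusted key: both the signer name and the key
    # tag must match. signame() and name() carry no trailing dot (as this
    # page documents); owner names are compared case-insensitively.
    my $key = $keys->{ lc $sig->signame }{ $sig->keytag };
    unless ($key) {
        warn sprintf "untrusted signer %s (keytag %d)\n", $sig->signame, $sig->keytag;
        return 0;
    }

    # Explicit validity window check, independent of whatever the library
    # checks internally. Assumption: siginception/sigexpiration return
    # 'yyyymmddhhmmss' strings; the format is fixed-width, so a plain string
    # comparison orders the timestamps correctly.
    my $now = strftime( '%Y%m%d%H%M%S', gmtime );
    if ( $now lt $sig->siginception or $now gt $sig->sigexpiration ) {
        warn sprintf "SIG(0) outside validity window (%s .. %s, now %s)\n",
            $sig->siginception, $sig->sigexpiration, $now;
        return 0;
    }

    # Only now is the expensive public-key operation performed.
    unless ( $sig->verify( $packet, $key ) ) {
        warn "signature verification failed: " . $sig->vrfyerrstr . "\n";
        return 0;
    }
    return 1;
}
```

    The order of the checks is deliberate: the cheap policy decisions
    (is there a SIG(0), do we trust this signer and key tag, is the
    signature still valid) are made before the RSA or DSA verification, so
    an unsolicited packet signed by an unknown key costs the verifier no
    public-key operation at all.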
141
Remarks
    - The code is not optimized for speed whatsoever. It is probably not
      suitable to be used for signing large zones.

TODO
    - Clean up the code; it still contains some cruft left from the times
      that the SIG RR was used for signing packets and RR sets.

    - If this code is still around by 2030 you have a few years to check
      the proper handling of times...

ACKNOWLEDGMENTS
    Andy Vaskys (Network Associates Laboratories) supplied the code for
    handling RSA with SHA1 (algorithm 5).

    Chris Reinhardt for maintaining Net::DNS.

    T.J. Mather, <tjmather@tjmather.com>, the Crypt::OpenSSL::DSA
    maintainer, for his quick responses to bug reports and feature requests.

COPYRIGHT
    Copyright (c) 2001-2005 RIPE NCC. Author Olaf M. Kolkman
    <olaf@net-dns.org>

    All Rights Reserved

    Permission to use, copy, modify, and distribute this software and its
    documentation for any purpose and without fee is hereby granted,
    provided that the above copyright notice appear in all copies and that
    both that copyright notice and this permission notice appear in
    supporting documentation, and that the name of the author not be used
    in advertising or publicity pertaining to distribution of the software
    without specific, written prior permission.

    THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
    INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO
    EVENT SHALL AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
    DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
    PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
    THIS SOFTWARE.

    Based on, and contains, code by Copyright (c) 1997 Michael Fuhr.

    This code uses Crypt::OpenSSL, which uses the OpenSSL library.

SEE ALSO
    http://www.net-dns.org/

    perl(1), Net::DNS, Net::DNS::Resolver, Net::DNS::Packet,
    Net::DNS::Header, Net::DNS::Question, Net::DNS::RR,
    Crypt::OpenSSL::RSA, Crypt::OpenSSL::DSA, RFC 2931.



perl v5.12.3                      2010-03-12                        RR::SIG(3)