1Net::DNS::RR::SIG(3) User Contributed Perl Documentation Net::DNS::RR::SIG(3)
2
6 Net::DNS::RR::SIG - DNS SIG resource record
7
9 use Net::DNS;
10 $rr = Net::DNS::RR->new('name SIG typecovered algorithm labels
11 orgttl sigexpiration siginception
12 keytag signame signature');
13 use Net::DNS::SEC;
15 $sigrr = Net::DNS::RR::SIG->create( $string, $keypath,
16 sigval => 10 # minutes
17 );
18 $sigrr->verify( $string, $keyrr ) || die $sigrr->vrfyerrstr;
20 $sigrr->verify( $packet, $keyrr ) || die $sigrr->vrfyerrstr;
21
23 Class for DNS digital signature (SIG) resource records.
24 In addition to the regular methods inherited from Net::DNS::RR the
26 class contains a method to sign packets and scalar data strings using
27 private keys (create) and a method for verifying signatures.
28 The SIG RR is an implementation of RFC2931. See Net::DNS::RR::RRSIG
30 for an implementation of RFC4034.
31
33 The available methods are those inherited from the base class augmented
34 by the type-specific methods defined in this package.
35 Use of undocumented package features or direct access to internal data
37 structures is discouraged and could result in program termination or
38 other unpredictable behaviour.
39 algorithm
41 $algorithm = $rr->algorithm;
42 The algorithm number field identifies the cryptographic algorithm used
44 to create the signature.
45 algorithm() may also be invoked as a class method or simple function to
47 perform mnemonic and numeric code translation.
48 sigexpiration and siginception times
50 sigex sigin sigval
51 $expiration = $rr->sigexpiration;
52 $expiration = $rr->sigexpiration( $value );
53 $inception = $rr->siginception;
55 $inception = $rr->siginception( $value );
56 The signature expiration and inception fields specify a validity time
58 interval for the signature.
59 The value may be specified by a string with format 'yyyymmddhhmmss' or
61 a Perl time() value.
62 Return values are dual-valued, providing either a string value or
64 numerical Perl time() value.
65 keytag
67 $keytag = $rr->keytag;
68 $rr->keytag( $keytag );
69 The keytag field contains the key tag value of the KEY RR that
71 validates this signature.
72 signame
74 $signame = $rr->signame;
75 $rr->signame( $signame );
76 The signer name field value identifies the owner name of the KEY RR
78 that a validator is supposed to use to validate this signature.
79 signature
81 sig
82 $sig = $rr->sig;
83 $rr->sig( $sig );
84 The Signature field contains the cryptographic signature that covers
86 the SIG RDATA (excluding the Signature field) and the subject data.
87 sigbin
89 $sigbin = $rr->sigbin;
90 $rr->sigbin( $sigbin );
91 Binary representation of the cryptographic signature.
93 create
95 Create a signature over scalar data.
96 use Net::DNS::SEC;
98 $keypath = '/home/olaf/keys/Kbla.foo.+001+60114.private';
100 $sigrr = Net::DNS::RR::SIG->create( $data, $keypath );
102 $sigrr = Net::DNS::RR::SIG->create( $data, $keypath,
104 sigval => 10
105 );
106 $sigrr->print;
107 # Alternatively use Net::DNS::SEC::Private
110 $private = Net::DNS::SEC::Private->new($keypath);
112 $sigrr= Net::DNS::RR::SIG->create( $data, $private );
114 create() is an alternative constructor for a SIG RR object.
116 This method returns a SIG with the signature over the data made with
118 the private key stored in the key file.
119 The first argument is a scalar that contains the data to be signed.
121 The second argument is a string which specifies the path to a file
123 containing the private key as generated using dnssec-keygen, a program
124 that comes with the ISC BIND distribution.
125 The optional remaining arguments consist of ( name => value ) pairs as
127 follows:
128 sigin => 20211201010101, # signature inception
130 sigex => 20211201011101, # signature expiration
131 sigval => 10, # validity window (minutes)
132 The sigin and sigex values may be specified as Perl time values or as a
134 string with the format 'yyyymmddhhmmss'. The default for sigin is the
135 time of signing.
136 The sigval argument specifies the signature validity window in minutes
138 ( sigex = sigin + sigval ).
139 By default the signature is valid for 10 minutes.
141 • Do not change the name of the private key file. The create method
143 uses the filename as generated by dnssec-keygen to determine the
144 keyowner, algorithm, and the keyid (keytag).
145 verify
147 $verify = $sigrr->verify( $data, $keyrr );
148 $verify = $sigrr->verify( $data, [$keyrr, $keyrr2, $keyrr3] );
149 The verify() method performs SIG0 verification of the specified data
151 against the signature contained in the $sigrr object itself using the
152 public key in $keyrr.
153 If a reference to a Net::DNS::Packet is supplied, the method performs a
155 SIG0 verification on the packet data.
156 The second argument can either be a Net::DNS::RR::KEYRR object or a
158 reference to an array of such objects. Verification will return
159 successful as soon as one of the keys in the array leads to positive
160 validation.
161 Returns false on error and sets $sig->vrfyerrstr
163 vrfyerrstr
165 $sig0 = $packet->sigrr || die 'not signed';
166 print $sig0->vrfyerrstr unless $sig0->verify( $packet, $keyrr );
167 $sigrr->verify( $packet, $keyrr ) || die $sigrr->vrfyerrstr;
169
171 The code is not optimised for speed.
172 If this code is still around in 2100 (not a leap year) you will need to
174 check for proper handling of times after 28th February.
175
177 Although their original code may have disappeared following redesign of
178 Net::DNS, Net::DNS::SEC and the OpenSSL API, the following individual
179 contributors deserve to be recognised for their significant influence
180 on the development of the SIG package.
181 Andy Vaskys (Network Associates Laboratories) supplied code for RSA.
183 T.J. Mather provided support for the DSA algorithm.
185
187 Copyright (c)2001-2005 RIPE NCC, Olaf M. Kolkman
188 Copyright (c)2007-2008 NLnet Labs, Olaf M. Kolkman
190 Portions Copyright (c)2014 Dick Franks
192 All rights reserved.
194 Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.
196
198 Permission to use, copy, modify, and distribute this software and its
199 documentation for any purpose and without fee is hereby granted,
200 provided that the original copyright notices appear in all copies and
201 that both copyright notice and this permission notice appear in
202 supporting documentation, and that the name of the author not be used
203 in advertising or publicity pertaining to distribution of the software
204 without specific prior written permission.
205 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
207 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
208 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
209 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
210 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
211 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
212 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
213
215 perl, Net::DNS, Net::DNS::RR, Net::DNS::SEC, RFC2536, RFC2931, RFC3110,
216 RFC4034
217 Algorithm Numbers <http://www.iana.org/assignments/dns-sec-alg-numbers>
219 BIND Administrator Reference Manual <http://bind.isc.org/>
221perl v5.34.1 2022-06-08 Net::DNS::RR::SIG(3)