Manual Reference Pages - NET::DNS::RR::SIG (3)
Net::DNS::RR::SIG - DNS SIG resource record
use Net::DNS;
$rr = new Net::DNS::RR('name SIG typecovered algorithm labels
                        orgttl sigexpiration siginception
                        keytag signame signature');

use Net::DNS::SEC;
$sigrr = create Net::DNS::RR::SIG( $string, $keypath,
                                   sigval => 10    # minutes
                                   );

$sigrr->verify( $string, $keyrr ) || die $sigrr->vrfyerrstr;
$sigrr->verify( $packet, $keyrr ) || die $sigrr->vrfyerrstr;
Class for DNS digital signature (SIG) resource records.
In addition to the regular methods inherited from Net::DNS::RR, the
class provides a method (create) that signs packets and scalar data
strings using a private key, and a method (verify) that checks such
signatures against a public KEY RR.
The SIG RR is an implementation of RFC2931.
See Net::DNS::RR::RRSIG for an implementation of RFC4034.
The available methods are those inherited from the base class augmented
by the type-specific methods defined in this package.
Use of undocumented package features or direct access to internal data
structures is discouraged and could result in program termination or
other unpredictable behaviour.
$algorithm = $rr->algorithm;
The algorithm number field identifies the cryptographic algorithm
used to create the signature.
algorithm() may also be invoked as a class method or simple function
to perform mnemonic and numeric code translation.
sigexpiration and siginception times (sigex, sigin, sigval)
$expiration = $rr->sigexpiration;
$expiration = $rr->sigexpiration( $value );
$inception = $rr->siginception;
$inception = $rr->siginception( $value );
The signature expiration and inception fields specify the validity
time interval of the signature; a validator must reject a signature
whose interval does not contain the current time.
The value may be specified as a string with format yyyymmddhhmmss
or as a Perl time() value.
Return values are dual-valued, yielding the yyyymmddhhmmss string in
string context and the numerical Perl time() value in numeric context.
$keytag = $rr->keytag;
$rr->keytag( $keytag );
The keytag field contains the key tag value of the KEY RR that
validates this signature.
$signame = $rr->signame;
$rr->signame( $signame );
The signer name field value identifies the owner name of the KEY
RR that a validator is supposed to use to validate this signature.
$sig = $rr->sig;
$rr->sig( $sig );
The Signature field contains the cryptographic signature that covers
the SIG RDATA (excluding the Signature field) and the subject data.
$sigbin = $rr->sigbin;
$rr->sigbin( $sigbin );
Binary representation of the cryptographic signature.
create - Create a signature over scalar data
    $keypath = '/home/olaf/keys/Kbla.foo.+001+60114.private';

    $sigrr = create Net::DNS::RR::SIG( $data, $keypath );

    $sigrr = create Net::DNS::RR::SIG( $data, $keypath,
                                       sigval => 10
                                       );

    # Alternatively use Net::DNS::SEC::Private
    $private = Net::DNS::SEC::Private->new($keypath);
    $sigrr = create Net::DNS::RR::SIG( $data, $private );
create() is an alternative constructor for a SIG RR object.
This method returns a SIG with the signature over the data made with
the private key stored in the key file.
The first argument is a scalar that contains the data to be signed.
The second argument is a string which specifies the path to a file
containing the private key as generated with dnssec-keygen, a program
that comes with the ISC BIND distribution.
The optional remaining arguments consist of ( name => value ) pairs
as follows:

    sigin  => 20161201010101,    # signature inception
    sigex  => 20161201011101,    # signature expiration
    sigval => 10,                # validity window (minutes)
The sigin and sigex values may be specified as Perl time values or as
a string with the format yyyymmddhhmmss. The default for sigin is
the time of signing.
The sigval argument specifies the signature validity window in minutes
( sigex = sigin + sigval ).
By default the signature is valid for 10 minutes.
Do not rename the file generated by dnssec-keygen: the create method
parses the key owner name, algorithm and key id (keytag) from that
filename. A SIG created from a renamed file carries a signer name or
keytag that no validator can match against the published KEY RR.
$verify = $sigrr->verify( $data, $keyrr );
$verify = $sigrr->verify( $data, [$keyrr, $keyrr2, $keyrr3] );
The verify() method performs SIG0 verification of the specified data
against the signature contained in the $sigrr object itself using
the public key in $keyrr.
If a reference to a Net::DNS::Packet is supplied, the method performs
a SIG0 verification on the packet data.
The second argument can either be a Net::DNS::RR::KEY object or a
reference to an array of such objects. Verification succeeds as soon
as one of the keys in the array verifies the signature.
Returns false on error and sets $sigrr->vrfyerrstr.

    $sig0 = $packet->sigrr || die 'not signed';
    print $sig0->vrfyerrstr unless $sig0->verify( $packet, $keyrr );

    $sigrr->verify( $packet, $keyrr ) || die $sigrr->vrfyerrstr;
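The create() and verify() calls above, worked through end to end, as an added example that is not code from the Net::DNS::SEC distribution. It assumes a KEY pair produced by dnssec-keygen (the file name Khost.example.+008+12345.private is a placeholder; use whatever name dnssec-keygen wrote, unchanged, and run the script from the directory holding both files), and the helper check_sig_against_key() is this example's own wrapper, not a method of the module. It signs and verifies a scalar, shows that tampered data is rejected, then signs a dynamic update with SIG(0) through Net::DNS::Packet's sign_sig0() and verifies it after a wire-format round trip, making the keytag, signer-name and validity-window checks a validator should perform before trusting the result.

```perl
#!/usr/bin/perl
# Added example; not part of the Net::DNS::SEC distribution.
use strict;
use warnings;
use Net::DNS;           # exports rr_add(); provides Net::DNS::Update/Packet
use Net::DNS::SEC;      # enables Net::DNS::RR::SIG->create / ->verify
use Net::DNS::ZoneFile;

# Assumed inputs: a KEY pair produced by
#   dnssec-keygen -T KEY -a RSASHA256 -b 2048 -n HOST host.example.
# Both file names below are hypothetical placeholders. Keep the name
# dnssec-keygen produced: create() parses owner, algorithm and keytag from it.
my $keypath = 'Khost.example.+008+12345.private';
( my $pubpath = $keypath ) =~ s/\.private$/.key/;

# The public KEY RR the verifier uses (the .key file is in zone-file format).
my $keyrr = Net::DNS::ZoneFile->new($pubpath)->read
    or die "cannot read KEY RR from $pubpath";

# Cheap checks a validator makes before the public-key operation. They turn
# "wrong key" and "stale signature" into clear errors; verify() still
# decides whether the signature itself is correct.
sub check_sig_against_key {
    my ( $sig, $key, $now ) = @_;
    $now = time() unless defined $now;
    my $norm = sub { ( my $n = lc shift ) =~ s/\.$//; $n };    # case/dot-insensitive
    return 'keytag mismatch'      unless $sig->keytag == $key->keytag;
    return 'signer name mismatch' unless $norm->( $sig->signame ) eq $norm->( $key->name );
    # siginception/sigexpiration are dual-valued; numeric context gives time() values
    return 'signature not yet valid' if $now < $sig->siginception;
    return 'signature expired'       if $now > $sig->sigexpiration;
    return '';    # empty string: nothing wrong
}

# 1. Signature over an arbitrary scalar (constructed sample payload).
my $data  = 'constructed sample payload, not DNS wire format';
my $sigrr = Net::DNS::RR::SIG->create( $data, $keypath, sigval => 5 );    # 5-minute window

my $err = check_sig_against_key( $sigrr, $keyrr );
die "precheck failed: $err" if $err;
$sigrr->verify( $data, $keyrr ) or die 'verify failed: ' . $sigrr->vrfyerrstr;
print "scalar signature verified\n";

# A modified payload must fail: verify() returns false and sets vrfyerrstr.
( my $tampered = $data ) =~ s/sample/SAMPLE/;
die 'tampered data verified!' if $sigrr->verify( $tampered, $keyrr );
print 'tampered data rejected: ', $sigrr->vrfyerrstr, "\n";

# 2. SIG(0) transaction signature on a dynamic update packet.
my $update = Net::DNS::Update->new( 'example.', 'IN' );
$update->push( update => rr_add('www.example. 300 IN A 192.0.2.1') );
$update->sign_sig0($keypath);    # appends the SIG RR to the additional section

# Round-trip through wire format, as a receiving server would see it.
my $wire     = $update->data;
my $received = Net::DNS::Packet->new( \$wire );

my $sig0 = $received->sigrr or die 'update is not signed';
$err = check_sig_against_key( $sig0, $keyrr );
die "precheck failed: $err" if $err;
$sig0->verify( $received, $keyrr ) or die 'SIG(0) verify failed: ' . $sig0->vrfyerrstr;
print 'SIG(0) verified for update signed by ', $sig0->signame, "\n";
```

The pre-checks deliberately run before verify(): with an array of candidate KEY RRs, filtering on keytag and signer name first avoids trying every key, and an explicit time-window check gives an unambiguous error rather than a generic verification failure when clocks drift beyond the default 10-minute window.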
The code is not optimised for speed.
If this code is still around in 2100 (not a leap year) you will
need to check for proper handling of times ...
Andy Vaskys (Network Associates Laboratories) supplied the code for
handling RSA with SHA1 (Algorithm 5).
T.J. Mather, the Crypt::OpenSSL::DSA maintainer, for his quick
responses to bug report and feature requests.
Copyright (c)2001-2005 RIPE NCC, Olaf M. Kolkman
Copyright (c)2007-2008 NLnet Labs, Olaf M. Kolkman
Portions Copyright (c)2014 Dick Franks
All rights reserved.
Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation, and that the name of the author not be used in advertising
or publicity pertaining to distribution of the software without specific
prior written permission.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.
perl, Net::DNS, Net::DNS::RR, Net::DNS::SEC,
RFC4034, RFC3755, RFC2535, RFC2931, RFC3110, RFC3008,
Algorithm Numbers <http://www.iana.org/assignments/dns-sec-alg-numbers>
BIND 9 Administrator Reference Manual <http://www.bind9.net/manuals>
perl v5.20.3                    NET::DNS::RR::SIG (3)                    2016-03-07