{
    "content": [
        {
            "type": "text",
            "text": "# Net::DNS::RR::RRSIG (perldoc)\n\n## NAME\n\nNet::DNS::RR::RRSIG - DNS RRSIG resource record\n\n## SYNOPSIS\n\nuse Net::DNS;\n$rr = Net::DNS::RR->new('name RRSIG typecovered algorithm labels\norgttl sigexpiration siginception\nkeytag signame signature');\nuse Net::DNS::SEC;\n$sigrr = Net::DNS::RR::RRSIG->create( \\@rrset, $keypath,\nsigex => 20211231010101,\nsigin => 20211201010101\n);\n$sigrr->verify( \\@rrset, $keyrr ) || die $sigrr->vrfyerrstr;\n\n## DESCRIPTION\n\nClass for DNS digital signature (RRSIG) resource records.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **METHODS** (2 subsections)\n- **KEY GENERATION**\n- **REMARKS**\n- **ACKNOWLEDGMENTS**\n- **COPYRIGHT**\n- **LICENSE**\n- **SEE ALSO**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n"
        }
    ],
    "structuredContent": {
        "command": "Net::DNS::RR::RRSIG",
        "section": "",
        "mode": "perldoc",
        "summary": "Net::DNS::RR::RRSIG - DNS RRSIG resource record",
        "synopsis": "use Net::DNS;\n$rr = Net::DNS::RR->new('name RRSIG typecovered algorithm labels\norgttl sigexpiration siginception\nkeytag signame signature');\nuse Net::DNS::SEC;\n$sigrr = Net::DNS::RR::RRSIG->create( \\@rrset, $keypath,\nsigex => 20211231010101,\nsigin => 20211201010101\n);\n$sigrr->verify( \\@rrset, $keyrr ) || die $sigrr->vrfyerrstr;",
        "tldr_summary": null,
        "tldr_examples": [],
        "tldr_source": null,
        "flags": [],
        "examples": [],
        "see_also": [],
        "section_outline": [
            {
                "name": "NAME",
                "lines": 2,
                "subsections": []
            },
            {
                "name": "SYNOPSIS",
                "lines": 13,
                "subsections": []
            },
            {
                "name": "DESCRIPTION",
                "lines": 9,
                "subsections": []
            },
            {
                "name": "METHODS",
                "lines": 16,
                "subsections": [
                    {
                        "name": "algorithm",
                        "lines": 80
                    },
                    {
                        "name": "create",
                        "lines": 43
                    }
                ]
            },
            {
                "name": "KEY GENERATION",
                "lines": 12,
                "subsections": []
            },
            {
                "name": "REMARKS",
                "lines": 6,
                "subsections": []
            },
            {
                "name": "ACKNOWLEDGMENTS",
                "lines": 13,
                "subsections": []
            },
            {
                "name": "COPYRIGHT",
                "lines": 10,
                "subsections": []
            },
            {
                "name": "LICENSE",
                "lines": 12,
                "subsections": []
            },
            {
                "name": "SEE ALSO",
                "lines": 6,
                "subsections": []
            }
        ],
        "sections": {
            "NAME": {
                "content": "Net::DNS::RR::RRSIG - DNS RRSIG resource record\n",
                "subsections": []
            },
            "SYNOPSIS": {
                "content": "use Net::DNS;\n$rr = Net::DNS::RR->new('name RRSIG typecovered algorithm labels\norgttl sigexpiration siginception\nkeytag signame signature');\n\nuse Net::DNS::SEC;\n$sigrr = Net::DNS::RR::RRSIG->create( \\@rrset, $keypath,\nsigex => 20211231010101,\nsigin => 20211201010101\n);\n\n$sigrr->verify( \\@rrset, $keyrr ) || die $sigrr->vrfyerrstr;\n",
                "subsections": []
            },
            "DESCRIPTION": {
                "content": "Class for DNS digital signature (RRSIG) resource records.\n\nIn addition to the regular methods inherited from Net::DNS::RR the class contains a method to\nsign RRsets using private keys (create) and a method for verifying signatures over RRsets\n(verify).\n\nThe RRSIG RR is an implementation of RFC4034. See Net::DNS::RR::SIG for an implementation of\nSIG0 (RFC2931).\n",
                "subsections": []
            },
            "METHODS": {
                "content": "The available methods are those inherited from the base class augmented by the type-specific\nmethods defined in this package.\n\nUse of undocumented package features or direct access to internal data structures is discouraged\nand could result in program termination or other unpredictable behaviour.\n\ntypecovered\n$typecovered = $rr->typecovered;\n\nThe typecovered field identifies the type of the RRset that is covered by this RRSIG record.\n\nalgorithm\n$algorithm = $rr->algorithm;\n\nThe algorithm number field identifies the cryptographic algorithm used to create the signature.\n",
                "subsections": [
                    {
                        "name": "algorithm",
                        "content": "numeric code translation.\n\nlabels\n$labels = $rr->labels;\n$rr->labels( $labels );\n\nThe labels field specifies the number of labels in the original RRSIG RR owner name.\n\norgttl\n$orgttl = $rr->orgttl;\n$rr->orgttl( $orgttl );\n\nThe original TTL field specifies the TTL of the covered RRset as it appears in the authoritative\nzone.\n\nsigexpiration and siginception times\nsigex sigin sigval\n$expiration = $rr->sigexpiration;\n$expiration = $rr->sigexpiration( $value );\n\n$inception = $rr->siginception;\n$inception = $rr->siginception( $value );\n\nThe signature expiration and inception fields specify a validity time interval for the\nsignature.\n\nThe value may be specified by a string with format 'yyyymmddhhmmss' or a Perl time() value.\n\nReturn values are dual-valued, providing either a string value or numerical Perl time() value.\n\nkeytag\n$keytag = $rr->keytag;\n$rr->keytag( $keytag );\n\nThe keytag field contains the key tag value of the DNSKEY RR that validates this signature.\n\nsigname\n$signame = $rr->signame;\n$rr->signame( $signame );\n\nThe signer name field value identifies the owner name of the DNSKEY RR that a validator is\nsupposed to use to validate this signature.\n\nsignature\nsig\n$sig = $rr->sig;\n$rr->sig( $sig );\n\nThe Signature field contains the cryptographic signature that covers the RRSIG RDATA (excluding\nthe Signature field) and the RRset specified by the RRSIG owner name, RRSIG class, and RRSIG\ntype covered fields.\n\nsigbin\n$sigbin = $rr->sigbin;\n$rr->sigbin( $sigbin );\n\nBinary representation of the cryptographic signature.\n\ncreate\nCreate a signature over a RR set.\n\nuse Net::DNS::SEC;\n\n$keypath = '/home/olaf/keys/Kbla.foo.+001+60114.private';\n\n$sigrr = Net::DNS::RR::RRSIG->create( \\@rrsetref, $keypath );\n\n$sigrr = Net::DNS::RR::RRSIG->create( \\@rrsetref, $keypath,\nsigex => 20211231010101,\nsigin => 20211201010101\n);\n$sigrr->print;\n\n\n# Alternatively use Net::DNS::SEC::Private\n\n$private = Net::DNS::SEC::Private->new($keypath);\n\n$sigrr = Net::DNS::RR::RRSIG->create( \\@rrsetref, $private );\n"
                    },
                    {
                        "name": "create",
                        "content": "This method returns an RRSIG with the signature over the subject rrset (an array of RRs) made\nwith the private key stored in the key file.\n\nThe first argument is a reference to an array that contains the RRset that needs to be signed.\n\nThe second argument is a string which specifies the path to a file containing the private key as\ngenerated by dnssec-keygen.\n\nThe optional remaining arguments consist of ( name => value ) pairs as follows:\n\nsigex  => 20211231010101,       # signature expiration\nsigin  => 20211201010101,       # signature inception\nsigval => 30,                   # validity window (days)\nttl    => 3600                  # TTL\n\nThe sigin and sigex values may be specified as Perl time values or as a string with the format\n'yyyymmddhhmmss'. The default for sigin is the time of signing.\n\nThe sigval argument specifies the signature validity window in days ( sigex = sigin + sigval ).\n\nBy default the signature is valid for 30 days.\n\nBy default the TTL matches the RRset that is presented for signing.\n\nverify\n$verify = $sigrr->verify( $rrsetref, $keyrr );\n$verify = $sigrr->verify( $rrsetref, [$keyrr, $keyrr2, $keyrr3] );\n\n$rrsetref contains a reference to an array of RR objects and the method verifies the RRset\nagainst the signature contained in the $sigrr object itself using the public key in $keyrr.\n\nThe second argument can either be a Net::DNS::RR::KEYRR object or a reference to an array of\nsuch objects. Verification will return successful as soon as one of the keys in the array leads\nto positive validation.\n\nReturns 0 on error and sets $sig->vrfyerrstr\n\nvrfyerrstr\n$verify = $sigrr->verify( $rrsetref, $keyrr );\nprint $sigrr->vrfyerrstr unless $verify;\n\n$sigrr->verify( $rrsetref, $keyrr ) || die $sigrr->vrfyerrstr;\n"
                    }
                ]
            },
            "KEY GENERATION": {
                "content": "Private key files and corresponding public DNSKEY records are most conveniently generated using\ndnssec-keygen, a program that comes with the ISC BIND distribution.\n\ndnssec-keygen -a 10 -b 2048 -f ksk  rsa.example.\ndnssec-keygen -a 10 -b 1024         rsa.example.\n\ndnssec-keygen -a 14 -f ksk  ecdsa.example.\ndnssec-keygen -a 14         ecdsa.example.\n\nDo not change the name of the private key file. The create method uses the filename as generated\nby dnssec-keygen to determine the keyowner, algorithm, and the keyid (keytag).\n",
                "subsections": []
            },
            "REMARKS": {
                "content": "The code is not optimised for speed. It is probably not suitable to be used for signing large\nzones.\n\nIf this code is still around in 2100 (not a leap year) you will need to check for proper\nhandling of times after 28th February.\n",
                "subsections": []
            },
            "ACKNOWLEDGMENTS": {
                "content": "Although their original code may have disappeared following redesign of Net::DNS, Net::DNS::SEC\nand the OpenSSL API, the following individual contributors deserve to be recognised for their\nsignificant influence on the development of the RRSIG package.\n\nAndy Vaskys (Network Associates Laboratories) supplied code for RSA.\n\nT.J. Mather provided support for the DSA algorithm.\n\nDick Franks added support for elliptic curve and Edwards curve algorithms.\n\nMike McCauley created the Crypt::OpenSSL::ECDSA perl extension module specifically for this\ndevelopment.\n",
                "subsections": []
            },
            "COPYRIGHT": {
                "content": "Copyright (c)2001-2005 RIPE NCC, Olaf M. Kolkman\n\nCopyright (c)2007-2008 NLnet Labs, Olaf M. Kolkman\n\nPortions Copyright (c)2014 Dick Franks\n\nAll rights reserved.\n\nPackage template (c)2009,2012 O.M.Kolkman and R.W.Franks.\n",
                "subsections": []
            },
            "LICENSE": {
                "content": "Permission to use, copy, modify, and distribute this software and its documentation for any\npurpose and without fee is hereby granted, provided that the original copyright notices appear\nin all copies and that both copyright notice and this permission notice appear in supporting\ndocumentation, and that the name of the author not be used in advertising or publicity\npertaining to distribution of the software without specific prior written permission.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING\nBUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND\nNONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,\nDAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n",
                "subsections": []
            },
            "SEE ALSO": {
                "content": "perl, Net::DNS, Net::DNS::RR, Net::DNS::SEC, RFC4034\n\nAlgorithm Numbers <http://www.iana.org/assignments/dns-sec-alg-numbers>\n\nBIND Administrator Reference Manual <http://bind.isc.org/>\n",
                "subsections": []
            }
        }
    }
}