Net::DNS::RR::TSIG (3)

Leading comments

Automatically generated by Pod::Man 4.09 (Pod::Simple 3.35)

Standard preamble:
========================================================================

(The comments found at the beginning of the groff file "man3/Net::DNS::RR::TSIG.3pm".)

NAME

Net::DNS::RR::TSIG - DNS TSIG resource record

SYNOPSIS

    use Net::DNS;
    $tsig = create Net::DNS::RR::TSIG( $keyfile,
                                        fudge => 300
                                        );

    $tsig = create Net::DNS::RR::TSIG( $keyname, $key );

DESCRIPTION

Class for Transaction Signature () resource records.

METHODS

The available methods are those inherited from the base class augmented by the type-specific methods defined in this package.

Use of undocumented package features or direct access to internal data structures is discouraged and could result in program termination or other unpredictable behaviour.

algorithm

    $algorithm = $rr->algorithm;
    $rr->algorithm( $algorithm );

A domain name which specifies the name of the algorithm.

key

    $rr->key( $key );

Base64 representation of the key material.

keybin

    $rr->keybin( $keybin );

Binary representation of the key material.

time_signed

    $time_signed = $rr->time_signed;
    $rr->time_signed( $time_signed );

Signing time as the number of seconds since 1 Jan 1970 00:00:00

The default signing time is the current time.

fudge

    $fudge = $rr->fudge;
    $rr->fudge( $fudge );

``fudge'' represents the permitted error in the signing time. The default fudge is 300 seconds.

mac

    $mac = $rr->mac;

Returns the message authentication code (

) as a string of hex characters. The programmer must call the Net::DNS::Packet data() object method before this will return anything meaningful.

macbin

    $macbin = $rr->macbin;
    $rr->macbin( $macbin );

Binary message authentication code (

).

prior_mac

    $prior_mac = $rr->prior_mac;
    $rr->prior_mac( $prior_mac );

Prior message authentication code (

).

prior_macbin

    $prior_macbin = $rr->prior_macbin;
    $rr->prior_macbin( $prior_macbin );

Binary prior message authentication code.

request_mac

    $request_mac = $rr->request_mac;
    $rr->request_mac( $request_mac );

Request message authentication code (

).

request_macbin

    $request_macbin = $rr->request_macbin;
    $rr->request_macbin( $request_macbin );

Binary request message authentication code.

original_id

    $original_id = $rr->original_id;
    $rr->original_id( $original_id );

The message

from the header of the original packet.

error

     $rcode = $tsig->error;

Returns the

covering processing. Common values are and See for details.

other

    $other = $rr->other;
    $rr->other( $other );

This field should be empty unless the error is

in which case it will contain the server time as the number of seconds since 1 Jan 1970 00:00:00

sig_function

    sub signing_function {
        my ( $keybin, $data ) = @_;

        my $hmac = new Digest::HMAC( $keybin, 'Digest::MD5' );
        $hmac->add( $data );
        return $hmac->digest;
    }

    $tsig->sig_function( \&signing_function );

This sets the signing function to be used for this

record. The default signing function is

sig_data

     $sigdata = $tsig->sig_data($packet);

Returns the packet packed according to

in a form for signing. This is only needed if you want to supply an external signing function, such as is needed for TSIG-GSS.

create

    $tsig = create Net::DNS::RR::TSIG( $keyfile );

    $tsig = create Net::DNS::RR::TSIG( $keyfile,
                                        fudge => 300
                                        );

    $tsig = create Net::DNS::RR::TSIG( $keyname, $key );

Returns a

constructed using the parameters in the specified key file, which is assumed to have been generated by dnssec-keygen.

The two argument form is supported for backward compatibility.

verify

    $verify = $tsig->verify( $data );
    $verify = $tsig->verify( $packet );

    $verify = $tsig->verify( $reply,  $query );

    $verify = $tsig->verify( $packet, $prior );

The boolean verify method will return true if the hash over the packet data conforms to the data in the

itself

TSIG Keys

keys are symmetric keys generated using dnssec-keygen:

        $ dnssec-keygen -a HMAC-SHA1 -b 160 -n HOST <keyname>

        The key will be stored as a private and public keyfile pair
        K<keyname>+161+<keyid>.private and K<keyname>+161+<keyid>.key

    where
        <keyname> is the DNS name of the key.

        <keyid> is the (generated) numerical identifier used to
        distinguish this key.

Other algorithms may be substituted for

in the above example.

It is recommended that the keyname be globally unique and incorporate the fully qualified domain names of the resolver and nameserver in that order. It should be possible for more than one key to be in use simultaneously between any such pair of hosts.

Although the formats differ, the private and public keys are identical and both should be stored and handled as secret data.

Configuring BIND Nameserver

The following lines must be added to the /etc/named.conf file:

    key <keyname> {
        algorithm HMAC-SHA1;
        secret "<keydata>";
    };

<keyname> is the name of the key chosen when the key was generated.

<keydata> is the key string extracted from the generated key file.

ACKNOWLEDGMENT

Most of the code in the Net::DNS::RR::TSIG module was contributed by Chris Turbeville.

Support for external signing functions was added by Andrew Tridgell.

verification, keyfile handling and support for and functions was added by Dick Franks.

BUGS

A 32-bit representation of time is used, contrary to which demands 48 bits. This design decision will need to be reviewed before the code stops working on 7 February 2106.

COPYRIGHT

Copyright (c)2002 Michael Fuhr.

Portions Copyright (c)2002-2004 Chris Reinhardt.

Portions Copyright (c)2013 Dick Franks.

All rights reserved.

This program is free software; you may redistribute it and/or modify it under the same terms as Perl itself.

Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.

SEE ALSO

perl, Net::DNS, Net::DNS::RR,