| Current Path : /proc/2/root/usr/local/share/man/man3/ |
| Current File : //proc/2/root/usr/local/share/man/man3/Net::DNS::RR::RRSIG.3pm |
.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.13)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
.el \{\
. de IX
..
.\}
.\" ========================================================================
.\"
.IX Title "Net::DNS::RR::RRSIG 3"
.TH Net::DNS::RR::RRSIG 3 "2019-03-22" "perl v5.10.1" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Net::DNS::RR::RRSIG \- DNS RRSIG resource record
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 4
\& use Net::DNS;
\& $rr = new Net::DNS::RR(\*(Aqname RRSIG typecovered algorithm labels
\& orgttl sigexpiration siginception
\& keytag signame signature\*(Aq);
\&
\& use Net::DNS::SEC;
\& $sigrr = create Net::DNS::RR::RRSIG( \e@rrset, $keypath,
\& sigex => 20191231010101
\& sigin => 20191201010101
\& );
\&
\& $sigrr\->verify( \e@rrset, $keyrr ) || die $sigrr\->vrfyerrstr;
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Class for \s-1DNS\s0 digital signature (\s-1RRSIG\s0) resource records.
.PP
In addition to the regular methods inherited from Net::DNS::RR the
class contains a method to sign RRsets using private keys (create)
and a method for verifying signatures over RRsets (verify).
.PP
The \s-1RRSIG\s0 \s-1RR\s0 is an implementation of \s-1RFC4034\s0.
See Net::DNS::RR::SIG for an implementation of \s-1SIG0\s0 (\s-1RFC2931\s0).
.SH "METHODS"
.IX Header "METHODS"
The available methods are those inherited from the base class augmented
by the type-specific methods defined in this package.
.PP
Use of undocumented package features or direct access to internal data
structures is discouraged and could result in program termination or
other unpredictable behaviour.
.SS "typecovered"
.IX Subsection "typecovered"
.Vb 1
\& $typecovered = $rr\->typecovered;
.Ve
.PP
The typecovered field identifies the type of the RRset that is
covered by this \s-1RRSIG\s0 record.
.SS "algorithm"
.IX Subsection "algorithm"
.Vb 1
\& $algorithm = $rr\->algorithm;
.Ve
.PP
The algorithm number field identifies the cryptographic algorithm
used to create the signature.
.PP
\&\fIalgorithm()\fR may also be invoked as a class method or simple function
to perform mnemonic and numeric code translation.
.SS "labels"
.IX Subsection "labels"
.Vb 2
\& $labels = $rr\->labels;
\& $rr\->labels( $labels );
.Ve
.PP
The labels field specifies the number of labels in the original \s-1RRSIG\s0
\&\s-1RR\s0 owner name.
.SS "orgttl"
.IX Subsection "orgttl"
.Vb 2
\& $orgttl = $rr\->orgttl;
\& $rr\->orgttl( $orgttl );
.Ve
.PP
The original \s-1TTL\s0 field specifies the \s-1TTL\s0 of the covered RRset as it
appears in the authoritative zone.
.SS "sigexpiration and siginception times"
.IX Subsection "sigexpiration and siginception times"
.SS "sigex sigin sigval"
.IX Subsection "sigex sigin sigval"
.Vb 2
\& $expiration = $rr\->sigexpiration;
\& $expiration = $rr\->sigexpiration( $value );
\&
\& $inception = $rr\->siginception;
\& $inception = $rr\->siginception( $value );
.Ve
.PP
The signature expiration and inception fields specify a validity
time interval for the signature.
.PP
The value may be specified by a string with format 'yyyymmddhhmmss'
or a Perl \fItime()\fR value.
.PP
Return values are dual-valued, providing either a string value or
numerical Perl \fItime()\fR value.
.SS "keytag"
.IX Subsection "keytag"
.Vb 2
\& $keytag = $rr\->keytag;
\& $rr\->keytag( $keytag );
.Ve
.PP
The keytag field contains the key tag value of the \s-1DNSKEY\s0 \s-1RR\s0 that
validates this signature.
.SS "signame"
.IX Subsection "signame"
.Vb 2
\& $signame = $rr\->signame;
\& $rr\->signame( $signame );
.Ve
.PP
The signer name field value identifies the owner name of the \s-1DNSKEY\s0
\&\s-1RR\s0 that a validator is supposed to use to validate this signature.
.SS "signature"
.IX Subsection "signature"
.SS "sig"
.IX Subsection "sig"
.Vb 2
\& $sig = $rr\->sig;
\& $rr\->sig( $sig );
.Ve
.PP
The Signature field contains the cryptographic signature that covers
the \s-1RRSIG\s0 \s-1RDATA\s0 (excluding the Signature field) and the RRset
specified by the \s-1RRSIG\s0 owner name, \s-1RRSIG\s0 class, and \s-1RRSIG\s0 type
covered fields.
.SS "sigbin"
.IX Subsection "sigbin"
.Vb 2
\& $sigbin = $rr\->sigbin;
\& $rr\->sigbin( $sigbin );
.Ve
.PP
Binary representation of the cryptographic signature.
.SS "create"
.IX Subsection "create"
Create a signature over a \s-1RR\s0 set.
.PP
.Vb 1
\& use Net::DNS::SEC;
\&
\& $keypath = \*(Aq/home/olaf/keys/Kbla.foo.+001+60114.private\*(Aq;
\&
\& $sigrr = create Net::DNS::RR::RRSIG( \e@rrsetref, $keypath );
\&
\& $sigrr = create Net::DNS::RR::RRSIG( \e@rrsetref, $keypath,
\& sigex => 20191231010101
\& sigin => 20191201010101
\& );
\& $sigrr\->print;
\&
\&
\& # Alternatively use Net::DNS::SEC::Private
\&
\& $private = Net::DNS::SEC::Private\->new($keypath);
\&
\& $sigrr= create Net::DNS::RR::RRSIG( \e@rrsetref, $private );
.Ve
.PP
\&\fIcreate()\fR is an alternative constructor for a \s-1RRSIG\s0 \s-1RR\s0 object.
.PP
This method returns an \s-1RRSIG\s0 with the signature over the subject rrset
(an array of RRs) made with the private key stored in the key file.
.PP
The first argument is a reference to an array that contains the RRset
that needs to be signed.
.PP
The second argument is a string which specifies the path to a file
containing the private key as generated by dnssec-keygen.
.PP
The optional remaining arguments consist of ( name => value ) pairs
as follows:
.PP
.Vb 4
\& sigex => 20191231010101, # signature expiration
\& sigin => 20191201010101, # signature inception
\& sigval => 30, # validity window (days)
\& ttl => 3600 # TTL
.Ve
.PP
The sigin and sigex values may be specified as Perl time values or as
a string with the format 'yyyymmddhhmmss'. The default for sigin is
the time of signing.
.PP
The sigval argument specifies the signature validity window in days
( sigex = sigin + sigval ).
.PP
By default the signature is valid for 30 days.
.PP
By default the \s-1TTL\s0 matches the RRset that is presented for signing.
.SS "verify"
.IX Subsection "verify"
.Vb 2
\& $verify = $sigrr\->verify( $rrsetref, $keyrr );
\& $verify = $sigrr\->verify( $rrsetref, [$keyrr, $keyrr2, $keyrr3] );
.Ve
.PP
\&\f(CW$rrsetref\fR contains a reference to an array of \s-1RR\s0 objects and the
method verifies the RRset against the signature contained in the
\&\f(CW$sigrr\fR object itself using the public key in \f(CW$keyrr\fR.
.PP
The second argument can either be a Net::DNS::RR::KEYRR object or a
reference to an array of such objects. Verification will return
successful as soon as one of the keys in the array leads to positive
validation.
.PP
Returns 0 on error and sets \f(CW$sig\fR\->vrfyerrstr
.SS "vrfyerrstr"
.IX Subsection "vrfyerrstr"
.Vb 2
\& $verify = $sigrr\->verify( $rrsetref, $keyrr );
\& print $sigrr\->vrfyerrstr unless $verify;
\&
\& $sigrr\->verify( $rrsetref, $keyrr ) || die $sigrr\->vrfyerrstr;
.Ve
.SH "KEY GENERATION"
.IX Header "KEY GENERATION"
Private key files and corresponding public \s-1DNSKEY\s0 records
are most conveniently generated using dnssec-keygen,
a program that comes with the \s-1ISC\s0 \s-1BIND\s0 distribution.
.PP
.Vb 2
\& dnssec\-keygen \-a 10 \-b 2048 \-f ksk rsa.example.
\& dnssec\-keygen \-a 10 \-b 1024 rsa.example.
\&
\& dnssec\-keygen \-a 14 \-f ksk ecdsa.example.
\& dnssec\-keygen \-a 14 ecdsa.example.
.Ve
.PP
Do not change the name of the private key file.
The create method uses the filename as generated by dnssec-keygen
to determine the keyowner, algorithm, and the keyid (keytag).
.SH "REMARKS"
.IX Header "REMARKS"
The code is not optimised for speed.
It is probably not suitable to be used for signing large zones.
.PP
If this code is still around in 2100 (not a leap year) you will
need to check for proper handling of times after 28th February.
.SH "ACKNOWLEDGMENTS"
.IX Header "ACKNOWLEDGMENTS"
Although their original code may have disappeared following redesign of
Net::DNS, Net::DNS::SEC and the OpenSSL \s-1API\s0, the following individual
contributors deserve to be recognised for their significant influence
on the development of the \s-1RRSIG\s0 package.
.PP
Andy Vaskys (Network Associates Laboratories) supplied code for \s-1RSA\s0.
.PP
T.J. Mather provided support for the \s-1DSA\s0 algorithm.
.PP
Dick Franks added support for elliptic curve and Edwards curve algorithms.
.PP
Mike McCauley created the Crypt::OpenSSL::ECDSA perl extension module
specifically for this development.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (c)2001\-2005 \s-1RIPE\s0 \s-1NCC\s0, Olaf M. Kolkman
.PP
Copyright (c)2007\-2008 NLnet Labs, Olaf M. Kolkman
.PP
Portions Copyright (c)2014 Dick Franks
.PP
All rights reserved.
.PP
Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.
.SH "LICENSE"
.IX Header "LICENSE"
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that
copyright notice and this permission notice appear in supporting
documentation, and that the name of the author not be used in advertising
or publicity pertaining to distribution of the software without specific
prior written permission.
.PP
\&\s-1THE\s0 \s-1SOFTWARE\s0 \s-1IS\s0 \s-1PROVIDED\s0 \*(L"\s-1AS\s0 \s-1IS\s0\*(R", \s-1WITHOUT\s0 \s-1WARRANTY\s0 \s-1OF\s0 \s-1ANY\s0 \s-1KIND\s0, \s-1EXPRESS\s0 \s-1OR\s0
\&\s-1IMPLIED\s0, \s-1INCLUDING\s0 \s-1BUT\s0 \s-1NOT\s0 \s-1LIMITED\s0 \s-1TO\s0 \s-1THE\s0 \s-1WARRANTIES\s0 \s-1OF\s0 \s-1MERCHANTABILITY\s0,
\&\s-1FITNESS\s0 \s-1FOR\s0 A \s-1PARTICULAR\s0 \s-1PURPOSE\s0 \s-1AND\s0 \s-1NONINFRINGEMENT\s0. \s-1IN\s0 \s-1NO\s0 \s-1EVENT\s0 \s-1SHALL\s0
\&\s-1THE\s0 \s-1AUTHORS\s0 \s-1OR\s0 \s-1COPYRIGHT\s0 \s-1HOLDERS\s0 \s-1BE\s0 \s-1LIABLE\s0 \s-1FOR\s0 \s-1ANY\s0 \s-1CLAIM\s0, \s-1DAMAGES\s0 \s-1OR\s0 \s-1OTHER\s0
\&\s-1LIABILITY\s0, \s-1WHETHER\s0 \s-1IN\s0 \s-1AN\s0 \s-1ACTION\s0 \s-1OF\s0 \s-1CONTRACT\s0, \s-1TORT\s0 \s-1OR\s0 \s-1OTHERWISE\s0, \s-1ARISING\s0
\&\s-1FROM\s0, \s-1OUT\s0 \s-1OF\s0 \s-1OR\s0 \s-1IN\s0 \s-1CONNECTION\s0 \s-1WITH\s0 \s-1THE\s0 \s-1SOFTWARE\s0 \s-1OR\s0 \s-1THE\s0 \s-1USE\s0 \s-1OR\s0 \s-1OTHER\s0
\&\s-1DEALINGS\s0 \s-1IN\s0 \s-1THE\s0 \s-1SOFTWARE\s0.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
perl, Net::DNS, Net::DNS::RR, Net::DNS::SEC,
\&\s-1RFC4034\s0, \s-1RFC6840\s0, \s-1RFC3755\s0,
Net::DNS::SEC::DSA,
Net::DNS::SEC::ECDSA,
Net::DNS::SEC::EdDSA,
Net::DNS::SEC::RSA
.PP
<Algorithm Numbers>
.PP
<\s-1BIND\s0 9 Administrator Reference Manual>
Copyright 2K16 - 2K18 Indonesian Hacker Rulez
;?>)