Ubuntu Manpage: Net::DNS::Keyset - DNSSEC Keyset object class

name
synopsis
description
copyright

Provided by: libnet-dns-sec-perl_0.16-2_all

NAME

           Net::DNS::Keyset - DNSSEC Keyset object class

SYNOPSIS

       use Net::DNS::Keyset;

DESCRIPTION

       A keyset is a "administrative" unit used for DNSSEC maintenance.

       The bind dnssec-signzone tool uses it to genertate DS records. This class provides interfaces for reading
       keysets, creating and parsing them.

       Note that this class is still being developed. Attributes and methods are subject to change.

   new (from file)
           $keyset=Net::DNS::Keyset->new("keyset-example.tld");

       Creator method, will read the specified keyset file and return a keyset object. Fails if not all keys in
       the set are self-signed.

       Sets $Net::DNS::Keyset::keyset_err and returns 0 on failure.

   new (by signing keys)
           $keyset=Net::DNS::Keyset->new(\@keyrr,$privatekeypath);

       Creates a keyset object from the keys provided through the reference to an array of Net::DNS::RR::Key
       objects.

       The method will create selfsign the whole keyset. The private keys as generated by the BIND dnssec-keygen
       tool are assumed to be in the current directory or, if specified, in the directory indicat by the
       $privatekeypath.

       Sets $Net::DNS::Keyset::keyset_err and returns 0 on failure.

   new (from keys and sig RRsets)
           $keyset=Net::DNS::Keyset->new(\@keyrr,\@sigrr);

       Creates a keyset object from the keys provided through the reference to an array of Net::DNS::RR::DNSKEY
       and Net::DNS::RR::RRSIG objects.

       Sets $Net::DNS::Keyset::keyset_err and returns 0 on failure.

   new (from Packet)
           $res = Net::DNS::Resolver->new;
           $res->dnssec(1);

           $packet = $res->query ("example.com", "DNSKEY", "IN");

           $keyset=Net::DNS::Keyset->new($packet)

           die "Corrupted selfsignature " if ! $keyset->verify;

       Creates a keyset object from a Net::DNS::Packet that contains the answer to a query for the apex key
       records.

       This is the method you want to use for automatically fetching keys.

       Sets $Net::DNS::Keyset::keyset_err and returns 0 on failure.

   keys
           @keyrr=$keyset->keys;

       Returns an array of Net::DNS::RR::Key objects

   sigs
           @keyrr=$keyset->sigs;

       Returns an array of Net::DNS::RR::Sig objects

   verify
           die $Net::DNS::Keyset::keyset_err if $keyset->verify;

       If no arguments are given:

           - Verifies if all signatures present verify the keyset.
           - Verifies if there are DNSKEYs with the SEP flag set there is
             at least one RRSIG made using that key
           - Verifies that if there are no DNSKEYS with the SEP flag set there is
             at lease one RRSIG made with one of the keys from the keyset.

       If an argument is given it is should be the KEYID of one of the keys in the keyset and the method
       verifies if the the RRSIG with that made with that key verifies.

       The argument returns 0 if verification fails and sets $Net::DNS::Keyset::keyset_err.

       If verification succeeds an array is returne with the key-tags of the keys for which signatures verified.

   print
           $keyset->print;

       Prints the keyset

   string
           $keysetstring=$keyset->string;

       Returns a string representation of the keyset

           print $keyset->string;
           is similar to
           $keyset->print;

   extract_ds
           @ds=$keyset->extract_ds;
           foreach $ds (@ds) {
               $ds->print;
           }

       Extracts DS records from the keyset. Note that the keyset will be verified during extraction: All keys
       will need to have a valid selfsignature.

   writekeyset
           die $Net::DNS::Keyset::keyset_err if ! $keyset->writekeyset($prefix, $path);

       Writes the keyset to a file named "keyset-<domain>." in the current working directory or the directory
       defined by $path. $prefix specifies an optional prefix that will be prepended to the string
       "keyset-<domain>."  Returns 0 on failure and sets keyset_err.

COPYRIGHT

       Copyright (c) 2002 RIPE NCC.  Author Olaf M. Kolkman <net-dns-sec@ripe.net>

       All Rights Reserved

       Permission to use, copy, modify, and distribute this software and its documentation for any purpose and
       without fee is hereby granted, provided that the above copyright notice appear in all copies and that
       both that copyright notice and this permission notice appear in supporting documentation, and that the
       name of the author not be used in advertising or publicity pertaining to distribution of the software
       without specific, written prior permission.

       THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF
       MERCHANTABILITY AND FITNESS; IN NO EVENT SHALL AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR
       CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
       AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE
       OR PERFORMANCE OF THIS SOFTWARE.