Provided by: libnet-dns-sec-perl_0.16-2_all bug

NAME

       Net::DNS::RR::RRSIG - DNS RRSIG resource record

SYNOPSIS

       "use Net::DNS::RR;"

DESCRIPTION

       Class for DNS Address (RRSIG) resource records. In addition to the regular methods in the
       Net::DNS::RR the Class contains a method to sign RRsets using private keys (create). And a
       class for verifying signatures over RRsets (verify).

       The RRSIG RR is an implementation of RFC 4034.  See Net::DNS::RR::SIG for an
       impelementation of SIG0 (RFC 2931).

METHODS

   create
       Create a signature over a RR set.

           my $keypath=
                   "/home/olaf/keys/Kbla.foo.+001+60114.private";
           my $sigrr= create Net::DNS::RR::RRSIG(\@datarrset,
                                               $keypath);
           my $sigrr= create Net::DNS::RR::RRSIG(\@datarrset,
                                               $keypath,
                                               %arguments);
           $sigrr->print;

           #Alternatively use Net::DNS::SEC::Private

           my $private=Net::DNS::SEC::Private-new(
               "/home/olaf/keys/Kbla.foo.+001+60114.private");
           my $sigrr= create Net::DNS::RR::RRSIG(\@datarrset,
                                                 $private);

       create is an alternative constructor for a RRSIG RR object.

       The first argument is either reference to an array that contains the RRset that needs to
       be signed.

       The second argument is a string containing the path to a file containing the the private
       key as generated with dnssec-keygen, a program that commes with the bind distribution.

       The third argument is an anonymous hash containing the following possible arguments:

           ( ttl => 3600,                        # TTL
             sigin =>   20010501010101,          # signature inception
             sigex =>   20010501010101,          # signature expiration
             sigval => 1.5                       # signature validity
             )

       The default for the ttl is 3600 seconds. sigin and sigex need to be specified in the
       following format 'yyyymmddhhmmss'. The default for sigin is the time of signing.

       sigval is the validity of the signature in minutes for SIG0s and days for other signatures
       (sigex=sigin+sigval).  If sigval is specified then sigex is ignored. The default for
       sigval is 5 minutes for SIG0s and 30 days other types of signatures.

       Notes:

       - Do not change the name of the file generated by dnssec-keygen, the
         create method uses the filename as generated by dnssec-keygen to
         determine the keyowner, algorithm and the keyid (keytag).

       - Only RSA signatures (algorithm 1,5 and 7) and DSA signatures
         (algorithm 3, and 6) have been implemented.

   typecovered
           print "typecovered =", $rr->typecovered, "\n"

       Returns the qtype covered by the sig.

   algorithm
           print "algorithm =", $rr->algorithm, "\n"

       Returns the algorithm number used for the signature

   labels
           print "labels =", $rr->labels, "\n"

       Returns the the number of labels of the RRs over wich the sig was made.

   orgttl
           print "orgttl =", $rr->orgttl, "\n"

       Returns the RRs the original TTL of the signature

   sigexpiration
           print "sigexpiration =", $rr->sigexpiration, "\n"

       Returns the expiration date of the signature

   siginception
           print "siginception =", $rr->siginception, "\n"

       Returns the date the signature was incepted.

   keytag
           print "keytag =", $rr->keytag, "\n"

       Returns the the keytag (key id) of the key the sig was made with.  Read "KeyID Bug in
       bind." below.

   signame
           print "signame =", $rr->signame, "\n"

       Returns the name of the public KEY RRs  this sig was made with.

   sig
           print "sig =", $rr->sig, "\n"

       Returns the base64 representation of the signature.

   verify and vrfyerrstr
           $sigrr->verify($data, $keyrr) || croak $sigrr->vrfyerrstr;
           $sigrr->verify($data, [$keyrr, $keyrr2, $keyrr3]) ||
                         croak $sigrr->vrfyerrstr;

       If $data contains a reference to an array of RR objects then them method verifies the
       RRset against the signature contained in the $sigrr object itself using the public key in
       $keyrr.  Because of the KeyID bug in bind (see below) a check on keyid is not performed.

       If $data contains a reference to a Net::DNS::Packet and if $sig->type equals zero a a sig0
       verification is performed. Note that the signature needs to be 'popped' from the packet
       before verifying.

       The second argument can either be a Net::DNS::RR::KEYRR object or a reference to an array
       of such objects. Verification will return successful as soon as one of the keys in the
       array leads to positive validation.

       Returns 0 on error and sets $sig->vrfyerrstr

   Example
          my $sigrr=$packet->pop("additional");
          print $sigrr->vrfyerrstr unless $sigrr1->verify($update1, $keyrr1);

Remarks

       - The code is not optimized for speed whatsoever. It is probably not suitable to be used
       for signing large zones.

TODO

       - Clean up the code.

       - If this code is still around by 2030 you have a few years to check the proper handling
       of times...

       - Add wildcard handling

ACKNOWLEDGMENTS

       Andy Vaskys (Network Associates Laboratories) supplied the code for handling RSA with SHA1
       (Algorithm 5).

       Chris Reinardt for maintianing Net::DNS.

       T.J. Mather, <tjmather@tjmather.com>, the Crypt::OpenSSL::DSA maintainer, for his quick
       responses to bug report and feature requests.

COPYRIGHT

       Copyright (c) 2001 - 2005  RIPE NCC.  Author Olaf M. Kolkman Copyright (c) 2007 - 2008
       NLnet Labs.  Author Olaf M. Kolkman <olaf@net-dns.org>

       All Rights Reserved

       Permission to use, copy, modify, and distribute this software and its documentation for
       any purpose and without fee is hereby granted, provided that the above copyright notice
       appear in all copies and that both that copyright notice and this permission notice appear
       in supporting documentation, and that the name of the author not be used in advertising or
       publicity pertaining to distribution of the software without specific, written prior
       permission.

       THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED
       WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO EVENT SHALL AUTHOR BE LIABLE FOR ANY
       SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
       OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
       ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

       Based on, and contains, code by Copyright (c) 1997 Michael Fuhr.

       This code uses Crypt::OpenSSL which uses the openssl library

SEE ALSO

       http://www.net-dns.org/ <http://www.net-dns.org/>

       perl(1), Net::DNS, Net::DNS::Resolver, Net::DNS::Packet, Net::DNS::Header,
       Net::DNS::Question, Net::DNS::RR,Crypt::OpenSSL::RSA, Crypt::OpenSSL::DSA,
       Net::DNS::SEC::Private, RFC 4034