Provided by: libnet-dns-sec-perl_0.21-1_all 
NAME
Net::DNS::RR::SIG - DNS SIG resource record
SYNOPSIS
use Net::DNS;
$rr = new Net::DNS::RR('name SIG typecovered algorithm labels
orgttl sigexpiration siginception
keytag signame signature');
$rrsig = create Net::DNS::RR::SIG( $string, $keypath,
sigval => 60 # minutes
);
$sigrr->verify($string, $keyrr) || croak $sigrr->vrfyerrstr;
$sigrr->verify($packet, $keyrr) || croak $sigrr->vrfyerrstr;
DESCRIPTION
Class for DNS digital signature (SIG) resource records.
In addition to the regular methods inherited from Net::DNS::RR the class contains a method
to sign packets and scalar data strings using private keys (create) and a method for
verifying signatures.
The SIG RR is an implementation of RFC2931. See Net::DNS::RR::RRSIG for an implementation
of RFC4034.
METHODS
The available methods are those inherited from the base class augmented by the type-
specific methods defined in this package.
Use of undocumented package features or direct access to internal data structures is
discouraged and could result in program termination or other unpredictable behaviour.
typecovered
$typecovered = $rr->typecovered;
The typecovered field identifies the type of the RRset that is covered by this RRSIG
record.
algorithm
$algorithm = $rr->algorithm;
The algorithm number field identifies the cryptographic algorithm used to create the
signature.
algorithm() may also be invoked as a class method or simple function to perform mnemonic
and numeric code translation.
labels
$labels = $rr->labels;
$rr->labels( $labels );
The labels field specifies the number of labels in the original RRSIG RR owner name.
orgttl
$orgttl = $rr->orgttl;
$rr->orgttl( $orgttl );
The original TTL field specifies the TTL of the covered RRset as it appears in the
authoritative zone.
sigexpiration and siginception time
$expiration = $rr->sigexpiration;
$inception = $rr->siginception;
The signature expiration and inception fields specify a validity time interval for the
signature.
The value may be specified by a string with format 'yyyymmddhhmmss' or a Perl time()
value.
keytag
$keytag = $rr->keytag;
$rr->keytag( $keytag );
The keytag field contains the key tag value of the KEY RR that validates this signature.
signame
$signame = $rr->signame;
$rr->signame( $signame );
The signer name field value identifies the owner name of the KEY RR that a validator is
supposed to use to validate this signature.
signature
$signature = $rr->signature;
The Signature field contains the cryptographic signature that covers the SIG RDATA
(excluding the Signature field) and the subject data.
sigbin
$sigbin = $rr->sigbin;
$rr->sigbin( $sigbin );
Binary representation of the cryptographic signature.
create
Create a signature over scalar data.
use Net::DNS::SEC;
$keypath = '/home/olaf/keys/Kbla.foo.+001+60114.private';
$sigrr = create Net::DNS::RR::SIG( $data, $keypath );
$sigrr = create Net::DNS::RR::SIG( $data, $keypath,
sigin => 20130901010101
);
$sigrr->print;
# Alternatively use Net::DNS::SEC::Private
$private = Net::DNS::SEC::Private->new($keypath);
$sigrr= create Net::DNS::RR::SIG( $data, $private );
create() is an alternative constructor for a SIG RR object.
This method returns a SIG with the signature over the data made with the private key
stored in the key file.
The first argument is a scalar that contains the data to be signed.
The second argument is a string which specifies the path to a file containing the private
key as generated with dnssec-keygen, a program that comes with the ISC BIND distribution.
The optional remaining arguments consist of ( name => value ) pairs as follows:
sigin => 20130901010101, # signature inception
sigex => 20130901011101, # signature expiration
sigval => 10, # signature validity
The sigin and sigex values may be specified as Perl time values or as a string with the
format 'yyyymmddhhmmss'. The default for sigin is the time of signing.
The sigval argument specifies the signature validity window in minutes ( sigex = sigin +
sigval ). Sigval wins if sigex is also specified.
By default the signature is valid for 10 minutes.
Notes:
• Do not change the name of the file generated by dnssec-keygen, the create method uses
the filename as generated by dnssec-keygen to determine the keyowner, algorithm and
the keyid (keytag).
verify and vrfyerrstr
$sigrr->verify( $data, $keyrr ) || croak $sigrr->vrfyerrstr;
$sigrr->verify( $data, [$keyrr, $keyrr2, $keyrr3] )
|| croak $sigrr->vrfyerrstr;
$sigrr->verify( $packet, $keyrr ) || croak $sigrr->vrfyerrstr;
The verify() method performs SIG0 verification of the specified data against the signature
contained in the $sigrr object itself using the public key in $keyrr.
If a reference to a Net::DNS::Packet is supplied, the method performs a SIG0 verification
on the packet data.
The second argument can either be a Net::DNS::RR::KEYRR object or a reference to an array
of such objects. Verification will return successful as soon as one of the keys in the
array leads to positive validation.
Returns 0 on error and sets $sig->vrfyerrstr
Example
$sig0 = $packet->pop('additional');
print $sig0->vrfyerrstr unless $sig0->verify( $packet, $keyrr );
Remarks
The code is not optimized for speed.
TODO
If this code is still around in 2100 (not a leapyear) you will need to check for proper
handling of times ...
ACKNOWLEDGMENTS
Andy Vaskys (Network Associates Laboratories) supplied the code for handling RSA with SHA1
(Algorithm 5).
T.J. Mather, <tjmather@tjmather.com>, the Crypt::OpenSSL::DSA maintainer, for his quick
responses to bug report and feature requests.
COPYRIGHT
Copyright (c)2001-2005 RIPE NCC, Olaf M. Kolkman
Copyright (c)2007-2008 NLnet Labs, Olaf M. Kolkman
Portions Copyright (c)2014 Dick Franks
All Rights Reserved
Permission to use, copy, modify, and distribute this software and its documentation for
any purpose and without fee is hereby granted, provided that the above copyright notice
appear in all copies and that both that copyright notice and this permission notice appear
in supporting documentation, and that the name of the author not be used in advertising or
publicity pertaining to distribution of the software without specific prior written
permission.
THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO EVENT SHALL AUTHOR BE LIABLE FOR ANY
SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS
OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.
SEE ALSO
perl, Net::DNS, Net::DNS::RR, Net::DNS::SEC, RFC4034, RFC3755, RFC2535, RFC2931, RFC3110,
RFC3008, Crypt::OpenSSL::DSA, Crypt::OpenSSL::RSA