Class Dnsruby::RR::DNSKEY
In: lib/Dnsruby/resource/DNSKEY.rb
Parent: RR

RFC4034, section 2 DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). The public keys are stored in DNSKEY resource records and are used in the DNSSEC authentication process described in [RFC4035]: A zone signs its authoritative RRsets by using a private key and stores the corresponding public key in a DNSKEY RR. A resolver can then use the public key to validate signatures covering the RRsets in the zone, and thus to authenticate them.

Methods

Constants

TypeValue = Types::DNSKEY #:nodoc: all
REVOKED_KEY = 0x80   Key is revoked
ZONE_KEY = 0x100   Key is a zone key
SEP_KEY = 0x1   Key is a secure entry point key

Attributes

algorithm  [R]  The algorithm used for this key. See Dnsruby::Algorithms for permitted values.
flags  [R]  The flags for the DNSKEY RR
key  [R]  The public key
protocol  [R]  The protocol for this DNSKEY RR. MUST be 3.

Public Instance methods


    # File lib/Dnsruby/resource/DNSKEY.rb, line 65
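# Set the algorithm of this key.
#
# @param a [Integer, String, Algorithms] the algorithm, as a numeric code,
#   a decimal string ("5", "10") or any other value Algorithms.new accepts
#   (see Dnsruby::Algorithms for permitted values)
# @raise [DecodeError] if Algorithms.new rejects the value
def algorithm=(a)
  if a.instance_of?(String)
    # A one-character string has always been coerced to its integer value;
    # longer all-digit strings (two-digit algorithm numbers from
    # presentation format) are now coerced the same way instead of being
    # handed to Algorithms.new as text.
    a = a.to_i if a.length == 1 || a =~ /\A\d+\z/
  end
  begin
    @algorithm = Algorithms.new(a)
  rescue ArgumentError => e
    # An unknown algorithm is reported as a decoding failure, like the
    # other field setters of this record.
    raise DecodeError.new(e)
  end
end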


     # File lib/Dnsruby/resource/DNSKEY.rb, line 303
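# Build an OpenSSL DSA public key from the RFC 2536 wire encoding held in @key.
#
# Layout: one octet T, then Q (20 octets), then P, G and Y of 64 + 8*T
# octets each.
#
# @return [OpenSSL::PKey::DSA] a key carrying only the public components
# @raise [DecodeError] if @key is empty, T is outside 0..8, or @key is
#   shorter than the layout requires
def dsa_key
  if (@key.nil? || @key.length == 0)
    raise DecodeError.new("DNSKEY DSA key has no key material")
  end
  t = @key[0]
  t = t.getbyte(0) if t.class == String # Ruby 1.9: String#[] returns a String
  # RFC 2536 section 2 restricts T to 0..8 (512 to 1024 bit keys); a larger
  # value would make the field lengths below meaningless.
  if (t > 8)
    raise DecodeError.new("DNSKEY DSA key has T=#{t}, outside the 0..8 range of RFC2536")
  end
  pgy_len = t * 8 + 64
  needed = 1 + 20 + 3 * pgy_len
  # Without this check a truncated key would hand nil or short strings to
  # RR::get_num instead of failing as a decoding error.
  if (@key.length < needed)
    raise DecodeError.new("DNSKEY DSA key too short: #{@key.length} octets, #{needed} needed")
  end
  pos = 1
  q = RR::get_num(@key[pos, 20])
  pos += 20
  p = RR::get_num(@key[pos, pgy_len])
  pos += pgy_len
  g = RR::get_num(@key[pos, pgy_len])
  pos += pgy_len
  y = RR::get_num(@key[pos, pgy_len])

  # NOTE(review): the p=/q=/g=/pub_key= setters are not available on newer
  # Ruby OpenSSL bindings (keys are immutable there) - confirm against the
  # supported Ruby/OpenSSL versions.
  pkey = OpenSSL::PKey::DSA.new
  pkey.p = p
  pkey.q = q
  pkey.g = g
  pkey.pub_key = y
  pkey
end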


     # File lib/Dnsruby/resource/DNSKEY.rb, line 115
# Set the flags field of this DNSKEY RR.
#
# Only three bits are meaningful: the Zone Key flag (bit 7), the Secure
# Entry Point flag (bit 15) and the RFC 5011 Revoked bit (bit 8). Any other
# set bit is logged, but the value is stored unchanged.
#
# @param f [Integer] the 16-bit flags value
def flags=(f)
  permitted = ZONE_KEY | SEP_KEY | REVOKED_KEY
  unknown_bits = f & ~permitted
  if unknown_bits > 0
    TheLog.info("DNSKEY: Only zone key, secure entry point and revoked flags allowed for DNSKEY" +
        " (RFC4034 section 2.1.1) : #{f} entered as input")
  end
  @flags = f
end


     # File lib/Dnsruby/resource/DNSKEY.rb, line 142
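# Populate this record from its presentation (zone file) format.
#
# Expects "flags protocol algorithm key ...", where the key material may be
# spread over several whitespace-separated tokens, optionally wrapped in
# "(" ... ")" and followed by a ";" comment. An empty input leaves the
# record untouched.
#
# @param input [String] the RDATA text
# @raise [DecodeError] if fewer than three fields are present, or from the
#   flags=/protocol=/algorithm= setters when a field is invalid
def from_string(input)
  return if input.length == 0
  data = input.split(" ")
  # Previously a record with missing fields failed with a NoMethodError on
  # nil; report it as a decoding error instead.
  if (data.length < 3)
    raise DecodeError.new("DNSKEY RDATA needs flags, protocol and algorithm fields: #{input.inspect}")
  end
  self.flags = data[0].to_i
  self.protocol = data[1].to_i
  self.algorithm = data[2]
  # The key can include whitespace, so gather every token from the fourth
  # one to the end, skipping a surrounding "(" ... ")" pair and stopping at
  # the first ";" comment.
  first = 3
  last = data.length - 1
  if (data[first] == "(")
    first = 4
    last = data.length - 2
  end
  buf = ""
  (first..last).each do |i|
    token = data[i]
    comment_index = token.index(";")
    if comment_index
      buf << token.slice(0, comment_index)
      # @TODO@ We lose the comments here - we should really keep them for when we write back to string format?
      break
    end
    buf << token
  end
  self.key = buf
end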


     # File lib/Dnsruby/resource/DNSKEY.rb, line 216
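# Compute the RFC 4034 Appendix B key tag over the encoded RDATA.
#
# @param rdata [String] the wire-format RDATA of the DNSKEY
# @param algorithm [Algorithms] the key's algorithm; RSA/MD5 uses the
#   historical formula of Appendix B.1, every other algorithm the 16-bit
#   checksum of Appendix B
# @return [Integer] the 16-bit key tag
def generate_key_tag(rdata, algorithm)
  # Work on integer octets throughout: on Ruby 1.9 String#[] returns a
  # one-character String, which the previous RSA/MD5 branch combined with
  # "& 0xFF" and so raised NoMethodError.
  octets = rdata.unpack("C*")
  if (algorithm == Algorithms.RSAMD5)
    # RFC 4034 B.1: the tag is formed from the third- and second-to-last
    # octets of the RDATA. Missing octets of a too-short record count as 0.
    d1 = octets[-3] || 0
    d2 = octets[-2] || 0
    tag = (d1 << 8) + d2
  else
    # Sum the RDATA as big-endian 16-bit words, zero-padding an odd trailing
    # octet, then fold the carry back into the low 16 bits.
    tag = 0
    octets.each_slice(2) do |hi, lo|
      tag += (hi << 8) + (lo || 0)
    end
    tag += ((tag >> 16) & 0xFFFF)
  end
  tag & 0xFFFF
end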


    # File lib/Dnsruby/resource/DNSKEY.rb, line 51
# Reset this record to its defaults: no parsed public key, RSA/SHA-1 as
# algorithm, protocol 3 and only the Zone Key flag set.
def init_defaults
  @public_key = nil
  @algorithm = Algorithms.RSASHA1
  self.protocol = 3
  self.flags = ZONE_KEY
end


     # File lib/Dnsruby/resource/DNSKEY.rb, line 257
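# Set the public key from its base64 text.
#
# Newlines and spaces are dropped before decoding. The argument itself is
# left untouched: the previous implementation used gsub! and so modified
# the caller's string (and failed on a frozen one).
#
# @param key_text [String] base64-encoded key material, possibly wrapped
def key=(key_text)
  cleaned = key_text.delete("\n ")
  # "m*" is the lenient base64 decoder (unknown characters are skipped);
  # a strict decode would reject the unpadded or wrapped input that zone
  # files routinely contain.
  @key = cleaned.unpack("m*")[0]
end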

Return the tag for this key


     # File lib/Dnsruby/resource/DNSKEY.rb, line 208
# Return the tag for this key, computed over the freshly encoded RDATA.
#
# @return [Integer] the 16-bit key tag
def key_tag
  encoder = MessageEncoder.new { |msg| encode_rdata(msg) }
  generate_key_tag(encoder.to_s, @algorithm)
end

Return the key tag this key would have had before it was revoked. If the key is not revoked, then the current key_tag is returned.


     # File lib/Dnsruby/resource/DNSKEY.rb, line 198
# Return the key tag this key had before it was revoked. For a key that is
# not revoked this is simply the current key tag.
#
# @return [Integer] the 16-bit key tag computed with the Revoked bit cleared
def key_tag_pre_revoked
  return key_tag unless revoked?
  unrevoked = clone
  unrevoked.revoked = false
  unrevoked.key_tag
end


    # File lib/Dnsruby/resource/DNSKEY.rb, line 58
# Set the protocol field, which RFC 4034 section 2.1.2 fixes at 3.
#
# @param p [Integer] the protocol value
# @raise [DecodeError] for any value other than 3
def protocol=(p)
  unless p == 3
    raise DecodeError.new("DNSKEY protocol field set to #{p}, contrary to RFC4034 section 2.1.2")
  end
  @protocol = p
end


     # File lib/Dnsruby/resource/DNSKEY.rb, line 264
# Return the OpenSSL public key object for this DNSKEY, building it on first
# use from the wire-format key material.
#
# Only the RSA/SHA-1 and DSA algorithm families (with and without NSEC3)
# are decoded; for any other algorithm nil is returned.
#
# @return [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA, nil]
def public_key
  unless @public_key
    rsa_algorithms = [Algorithms.RSASHA1, Algorithms.RSASHA1_NSEC3_SHA1]
    dsa_algorithms = [Algorithms.DSA, Algorithms.DSA_NSEC3_SHA1]
    if rsa_algorithms.include?(@algorithm)
      @public_key = rsa_key
    elsif dsa_algorithms.include?(@algorithm)
      @public_key = dsa_key
    end
  end
  # @TODO@ Support other key encodings!
  @public_key
end


    # File lib/Dnsruby/resource/DNSKEY.rb, line 79
# Set or clear the RFC 5011 Revoked bit in the flags field.
#
# @param on [Boolean] true to mark the key as revoked, false to clear it
def revoked=(on)
  @flags = on ? (@flags | REVOKED_KEY) : (@flags & ~REVOKED_KEY)
end


    # File lib/Dnsruby/resource/DNSKEY.rb, line 87
# Whether the RFC 5011 Revoked bit is set in the flags field.
#
# @return [Boolean]
def revoked?
  (@flags & REVOKED_KEY) != 0
end


     # File lib/Dnsruby/resource/DNSKEY.rb, line 278
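# Build an OpenSSL RSA public key from the RFC 3110 wire encoding held in @key.
#
# Layout: the exponent length (one octet, or a zero octet followed by a
# two-octet big-endian length), the exponent, then the modulus in all
# remaining octets.
#
# @return [OpenSSL::PKey::RSA] a key carrying only the public components
# @raise [DecodeError] if @key is empty, truncated inside the length field,
#   or too short to hold the exponent and at least one modulus octet
def rsa_key
  if (@key.nil? || @key.length == 0)
    raise DecodeError.new("DNSKEY RSA key has no key material")
  end
  # Integer octets work on both Ruby 1.8 and 1.9 String#[] semantics.
  octets = @key.unpack("C*")
  exponent_length = octets[0]
  pos = 1
  if (exponent_length == 0)
    # RFC 3110 section 2: a zero first octet means the length is carried in
    # the next two octets. The previous code combined the first of them
    # with itself, mis-sizing every exponent longer than 255 octets.
    if (octets.length < 3)
      raise DecodeError.new("DNSKEY RSA key truncated in exponent length field")
    end
    exponent_length = (octets[1] << 8) + octets[2]
    pos += 2
  end
  # Require the whole exponent plus a non-empty modulus, rather than
  # handing short or empty strings to RR::get_num.
  if (@key.length <= pos + exponent_length)
    raise DecodeError.new("DNSKEY RSA key too short for exponent length #{exponent_length}")
  end
  exponent = RR::get_num(@key[pos, exponent_length])
  pos += exponent_length

  modulus = RR::get_num(@key[pos, @key.length])

  # NOTE(review): the e=/n= setters are not available on newer Ruby OpenSSL
  # bindings (keys are immutable there) - confirm against the supported
  # Ruby/OpenSSL versions.
  pkey = OpenSSL::PKey::RSA.new
  pkey.e = exponent
  pkey.n = modulus
  pkey
end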


     # File lib/Dnsruby/resource/DNSKEY.rb, line 103
# Set or clear the Secure Entry Point flag in the flags field.
#
# @param on [Boolean] true to mark the key as a secure entry point
def sep_key=(on)
  @flags = on ? (@flags | SEP_KEY) : (@flags & ~SEP_KEY)
end


     # File lib/Dnsruby/resource/DNSKEY.rb, line 111
# Whether the Secure Entry Point flag is set in the flags field.
#
# @return [Boolean]
def sep_key?
  (@flags & SEP_KEY) != 0
end


    # File lib/Dnsruby/resource/DNSKEY.rb, line 91
# Set or clear the Zone Key flag in the flags field.
#
# @param on [Boolean] true to mark the key as a zone key
def zone_key=(on)
  @flags = on ? (@flags | ZONE_KEY) : (@flags & ~ZONE_KEY)
end


     # File lib/Dnsruby/resource/DNSKEY.rb, line 99
 # Whether the Zone Key flag is set in the flags field.
 #
 # @return [Boolean]
 def zone_key?
   (@flags & ZONE_KEY) != 0
 end
