Class Dnsruby::RR::DNSKEY
In: lib/Dnsruby/resource/DNSKEY.rb
Parent: RR

RFC4034, section 2: DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). The public keys are stored in DNSKEY resource records and are used in the DNSSEC authentication process described in [RFC4035]: a zone signs its authoritative RRsets by using a private key and stores the corresponding public key in a DNSKEY RR. A resolver can then use the public key to validate signatures covering the RRsets in the zone, and thus to authenticate them.

Methods

Constants

TypeValue = Types::DNSKEY #:nodoc: all
REVOKED_KEY = 0x80   Key is revoked
ZONE_KEY = 0x100   Key is a zone key
SEP_KEY = 0x1   Key is a secure entry point key

Attributes

algorithm  [R]  The algorithm used for this key. See Dnsruby::Algorithms for permitted values.
flags  [R]  The flags for the DNSKEY RR
key  [R]  The public key
key_length  [R]  The length (in bits) of the key - NOT key.length
protocol  [R]  The protocol for this DNSKEY RR. MUST be 3.

Public Instance methods

[Source]

    # File lib/Dnsruby/resource/DNSKEY.rb, line 71
# Set the algorithm of this key. Accepts an Algorithms value, a mnemonic
# String, or a numeric code given either as an Integer or as a numeric String.
# Raises DecodeError when the value is not a known algorithm, and refreshes
# the cached key tag afterwards (the algorithm is part of the tagged RDATA).
def algorithm=(a)
  value = a
  # A numeric string such as "5" is treated as the algorithm number
  value = value.to_i if value.instance_of?(String) && value.to_i > 0
  begin
    @algorithm = Algorithms.new(value)
  rescue ArgumentError => e
    raise DecodeError.new(e)
  end
  get_new_key_tag
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 348
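# Build an OpenSSL DSA public key from the raw key material in @key.
#
# RFC 2536 section 2 wire format:
#   T (1 octet, 0..8), Q (20 octets), then P, G and Y, each 64 + T*8 octets.
# Sets @key_length to the size of P in bits.
# Raises DecodeError when the key material is empty, T is out of range, or
# the material is shorter than the layout implied by T (the original code
# indexed past the end and failed with a NoMethodError instead).
def dsa_key
  # Work on octets regardless of Ruby version or string encoding
  bytes = @key.unpack("C*")
  raise DecodeError, "DNSKEY DSA public key is empty" if bytes.empty?
  t = bytes[0]
  # Bounding T also bounds the amount of key material we try to parse
  raise DecodeError, "DNSKEY DSA size parameter T=#{t} outside RFC 2536 range 0..8" if t > 8
  pgy_len = t * 8 + 64
  expected = 1 + 20 + 3 * pgy_len
  if bytes.length < expected
    raise DecodeError, "DNSKEY DSA public key truncated: #{bytes.length} octets, expected #{expected} for T=#{t}"
  end

  pos = 1
  subprime = RR::get_num(bytes[pos, 20].pack("C*"))
  pos += 20
  prime = RR::get_num(bytes[pos, pgy_len].pack("C*"))
  pos += pgy_len
  generator = RR::get_num(bytes[pos, pgy_len].pack("C*"))
  pos += pgy_len
  pub = RR::get_num(bytes[pos, pgy_len].pack("C*"))
  # Key length is reported as the size of P in bits
  @key_length = pgy_len * 8

  # NOTE(review): the openssl gem rejects these per-field setters when built
  # against OpenSSL 3.0 (PKey objects are immutable there) - confirm the
  # supported openssl version before relying on this path
  pkey = OpenSSL::PKey::DSA.new
  pkey.p = prime
  pkey.q = subprime
  pkey.g = generator
  pkey.pub_key = pub
  pkey
end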

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 125
# Set the 16-bit flags field of this DNSKEY and refresh the key tag.
#
# Only three bits are defined (RFC 4034 section 2.1.1 and RFC 5011):
# Zone Key (bit 7), Secure Entry Point (bit 15) and Revoked (bit 8).
# Any other bit is logged but the value is stored unchanged - reserved
# bits are meant to be ignored on receipt rather than rejected.
def flags=(f)
  defined_bits = ZONE_KEY | SEP_KEY | REVOKED_KEY
  if (f & ~defined_bits) > 0
    TheLog.info("DNSKEY: Only zone key, secure entry point and revoked flags allowed for DNSKEY (RFC4034 section 2.1.1) : #{f} entered as input")
  end

  @flags = f
  get_new_key_tag
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 165
# Populate this record from its presentation (zone file) form:
#   "<flags> <protocol> <algorithm> [(] <base64 key ...> [)] [; comment]"
# The key material may span several whitespace-separated tokens and may be
# wrapped in brackets; anything from the first ";" onwards is a comment.
# Key tag generation is suppressed while the fields are set and done once
# at the end. An empty input leaves the record untouched.
# Note that to_i yields 0 for non-numeric text, so a malformed flags or
# protocol field is not reported here (protocol= then rejects anything but 3).
def from_string(input)
  return unless input.length > 0
  @make_new_key_tag = false
  fields = input.split(" ")
  self.flags = fields[0].to_i
  self.protocol = fields[1].to_i
  self.algorithm = fields[2]

  first = 3
  last = fields.length - 1
  if fields[first] == "("
    # Skip the opening bracket and drop the closing one
    first = 4
    last = fields.length - 2
  end
  pieces = []
  fields[first..last].to_a.each do |token|
    comment_at = token.index(";")
    if comment_at
      pieces << token.slice(0, comment_at)
      # @TODO@ comments are dropped here; they could be kept for the string round-trip
      break
    end
    pieces << token
  end
  self.key = pieces.join
  @make_new_key_tag = true
  get_new_key_tag
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 252
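# Compute the RFC 4034 Appendix B key tag for the given RDATA.
#
# rdata     - the encoded DNSKEY RDATA as a String of octets
# algorithm - the key's Algorithms value; RSA/MD5 uses a different rule
#
# Returns an Integer in 0..0xFFFF.
#
# The computation works on the raw octets (String#unpack) rather than
# String#[] because on Ruby 1.9+ the latter returns one-character Strings,
# and #length counts characters, not bytes. The original RSA/MD5 branch
# applied `& 0xFF` to such a String and failed on Ruby 1.9+.
def generate_key_tag(rdata, algorithm)
  bytes = rdata.unpack("C*")
  tag = 0
  if (algorithm == Algorithms.RSAMD5)
    # RSA/MD5 (algorithm 1) takes its tag from the low octets of the
    # modulus at the end of the RDATA, for historical reasons
    tag = (bytes[-3] << 8) + bytes[-2] if bytes.length >= 3
  else
    # Sum the RDATA as big-endian 16-bit words; a trailing odd octet acts
    # as the high byte of a final word, then fold the carry back in
    bytes.each_slice(2) { |hi, lo| tag += (hi << 8) + (lo || 0) }
    tag += (tag >> 16) & 0xFFFF
  end
  tag & 0xFFFF
end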

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 233
# Recompute @key_tag from the encoded RDATA, but only while
# @make_new_key_tag is set (from_string and init_defaults clear it while
# several fields are being assigned). Returns nil when skipped.
def get_new_key_tag
  return unless @make_new_key_tag
  encoded = MessageEncoder.new { |msg| encode_rdata(msg) }.to_s
  @key_tag = generate_key_tag(encoded, @algorithm)
end

[Source]

    # File lib/Dnsruby/resource/DNSKEY.rb, line 53
# Apply the default field values: protocol 3, the Zone Key flag, RSASHA1.
# Key tag generation is held off until all defaults are in place; the
# algorithm is assigned directly rather than through algorithm= so that no
# tag is computed for the placeholder state.
def init_defaults
  @make_new_key_tag = false
  self.protocol = 3
  self.flags = ZONE_KEY
  @algorithm = Algorithms.RSASHA1
  @public_key = @key_tag = nil
  @make_new_key_tag = true
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 293
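# Set the public key from its base64 text form, decode it, build the
# OpenSSL key object and refresh the key tag.
#
# Line breaks and spaces from zone-file formatting are stripped first. The
# caller's string is no longer modified in place (the original gsub! calls
# mutated the argument and raised on frozen strings).
# Raises ArgumentError when the text cannot be decoded into a usable key.
# Note that unpack("m") is lenient and skips characters outside the base64
# alphabet, so most malformed input is only caught when the key material is
# parsed by public_key.
def key=(key_text)
  begin
    cleaned = key_text.delete("\n ")
    @key = cleaned.unpack("m*")[0]
    public_key
    get_new_key_tag
  rescue StandardError
    # StandardError rather than Exception: Interrupt, SystemExit and
    # NoMemoryError must propagate instead of being reported as a bad key
    raise ArgumentError.new("Key #{cleaned} invalid")
  end
end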

Return the tag for this key

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 244
# Return the key tag, computing it on first use if it has not been cached.
def key_tag
  unless @key_tag
    @make_new_key_tag = true
    get_new_key_tag
  end
  @key_tag
end

Return the key tag this key would have had before it was revoked. If the key is not revoked, then the current key_tag will be returned.

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 224
# Return the key tag this key had before its Revoked bit was set (RFC 5011);
# for a key that is not revoked this is simply key_tag. The tag is obtained
# from a copy so the record itself is left untouched.
def key_tag_pre_revoked
  return key_tag unless revoked?
  unrevoked = clone
  unrevoked.revoked = false
  unrevoked.key_tag
end

[Source]

    # File lib/Dnsruby/resource/DNSKEY.rb, line 63
# Set the protocol field. RFC 4034 section 2.1.2 requires the value 3;
# anything else raises DecodeError. Refreshes the key tag on success.
def protocol=(p)
  unless p == 3
    raise DecodeError.new("DNSKEY protocol field set to #{p}, contrary to RFC4034 section 2.1.2")
  end
  @protocol = p
  get_new_key_tag
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 306
# Return the OpenSSL public key object for this record, building it from
# @key on first use. The key material encoding depends on the algorithm
# family: RSA variants use rsa_key, DSA variants use dsa_key. For any other
# algorithm @public_key stays nil.
def public_key
  unless @public_key
    rsa_algorithms = [Algorithms.RSASHA1, Algorithms.RSASHA256,
                      Algorithms.RSASHA512, Algorithms.RSASHA1_NSEC3_SHA1]
    dsa_algorithms = [Algorithms.DSA, Algorithms.DSA_NSEC3_SHA1]
    if rsa_algorithms.include?(@algorithm)
      @public_key = rsa_key
    elsif dsa_algorithms.include?(@algorithm)
      @public_key = dsa_key
    end
  end
  # @TODO@ Support other key encodings!
  @public_key
end

[Source]

    # File lib/Dnsruby/resource/DNSKEY.rb, line 86
# Set or clear the Revoked bit (RFC 5011) in the flags and refresh the key tag.
def revoked=(on)
  @flags = on ? (@flags | REVOKED_KEY) : (@flags & ~REVOKED_KEY)
  get_new_key_tag
end

[Source]

    # File lib/Dnsruby/resource/DNSKEY.rb, line 95
# True when the Revoked bit (RFC 5011) is set in the flags.
def revoked?
  !(@flags & REVOKED_KEY).zero?
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 322
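# Build an OpenSSL RSA public key from the raw key material in @key.
#
# RFC 3110 section 2 wire format:
#   exponent length (1 octet; if 0, the length follows as 2 octets,
#   high byte first), exponent, then the modulus as the remaining octets.
# Sets @key_length to the size of the modulus in bits.
#
# Fixes the three-octet length form, which the original code computed as
# (key1 << 8) + key1 - using the first length octet twice instead of the
# second - and rejects truncated material with DecodeError instead of
# failing inside RR::get_num.
def rsa_key
  # Work on octets regardless of Ruby version or string encoding
  bytes = @key.unpack("C*")
  raise DecodeError, "DNSKEY RSA public key is empty" if bytes.empty?
  exponent_length = bytes[0]
  pos = 1
  if exponent_length == 0
    if bytes.length < 3
      raise DecodeError, "DNSKEY RSA public key truncated: #{bytes.length} octets"
    end
    exponent_length = (bytes[1] << 8) + bytes[2]
    pos += 2
  end
  if bytes.length < pos + exponent_length
    raise DecodeError, "DNSKEY RSA public key truncated: exponent length #{exponent_length} exceeds #{bytes.length - pos} remaining octets"
  end
  exponent = RR::get_num(bytes[pos, exponent_length].pack("C*"))
  pos += exponent_length

  modulus = RR::get_num(bytes[pos..-1].pack("C*"))
  # Key length is reported as the size of the modulus in bits
  @key_length = (bytes.length - pos) * 8

  # NOTE(review): the openssl gem rejects these per-field setters when built
  # against OpenSSL 3.0 (PKey objects are immutable there) - confirm the
  # supported openssl version before relying on this path
  pkey = OpenSSL::PKey::RSA.new
  pkey.e = exponent
  pkey.n = modulus
  pkey
end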

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 112
# Set or clear the Secure Entry Point bit in the flags and refresh the key tag.
def sep_key=(on)
  @flags = on ? (@flags | SEP_KEY) : (@flags & ~SEP_KEY)
  get_new_key_tag
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 121
# True when the Secure Entry Point bit is set in the flags.
def sep_key?
  !(@flags & SEP_KEY).zero?
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 99
# Set or clear the Zone Key bit in the flags and refresh the key tag.
def zone_key=(on)
  @flags = on ? (@flags | ZONE_KEY) : (@flags & ~ZONE_KEY)
  get_new_key_tag
end

[Source]

     # File lib/Dnsruby/resource/DNSKEY.rb, line 108
# True when the Zone Key bit is set in the flags.
def zone_key?
  !(@flags & ZONE_KEY).zero?
end
