Class Dnsruby::RR::RRSIG
In: lib/Dnsruby/resource/RRSIG.rb
Parent: RR
 (RFC4034, section 3)

DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). Digital signatures are stored in RRSIG resource records and are used in the DNSSEC authentication process described in [RFC4035]. A validator can use these RRSIG RRs to authenticate RRsets from the zone. The RRSIG RR MUST only be used to carry verification material (digital signatures) used to secure DNS operations.

An RRSIG record contains the signature for an RRset with a particular name, class, and type. The RRSIG RR specifies a validity interval for the signature and uses the Algorithm, the Signer's Name, and the Key Tag to identify the DNSKEY RR containing the public key that a validator can use to verify the signature.

Methods

Constants

TypeValue = Types::RRSIG #:nodoc: all

Attributes

algorithm  [R]  The algorithm used for this RRSIG. See Dnsruby::Algorithms for permitted values.
expiration  [RW]  The signature expiration
inception  [RW]  The signature inception
key_tag  [RW]  The key tag value of the DNSKEY RR that validates this signature
labels  [RW]  The number of labels in the original RRSIG RR owner name. Can be used to determine if the name was synthesised from a wildcard.
original_ttl  [RW]  The TTL of the covered RRSet as it appears in the authoritative zone
signature  [RW]  contains the cryptographic signature that covers the RRSIG RDATA (excluding the Signature field) and the RRset specified by the RRSIG owner name, RRSIG class, and RRSIG Type Covered field
signers_name  [R]  identifies the owner name of the DNSKEY RR that a validator is supposed to use to validate this signature
type_covered  [R]  The type covered by this RRSIG

Public Class methods

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 183
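# Convert an RRSIG inception/expiration value to seconds since the Unix epoch.
#
# RFC 4034, section 3.2: the Signature Expiration and Inception fields are
# written either as an unsigned decimal integer (seconds since 1 January 1970
# 00:00:00 UTC) or as YYYYMMDDHHmmSS in UTC. The two forms cannot be confused:
# the date form is always exactly 14 digits, while a 32-bit unsigned integer
# never needs more than 10.
#
# @param input [Integer, String] epoch seconds, or either textual form
# @return [Integer] seconds since the epoch
# @raise [DecodeError] if the text is not all digits, matches neither form,
#   or carries a date field that Time.gm rejects as out of range
def RRSIG.get_time(input)
  # Integer also matches Fixnum/Bignum on older Rubies; the Fixnum constant
  # itself was removed in Ruby 3.2, so testing against it raises NameError there.
  return input if input.kind_of?(Integer)

  # to_s turns a missing field (nil) into "" so that it is rejected below
  # instead of failing with NoMethodError.
  text = input.to_s
  if text =~ /\A\d{1,10}\z/
    # Digits only: String#to_i would otherwise silently read "12345abcde" as 12345.
    # NOTE(review): a 10-digit value can exceed 2**32 - 1 and is returned
    # unchanged here - confirm how callers handle the 32-bit wire field.
    return text.to_i
  elsif text =~ /\A\d{14}\z/
    begin
      # @TODO@ REPLACE THIS BY LOCAL CODE - Time.gm DOG SLOW!
      return Time.gm(text[0, 4], text[4, 2], text[6, 2],
                     text[8, 2], text[10, 2], text[12, 2]).to_i
    rescue ArgumentError
      # e.g. month 13 or hour 25: report it as a decode failure like any
      # other malformed time value.
      raise DecodeError.new("RRSIG : Illegal time value #{input} - see RFC 4034 section 3.2")
    end
  end
  raise DecodeError.new("RRSIG : Illegal time value #{input} - see RFC 4034 section 3.2")
end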

Public Instance methods

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 102
# Set the signature algorithm.
#
# A String that parses to a positive integer (e.g. "5") is converted to that
# integer first; any other value is handed to Algorithms.new unchanged.
#
# @param a [String, Integer, Object] algorithm number or a value Algorithms.new accepts
# @raise [DecodeError] when Algorithms.new rejects the value with ArgumentError
def algorithm=(a)
  numeric = a.instance_of?(String) ? a.to_i : 0
  a = numeric if numeric > 0
  begin
    @algorithm = Algorithms.new(a)
  rescue ArgumentError => e
    raise DecodeError.new(e)
  end
end

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 224
# Render epoch seconds in the 14-digit YYYYMMDDHHmmSS form, in UTC.
#
# @param time [Integer] seconds since 1 January 1970 00:00:00 UTC
# @return [String] the timestamp as YYYYMMDDHHmmSS
def format_time(time)
  stamp = Time.at(time)
  stamp.utc.strftime("%Y%m%d%H%M%S")
end

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 145
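# Populate this RRSIG from the text form of its RDATA.
#
# Whitespace-separated fields, in order: type covered, algorithm, labels,
# original TTL, expiration, an optional "(", inception, key tag, signer's
# name, then one or more base64 signature chunks. When "(" is present the
# final token is assumed to be the closing ")". A ";" starts a comment that
# ends the signature.
#
# An empty string leaves the record untouched.
#
# @param input [String] RDATA text
# @raise [DecodeError] if fields up to and including the signer's name are
#   missing, or a field setter / get_time rejects its value
def from_string(input)
  return unless input.length > 0

  data = input.split(" ")
  # Brackets may also be present
  index = 5
  end_index = data.length - 1
  if data[index] == "("
    index = 6
    end_index = data.length - 2
  end
  # Reject truncated input before touching any field. Without this check a
  # short record either fails with NoMethodError on a nil field or is
  # accepted with a key tag of 0 and an empty signature.
  if data.length < index + 3
    raise DecodeError.new("RRSIG : Too few fields in #{input} - see RFC 4034 section 3.2")
  end

  self.type_covered = data[0]
  self.algorithm = data[1]
  self.labels = data[2].to_i
  self.original_ttl = data[3].to_i
  self.expiration = get_time(data[4])
  self.inception = get_time(data[index])
  self.key_tag = data[index + 1].to_i
  self.signers_name = data[index + 2]

  # The signature may be split across several tokens; gather them up to
  # end_index or the first comment. split(" ") has already removed every
  # space and newline, so the chunks can be joined as they are.
  chunks = []
  (index + 3..end_index).each do |i|
    comment_index = data[i].index(";")
    if comment_index
      chunks << data[i].slice(0, comment_index)
      # @TODO@ We lose the comments here - we should really keep them for when we write back to string format?
      break
    end
    chunks << data[i]
  end
  # NOTE(review): unpack("m*") is the lenient base64 decoder - characters
  # outside the alphabet are skipped, not rejected, so a corrupted signature
  # decodes to different bytes and is only caught when verification fails.
  self.signature = chunks.join.unpack("m*")[0]
end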

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 220
# Instance-level shortcut for RRSIG.get_time.
#
# @param input [Object] the value passed straight through to RRSIG.get_time
# @return whatever RRSIG.get_time returns for +input+
def get_time(input)
  RRSIG.get_time(input)
end

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 90
 # Give every RRSIG field a placeholder value.
 #
 # These are starting values only: inception and expiration are both set to
 # the current time, and the signature is a single NUL byte.
 def init_defaults
   # Placeholder algorithm. RFC 8624 lists RSASHA1 as NOT RECOMMENDED for
   # signing, so real signatures should set the algorithm explicitly.
   @algorithm = Algorithms.RSASHA1
   @type_covered = Types::A
   @original_ttl = 3600
   # Two separate clock reads, inception first.
   @inception = Time.now.to_i
   @expiration = Time.now.to_i
   @key_tag = @labels = 0
   # Goes through the setter, which builds the name with Name.create.
   self.signers_name = "."
   @signature = "\0"
 end

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 261
# Build the RRSIG_RDATA input for signing or verification: the wire format of
# the RRSIG RDATA fields with the Signer's Name in canonical form and the
# Signature field left out.
#
# @return [String] the encoder's output converted with to_s
def sig_data
  encoder = MessageEncoder.new do |msg|
    # type covered (16 bit), algorithm (8 bit), labels (8 bit)
    msg.put_pack('ncc', @type_covered.to_i, @algorithm.to_i, @labels)
    # original TTL, expiration, inception - 32 bits each, big-endian
    msg.put_pack("NNN", @original_ttl, @expiration, @inception)
    msg.put_pack("n", @key_tag)
    # presumably the `true` flag asks for the canonical form of the name -
    # confirm against MessageEncoder#put_name
    msg.put_name(@signers_name, true)
  end
  encoder.to_s
end

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 125
# Set the signer's name, i.e. the owner name of the DNSKEY RR that validates
# this signature.
#
# @param s [Object] any value Name.create accepts
# @raise [DecodeError] when Name.create rejects the value with ArgumentError
def signers_name=(s)
  @signers_name = Name.create(s)
rescue ArgumentError => e
  raise DecodeError.new(e)
end

[Source]

     # File lib/Dnsruby/resource/RRSIG.rb, line 116
# Set the RR type covered by this signature.
#
# @param t [Object] any value Types.new accepts
# @raise [DecodeError] when Types.new rejects the value with ArgumentError
def type_covered=(t)
  @type_covered = Types.new(t)
rescue ArgumentError => e
  raise DecodeError.new(e)
end
