Class | Dnsruby::RR::RRSIG |
In: |
lib/Dnsruby/resource/RRSIG.rb
|
Parent: | RR |
(RFC4034, section 3)
DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). Digital signatures are stored in RRSIG resource records and are used in the DNSSEC authentication process described in [RFC4035]. A validator can use these RRSIG RRs to authenticate RRsets from the zone. The RRSIG RR MUST only be used to carry verification material (digital signatures) used to secure DNS operations.
An RRSIG record contains the signature for an RRset with a particular name, class, and type. The RRSIG RR specifies a validity interval for the signature and uses the Algorithm, the Signer's Name, and the Key Tag to identify the DNSKEY RR containing the public key that a validator can use to verify the signature.
TypeValue | = | Types::RRSIG #:nodoc: all |
algorithm | [R] | The algorithm used for this RRSIG. See Dnsruby::Algorithms for permitted values. |
expiration | [RW] | The signature expiration |
inception | [RW] | The signature inception |
key_tag | [RW] | The key tag value of the DNSKEY RR that validates this signature |
labels | [RW] | The number of labels in the original RRSIG RR owner name. Can be used to determine whether the name was synthesised from a wildcard. |
original_ttl | [RW] | The TTL of the covered RRSet as it appears in the authoritative zone |
signature | [RW] | contains the cryptographic signature that covers the RRSIG RDATA (excluding the Signature field) and the RRset specified by the RRSIG owner name, RRSIG class, and RRSIG Type Covered field |
signers_name | [R] | identifies the owner name of the DNSKEY RR that a validator is supposed to use to validate this signature |
type_covered | [R] | The type covered by this RRSIG |
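# File lib/Dnsruby/resource/RRSIG.rb, line 183
# Parse an RRSIG Inception/Expiration field into seconds since the Unix epoch.
#
# @param input [Integer, String] an Integer (returned unchanged), a decimal
#   string of at most 10 digits (seconds since 1 January 1970 00:00:00 UTC),
#   or a 14-digit YYYYMMDDHHmmSS string in UTC (RFC 4034, section 3.2)
# @return [Integer] seconds since the epoch
# @raise [DecodeError] if the string is neither form, contains non-digit
#   characters, or names a calendar date/time that does not exist
def self.get_time(input)
  # Fixnum was removed in Ruby 3.2; Integer covers every integer size.
  return input if input.kind_of?(Integer)

  # RFC 4034, section 3.2
  # The Signature Expiration Time and Inception Time field values MUST be
  # represented either as an unsigned decimal integer indicating seconds
  # since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
  # UTC, where:
  #
  #   YYYY is the year (0001-9999, but see Section 3.1.5);
  #   MM is the month number (01-12);
  #   DD is the day of the month (01-31);
  #   HH is the hour, in 24 hour notation (00-23);
  #   mm is the minute (00-59); and
  #   SS is the second (00-59).
  #
  # Note that it is always possible to distinguish between these two
  # formats because the YYYYMMDDHHmmSS format will always be exactly 14
  # digits, while the decimal representation of a 32-bit unsigned integer
  # can never be longer than 10 digits.
  str = input.to_s
  if str =~ /\A\d{14}\z/
    year, mon, day, hour, min, sec = str.unpack("A4A2A2A2A2A2").map(&:to_i)
    begin
      # @TODO@ REPLACE THIS BY LOCAL CODE - Time.gm DOG SLOW!
      Time.gm(year, mon, day, hour, min, sec).to_i
    rescue ArgumentError => e
      # e.g. month 13 or day 32: report it as malformed RDATA, like the other setters
      raise DecodeError.new("RRSIG : Illegal time value #{input} - #{e.message}")
    end
  elsif str =~ /\A\d{1,10}\z/
    # The decimal form may be shorter than 10 digits; only digits are accepted
    # so a malformed value cannot silently parse to 0 via String#to_i.
    str.to_i
  else
    raise DecodeError.new("RRSIG : Illegal time value #{input} - see RFC 4034 section 3.2")
  end
end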
# File lib/Dnsruby/resource/RRSIG.rb, line 102
# Set the signing algorithm from an Algorithms value, a mnemonic string, or a
# numeric string (converted to its integer code when positive).
#
# @param a [Algorithms, String, Integer] the algorithm to store
# @raise [DecodeError] if Algorithms does not accept the value
def algorithm=(a)
  # A numeric string such as "5" is looked up by code rather than by name.
  a = a.to_i if a.instance_of?(String) && a.to_i > 0
  @algorithm = Algorithms.new(a)
rescue ArgumentError => e
  raise DecodeError.new(e)
end
# File lib/Dnsruby/resource/RRSIG.rb, line 224
# Render an epoch timestamp in the RFC 4034 YYYYMMDDHHmmSS presentation form (UTC).
#
# @param time [Integer] seconds since the Unix epoch
# @return [String] 14-digit UTC timestamp
def format_time(time)
  stamp = Time.at(time).utc
  stamp.strftime("%Y%m%d%H%M%S")
end
# File lib/Dnsruby/resource/RRSIG.rb, line 145
# Populate this RRSIG from its presentation-format RDATA:
#   type_covered algorithm labels original_ttl expiration [(] inception key_tag signers_name signature... [)]
# The signature may be split across several whitespace-separated tokens and may
# be followed by a ";" comment, which is discarded. An empty input leaves the
# record untouched.
#
# @param input [String] the RDATA text
# @raise [DecodeError] from the field setters on malformed values
def from_string(input)
  return if input.empty?

  data = input.split(" ")
  self.type_covered = data[0]
  self.algorithm = data[1]
  self.labels = data[2].to_i
  self.original_ttl = data[3].to_i
  self.expiration = get_time(data[4])
  # Brackets may also be present: an opening "(" shifts the remaining fields
  # by one and the matching ")" is assumed to be the final token.
  index = 5
  end_index = data.length - 1
  if data[index] == "("
    index = 6
    end_index = data.length - 2
  end
  self.inception = get_time(data[index])
  self.key_tag = data[index + 1].to_i
  self.signers_name = data[index + 2]
  # signature can include whitespace - gather every token up to the end
  # (or up to a ";" comment), then strip any remaining whitespace.
  buf = ""
  (index + 3..end_index).each do |i|
    token = data[i]
    comment_index = token.index(";")
    if comment_index
      buf << token.slice(0, comment_index)
      # @TODO@ We lose the comments here - we should really keep them for when we write back to string format?
      break
    end
    buf << token
  end
  buf.gsub!(/\n/, "")
  buf.gsub!(/ /, "")
  #self.signature=Base64.decode64(buf)
  self.signature = buf.unpack("m*").first
end
# File lib/Dnsruby/resource/RRSIG.rb, line 220
# Instance-level convenience wrapper around RRSIG.get_time.
#
# @param input [Integer, String] see RRSIG.get_time
# @return [Integer] seconds since the epoch
def get_time(input)
  RRSIG.get_time(input)
end
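# File lib/Dnsruby/resource/RRSIG.rb, line 90
# Populate a fresh RRSIG with placeholder values: RSASHA1, covering type A,
# a 3600s original TTL, inception and expiration both equal to the current
# time, a zero key tag and label count, the root as signer's name and a
# single NUL byte as signature.
def init_defaults
  @algorithm = Algorithms.RSASHA1
  @type_covered = Types::A
  @original_ttl = 3600
  # Read the clock once so inception and expiration are always identical,
  # instead of two Time.now calls that can straddle a second boundary.
  now = Time.now.to_i
  @inception = now
  @expiration = now
  @key_tag = 0
  @labels = 0
  # Goes through the setter so the name is validated via Name.create.
  self.signers_name = "."
  @signature = "\0"
end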
# File lib/Dnsruby/resource/RRSIG.rb, line 261
# Build the RRSIG_RDATA input to the signature computation:
# the wire format of the RRSIG RDATA fields with the Signer's Name field
# in canonical form and the Signature field excluded.
#
# @return [String] the encoded RDATA prefix
def sig_data
  encoder = MessageEncoder.new do |msg|
    # type covered (16 bit), algorithm (8 bit), labels (8 bit)
    msg.put_pack('ncc', @type_covered.to_i, @algorithm.to_i, @labels)
    # original TTL, expiration, inception (32 bit each)
    msg.put_pack("NNN", @original_ttl, @expiration, @inception)
    msg.put_pack("n", @key_tag)
    # canonical (lower-case, uncompressed) signer's name
    msg.put_name(@signers_name, true)
  end
  encoder.to_s
end
# File lib/Dnsruby/resource/RRSIG.rb, line 125
# Set the signer's name, normalising the input through Name.create.
#
# @param s [String, Name] the owner name of the validating DNSKEY RR
# @raise [DecodeError] if Name.create rejects the value
def signers_name=(s)
  @signers_name = Name.create(s)
rescue ArgumentError => e
  raise DecodeError.new(e)
end