"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "lib/Net/DNS/RR/TSIG.pm" between
Net-DNS-1.23.tar.gz and Net-DNS-1.23_01.tar.gz

About: Net::DNS is a DNS resolver implemented in Perl. Development version.

TSIG.pm  (Net-DNS-1.23):TSIG.pm  (Net-DNS-1.23_01)
package Net::DNS::RR::TSIG; package Net::DNS::RR::TSIG;
# #
# $Id: TSIG.pm 1774 2020-03-18 07:49:22Z willem $ # $Id: TSIG.pm 1779 2020-05-11 09:11:17Z willem $
# #
our $VERSION = (qw$LastChangedRevision: 1774 $)[1]; our $VERSION = (qw$LastChangedRevision: 1779 $)[1];
use strict; use strict;
use warnings; use warnings;
use base qw(Net::DNS::RR); use base qw(Net::DNS::RR);
=head1 NAME =head1 NAME
Net::DNS::RR::TSIG - DNS TSIG resource record Net::DNS::RR::TSIG - DNS TSIG resource record
=cut =cut
skipping to change at line 342 skipping to change at line 342
} elsif ( ref($karg) eq 'Net::DNS::RR::KEY' ) { } elsif ( ref($karg) eq 'Net::DNS::RR::KEY' ) {
return new Net::DNS::RR( return new Net::DNS::RR(
name => $karg->name, name => $karg->name,
type => 'TSIG', type => 'TSIG',
algorithm => $karg->algorithm, algorithm => $karg->algorithm,
key => $karg->key, key => $karg->key,
@_ @_
); );
} }
croak "Usage: create $class(keyfile)\n\tcreate $class(keyname, key)"; croak "Usage: create $class( \$keyfile, \@options )";
} elsif ( scalar(@_) == 1 ) { } elsif ( scalar(@_) == 1 ) {
my $key = shift; # ( keyname, key $class->_deprecate('create( $keyname, $key )'); # ( keyname, key
) )
$class->_deprecate('create( $key_name, $key )');
return new Net::DNS::RR( return new Net::DNS::RR(
name => $karg, name => $karg,
type => 'TSIG', type => 'TSIG',
key => $key key => shift
); );
} elsif ( $karg =~ /private$/ ) { # ( keyfile, opti } else {
ons ) require File::Spec; # ( keyfile, opti
require File::Spec; ons )
require Net::DNS::ZoneFile; require Net::DNS::ZoneFile;
my $keyfile = new Net::DNS::ZoneFile($karg); my $keyfile = new Net::DNS::ZoneFile($karg);
my ( $alg, $key, $junk ); my ( $vol, $dir, $filename ) = File::Spec->splitpath( $keyfile->n
while ( $keyfile->_getline ) { ame );
( $junk, $alg ) = split if /Algorithm:/;
( $junk, $key ) = split if /Key:/; $filename =~ m/^K([^+]+)\+\d+\+\d+\./; # BIND dnssec-key
gen
my $key = $1;
if ( $key && $filename =~ /\.key$/ ) {
my $keyrr = $keyfile->read; # BIND dnssec pub
lic key
croak 'key file incompatible with TSIG' if $keyrr->type n
e 'KEY';
return new Net::DNS::RR(
name => $keyrr->name,
type => 'TSIG',
algorithm => $keyrr->algorithm,
key => $keyrr->key,
@_
);
} }
my ( $vol, $dir, $file ) = File::Spec->splitpath( $keyfile->name my ( $algorithm, $secret, $junk );
); while ( $keyfile->_getline ) {
croak 'misnamed private key' unless $file =~ /^K([^+]+)+.+private $key = $1 if /^key "([^"]+)"/; # BIND tsig key
$/; $secret = $1 if /secret "([^"]+)";/;
my $kname = $1; $algorithm = $1 if /algorithm ([^;]+);/;
return new Net::DNS::RR(
name => $kname, ( $junk, $secret ) = split if /^Key:/; # BIND
type => 'TSIG', dnssec private key
algorithm => $alg, ( $junk, $algorithm ) = split if /^Algorithm:/;
key => $key, }
@_
);
} else { # ( keyfile, opti
ons )
require Net::DNS::ZoneFile;
my $keyrr = new Net::DNS::ZoneFile($karg)->read;
croak 'key file incompatible with TSIG' unless $keyrr->type eq 'K
EY';
return new Net::DNS::RR( return new Net::DNS::RR(
name => $keyrr->name, name => $key,
type => 'TSIG', type => 'TSIG',
algorithm => $keyrr->algorithm, algorithm => $algorithm,
key => $keyrr->key, key => $secret,
@_ @_
); );
} }
} }
sub verify { sub verify {
my $self = shift; my $self = shift;
my $data = shift; my $data = shift;
if ( scalar @_ ) { if ( scalar @_ ) {
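Review bot: the filename parse in the new `else` branch copies `$1` from an unchecked match (`$filename =~ m/^K([^+]+)\+\d+\+\d+\./;` followed by `my $key = $1;`), so when the file is not a dnssec-keygen `K<name>+<alg>+<id>.*` file, `$key` holds whatever the last successful match in the enclosing dynamic scope captured rather than undef; writing `my ($key) = $filename =~ m/^K([^+]+)\+\d+\+\d+\./;` gives undef on no match, which is what the following `if ( $key && $filename =~ /\.key$/ )` test assumes. Related: the old code croaked with 'misnamed private key' when the file name did not fit, and this rewrite has no equivalent, so a file that is neither a recognised `.key` file nor contains `key "..."`/`secret "..."`/`algorithm ...;` or `Key:`/`Algorithm:` lines falls through to `new Net::DNS::RR( name => $key, ... key => $secret, ...)` with undefined name, algorithm and secret; croaking after the `while ( $keyfile->_getline )` loop when `$key` or `$secret` is undefined would make a wrong path fail at `create` instead of at signing or verification time. Finally, `/^key "([^"]+)"/` only accepts a double-quoted key name, while the named.conf syntax (and the documentation this file carried until now, `key <keyname> {`) also allows an unquoted name; a pattern such as `/^key\s+"?([^"\s{]+)"?/` accepts both forms.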
skipping to change at line 632 skipping to change at line 637
The message ID from the header of the original packet. The message ID from the header of the original packet.
=head2 error =head2 error
=head2 vrfyerrstr =head2 vrfyerrstr
$rcode = $tsig->error; $rcode = $tsig->error;
Returns the RCODE covering TSIG processing. Common values are Returns the RCODE covering TSIG processing. Common values are
NOERROR, BADSIG, BADKEY, and BADTIME. See RFC 2845 for details. NOERROR, BADSIG, BADKEY, and BADTIME. See RFC2845 for details.
=head2 other =head2 other
$other = $tsig->other; $other = $tsig->other;
This field should be empty unless the error is BADTIME, in which This field should be empty unless the error is BADTIME, in which
case it will contain the server time as the number of seconds since case it will contain the server time as the number of seconds since
1 Jan 1970 00:00:00 UTC. 1 Jan 1970 00:00:00 UTC.
=head2 sig_function =head2 sig_function
skipping to change at line 674 skipping to change at line 679
=head2 create =head2 create
$tsig = create Net::DNS::RR::TSIG( $keyfile ); $tsig = create Net::DNS::RR::TSIG( $keyfile );
$tsig = create Net::DNS::RR::TSIG( $keyfile, $tsig = create Net::DNS::RR::TSIG( $keyfile,
fudge => 300 fudge => 300
); );
Returns a TSIG RR constructed using the parameters in the specified Returns a TSIG RR constructed using the parameters in the specified
key file, which is assumed to have been generated by dnssec-keygen. key file, which is assumed to have been generated by tsig-keygen.
=head2 verify =head2 verify
$verify = $tsig->verify( $data ); $verify = $tsig->verify( $data );
$verify = $tsig->verify( $packet ); $verify = $tsig->verify( $packet );
$verify = $tsig->verify( $reply, $query ); $verify = $tsig->verify( $reply, $query );
$verify = $tsig->verify( $packet, $prior ); $verify = $tsig->verify( $packet, $prior );
The boolean verify method will return true if the hash over the The boolean verify method will return true if the hash over the
packet data conforms to the data in the TSIG itself packet data conforms to the data in the TSIG itself
=head1 TSIG Keys =head1 TSIG Keys
TSIG keys are symmetric keys generated using dnssec-keygen: The TSIG authentication mechanism employs shared secret keys
to establish a trust relationship between two entities.
$ dnssec-keygen -a HMAC-SHA1 -b 160 -n HOST <keyname> It should be noted that it is possible for more than one key
to be in use simultaneously between any such pair of entities.
The key will be stored as a private and public keyfile pair TSIG keys are generated using the tsig-keygen utility
K<keyname>+161+<keyid>.private and K<keyname>+161+<keyid>.key distributed with ISC BIND:
where tsig-keygen -a HMAC-SHA256 host1-host2.example.
<keyname> is the DNS name of the key.
<keyid> is the (generated) numerical identifier used to Other algorithms may be substituted for HMAC-SHA256 in the above example.
distinguish this key.
Other algorithms may be substituted for HMAC-SHA1 in the above example. These keys must be protected in a manner similar to private keys,
lest a third party masquerade as one of the intended parties
It is recommended that the keyname be globally unique and incorporate by forging the message authentication code (MAC).
the fully qualified domain names of the resolver and nameserver in
that order. It should be possible for more than one key to be in use
simultaneously between any such pair of hosts.
Although the formats differ, the private and public keys are identical
and both should be stored and handled as secret data.
=head1 Configuring BIND Nameserver =head1 Configuring BIND Nameserver
The following lines must be added to the /etc/named.conf file: The generated key must be added to the /etc/named.conf configuration
or a separate file introduced by the $INCLUDE directive:
key <keyname> { key "host1-host2.example. {
algorithm HMAC-SHA1; algorithm hmac-sha256;
secret "<keydata>"; secret "Secret+known+only+by+participating+entities=";
}; };
<keyname> is the name of the key chosen when the key was generated.
<keydata> is the key string extracted from the generated key file.
=head1 ACKNOWLEDGMENT =head1 ACKNOWLEDGMENT
Most of the code in the Net::DNS::RR::TSIG module was contributed Most of the code in the Net::DNS::RR::TSIG module was contributed
by Chris Turbeville. by Chris Turbeville.
Support for external signing functions was added by Andrew Tridgell. Support for external signing functions was added by Andrew Tridgell.
TSIG verification, BIND keyfile handling and support for HMAC-SHA1, TSIG verification, BIND keyfile handling and support for HMAC-SHA1,
HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512 functions was HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512 functions was
added by Dick Franks. added by Dick Franks.
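Review bot: the named.conf example in the new "Configuring BIND Nameserver" section is missing its closing quote, `key "host1-host2.example. {` should read `key "host1-host2.example." {`; as written it is not valid named.conf, and a key file copied from this example would not be matched by the `/^key "([^"]+)"/` pattern that `create` uses to extract the key name. Two smaller documentation points in the same hunk: the `create` description now says the key file "is assumed to have been generated by tsig-keygen", but the code still reads dnssec-keygen `K<keyname>+<alg>+<id>.key` and `.private` files, so "tsig-keygen (or dnssec-keygen)" would describe the accepted input accurately for users with existing keys; and the "TSIG Keys" section shows the `tsig-keygen -a HMAC-SHA256 host1-host2.example.` command but not the file name that `create( $keyfile )` then reads, so stating where the generated key statement is to be saved would connect the two sections.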
skipping to change at line 749 skipping to change at line 745
A 32-bit representation of time is used, contrary to RFC2845 which A 32-bit representation of time is used, contrary to RFC2845 which
demands 48 bits. This design decision will need to be reviewed demands 48 bits. This design decision will need to be reviewed
before the code stops working on 7 February 2106. before the code stops working on 7 February 2106.
=head1 COPYRIGHT =head1 COPYRIGHT
Copyright (c)2000,2001 Michael Fuhr. Copyright (c)2000,2001 Michael Fuhr.
Portions Copyright (c)2002,2003 Chris Reinhardt. Portions Copyright (c)2002,2003 Chris Reinhardt.
Portions Copyright (c)2013 Dick Franks. Portions Copyright (c)2013,2020 Dick Franks.
All rights reserved. All rights reserved.
Package template (c)2009,2012 O.M.Kolkman and R.W.Franks. Package template (c)2009,2012 O.M.Kolkman and R.W.Franks.
=head1 LICENSE =head1 LICENSE
Permission to use, copy, modify, and distribute this software and its Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted, provided documentation for any purpose and without fee is hereby granted, provided
that the above copyright notice appear in all copies and that both that that the above copyright notice appear in all copies and that both that
 End of changes. 23 change blocks. 
63 lines changed or deleted 60 lines changed or added