RFC 4034, section 4: The DS Resource Record refers to a DNSKEY RR and is used in the DNS DNSKEY authentication process. A DS RR refers to a DNSKEY RR by storing the key tag, algorithm number, and a digest of the DNSKEY RR. Note that while the digest should be sufficient to identify the public key, storing the key tag and key algorithm helps make the identification process more efficient. By authenticating the DS record, a resolver can authenticate the DNSKEY RR to which the DS record points. The key authentication process is described in [RFC4035].
# File lib/Dnsruby/resource/DS.rb, line 149
# Build a DS RR that refers to +key+ (a DNSKEY RR), digesting it with
# +digest_type+ (anything DS.get_digest_type accepts).
#
# Only a key whose flags have bit 6 clear and bit 7 (the Zone Key bit)
# set is accepted; for any other flags a message is printed and nil is
# returned.  No other flag or protocol checks are applied here.
#
# Note that digest_key returns nil for a digest type it does not
# implement, in which case the unpack below raises NoMethodError.
def DS.from_key(key, digest_type)
  # 0x300 masks flag bits 6 and 7; the only permitted value is 0x100.
  unless (key.flags & 0x300) == 0x100
    puts "\nCreating a DS record for a key with flags 6 and 7 not set 0 and 1 respectively is illegal"
    return
  end

  digest_type = get_digest_type(digest_type)

  # The DS carries the key's owner name, TTL, key tag and algorithm.
  ds = RR.create(:name => key.name, :type => "DS", :ttl => key.ttl,
                 :key_tag => key.key_tag,
                 :digest_type => digest_type, :algorithm => key.algorithm)
  ds.digestbin = ds.digest_key(key, digest_type)
  ds.digest = ds.digestbin.unpack("H*")[0]
  ds
end
# File lib/Dnsruby/resource/DS.rb, line 79
# Turn +d+ into a DigestTypes instance.  A one-character String is
# converted to its integer code first; every other value (including
# longer Strings) is handed to DigestTypes.new unchanged.
#
# NOTE(review): algorithm= converts Strings shorter than three
# characters, whereas this only converts single-character ones — a
# two-digit code given as text reaches DigestTypes.new as a String;
# confirm that is accepted.
#
# @raise [DecodeError] when DigestTypes rejects the value
def DS.get_digest_type(d)
  d = d.to_i if d.instance_of?(String) && d.length == 1
  DigestTypes.new(d)
rescue ArgumentError => e
  raise DecodeError.new(e)
end
# File lib/Dnsruby/resource/DS.rb, line 93
# Set the DNSKEY algorithm of this DS record.  +a+ may be an Algorithms
# value, an integer code, or a String; a String shorter than three
# characters is treated as a numeric code, a longer one is passed to
# Algorithms.new as it is.
#
# @raise [DecodeError] when Algorithms rejects the value
def algorithm=(a)
  a = a.to_i if a.instance_of?(String) && a.length < 3
  @algorithm = Algorithms.new(a)
rescue ArgumentError => e
  raise DecodeError.new(e)
end
Check if the key’s digest is the same as that stored in the DS record
# File lib/Dnsruby/resource/DS.rb, line 133
# Check if the key's digest is the same as that stored in the DS record.
#
# Returns true only when +key+ carries this record's key tag and
# algorithm, the digest of +key+ (computed with this record's digest
# type) equals @digestbin, and key.zone_key? is true; false otherwise.
# digest_key returns nil for a digest type it does not implement, so a
# DS with such a digest type never matches any key.
def check_key(key)
  return false unless key.key_tag == @key_tag
  return false unless key.algorithm == @algorithm
  return false unless @digestbin == digest_key(key)

  key.zone_key? ? true : false
end
Return the digest of the specified DNSKEY RR
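# File lib/Dnsruby/resource/DS.rb, line 108
# Return the digest of the specified DNSKEY RR.
#
# Called as digest_key(key) — using this record's @digest_type — or as
# digest_key(key, digest_type) with an explicit DigestTypes value.  The
# digest is taken over the key's owner name followed by the encoded
# DNSKEY RDATA (RFC 4034 section 5.1.4); the +true+ arguments are
# presumably the canonical-form flags of MessageEncoder — confirm there.
#
# Supported digest types are 1 (SHA-1), 2 (SHA-256) and 4 (SHA-384,
# RFC 6605).  Any other code, including 3 (GOST, RFC 5933), returns nil,
# which check_key treats as "no match".
#
# @return [String, nil] the raw binary digest, or nil if unsupported
def digest_key(*args) # key, digest_type)
  key = args[0]
  digest_type = args.length == 2 ? args[1] : @digest_type

  data = MessageEncoder.new { |msg|
    msg.put_name(key.name, true)
    key.encode_rdata(msg, true)
  }.to_s

  case digest_type.code
  when 1 then OpenSSL::Digest::SHA1.digest(data)
  when 2 then Digest::SHA256.digest(data)
  when 4 then Digest::SHA384.digest(data)
  else nil # unsupported digest type: callers must handle nil
  end
end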
# File lib/Dnsruby/resource/DS.rb, line 74
# Set this record's digest type.  +d+ is anything DS.get_digest_type
# accepts; that method raises DecodeError for values DigestTypes rejects.
def digest_type=(d)
  @digest_type = DS.get_digest_type(d)
end
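# File lib/Dnsruby/resource/DS.rb, line 197
# Populate this DS record from its presentation (zone-file) form:
#
#   <key_tag> <algorithm> <digest_type> <hex digest ...>
#
# The digest may be split over several whitespace-separated tokens and
# may be wrapped in "(" ... ")"; anything from the first ";" onwards is
# a comment and is dropped.  An empty +input+ leaves the record as it is.
#
# @raise [DecodeError] if the algorithm or digest type is not
#   recognised, or if the digest text is not an even number of
#   hexadecimal digits
def from_string(input)
  return if input.empty?

  # split(" ") splits on any run of whitespace, so tokens carry no
  # spaces or newlines.
  data = input.split(" ")
  self.key_tag = data[0].to_i
  self.algorithm = data[1]
  self.digest_type = data[2]

  # The digest starts at token 3, or at token 4 in the "( ... )" form,
  # whose final token is the closing parenthesis.
  first = 3
  last = data.length - 1
  if data[first] == "("
    first = 4
    last = data.length - 2
  end

  buf = String.new
  (first..last).each do |i|
    token = data[i]
    comment_index = token.index(";")
    if comment_index
      buf << token.slice(0, comment_index)
      # @TODO@ We lose the comments here - we should really keep them for when we write back to string format?
      break
    end
    buf << token
  end

  # pack("H*") does not reject non-hex characters and pads an odd-length
  # string, which would store a digest that can never match a key; fail
  # loudly on malformed digest text instead.
  if buf !~ /\A[0-9a-fA-F]*\z/ || buf.length.odd?
    raise DecodeError.new("DS digest is not an even-length hex string: #{buf.inspect}")
  end

  self.digest = buf
  self.digestbin = [buf].pack("H*")
end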