RFC4034, section 2: DNSSEC uses public key cryptography to sign and authenticate DNS resource record sets (RRsets). The public keys are stored in DNSKEY resource records and are used in the DNSSEC authentication process described in [RFC4035]: a zone signs its authoritative RRsets by using a private key and stores the corresponding public key in a DNSKEY RR. A resolver can then use the public key to validate signatures covering the RRsets in the zone, and thus to authenticate them.
Flag constants (RFC4034 section 2.1.1, RFC 5011):
REVOKED_KEY - Key is revoked
ZONE_KEY - Key is a zone key
SEP_KEY - Key is a secure entry point key
# File lib/Dnsruby/resource/DNSKEY.rb, line 71
def algorithm=(a)
  if (a.instance_of?String)
    if (a.to_i > 0)
      a = a.to_i
    end
  end
  begin
    alg = Algorithms.new(a)
    @algorithm = alg
  rescue ArgumentError => e
    raise DecodeError.new(e)
  end
  get_new_key_tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 348
def dsa_key
  # RFC 2536 encoding: the first byte T gives the size of P, G and Y
  # (64 + T*8 bytes each); Q is always 20 bytes
  t = @key[0]
  t = t.getbyte(0) if t.class == String
  pgy_len = t * 8 + 64
  pos = 1
  q = RR::get_num(@key[pos, 20])
  pos += 20
  p = RR::get_num(@key[pos, pgy_len])
  pos += pgy_len
  g = RR::get_num(@key[pos, pgy_len])
  pos += pgy_len
  y = RR::get_num(@key[pos, pgy_len])
  pos += pgy_len
  @key_length = (pgy_len * 8)

  pkey = OpenSSL::PKey::DSA.new
  pkey.p = p
  pkey.q = q
  pkey.g = g
  pkey.pub_key = y

  pkey
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 125
def flags=(f)
  # Only three values allowed -
  # Zone Key flag (bit 7)
  # Secure Entry Point flag (bit 15)
  # Revoked bit (bit 8) - RFC 5011
  if ((f & ~ZONE_KEY & ~SEP_KEY & ~REVOKED_KEY) > 0)
    TheLog.info("DNSKEY: Only zone key, secure entry point and revoked flags allowed for DNSKEY" +
      " (RFC4034 section 2.1.1) : #{f} entered as input")
  end

  @flags = f
  get_new_key_tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 165
def from_string(input)
  if (input.length > 0)
    @make_new_key_tag = false
    data = input.split(" ")
    self.flags=(data[0].to_i)
    self.protocol=(data[1].to_i)
    self.algorithm=(data[2])
    # key can include whitespace - include all text
    # until we come to " )" at the end, and then gsub
    # the white space out
    # Also, brackets may or may not be present
    # Not to mention comments! ";"
    buf = ""
    index = 3
    end_index = data.length - 1
    if (data[index]=="(")
      end_index = data.length - 2
      index = 4
    end
    (index..end_index).each {|i|
      if (comment_index = data[i].index(";"))
        buf += data[i].slice(0, comment_index)
        # @TODO@ We lose the comments here - we should really keep them for when we write back to string format?
        break
      else
        buf += data[i]
      end
    }
    self.key=(buf)
    @make_new_key_tag = true
    get_new_key_tag
  end
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 252
def generate_key_tag(rdata, algorithm)
  tag=0
  if (algorithm == Algorithms.RSAMD5)
    #The key tag for algorithm 1 (RSA/MD5) is defined differently from the
    #key tag for all other algorithms, for historical reasons.
    d1 = rdata[rdata.length - 3]
    d2 = rdata[rdata.length - 2]
    d1 = d1.getbyte(0) if d1.class == String # Ruby 1.9: String#[] returns a one-character String
    d2 = d2.getbyte(0) if d2.class == String # Ruby 1.9
    tag = ((d1 & 0xFF) << 8) + (d2 & 0xFF)
  else
    # RFC4034 Appendix B: sum the RDATA as 16-bit words, then fold the carry back in
    tag = 0
    0.step(rdata.length - 1, 2) {|i|
      d1 = rdata[i]
      d2 = rdata[i + 1] || 0 # odd number of bytes possible: the last byte is the high byte

      d1 = d1.getbyte(0) if d1.class == String # Ruby 1.9
      d2 = d2.getbyte(0) if d2.class == String # Ruby 1.9

      d1 = d1 & 0xFF
      d2 = d2 & 0xFF

      tag += ((d1 << 8) + d2)
    }
    tag += ((tag >> 16) & 0xFFFF)
  end
  tag=tag&0xFFFF
  return tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 233
def get_new_key_tag
  if (@make_new_key_tag)
    rdata = MessageEncoder.new {|msg|
      encode_rdata(msg)
    }.to_s
    tag = generate_key_tag(rdata, @algorithm)
    @key_tag = tag
  end
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 53
def init_defaults
  @make_new_key_tag = false
  self.protocol=3
  self.flags=ZONE_KEY
  @algorithm=Algorithms.RSASHA1
  @public_key = nil
  @key_tag = nil
  @make_new_key_tag = true
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 293
def key=(key_text)
  begin
    key_text.gsub!(/\n/, "")
    key_text.gsub!(/ /, "")
    # @key=Base64.decode64(key_text)
    @key=key_text.unpack("m*")[0]
    public_key
    get_new_key_tag
  rescue Exception
    raise ArgumentError.new("Key #{key_text} invalid")
  end
end
Return the tag for this key.
# File lib/Dnsruby/resource/DNSKEY.rb, line 244
def key_tag
  if (!@key_tag)
    @make_new_key_tag = true
    get_new_key_tag
  end
  return @key_tag
end
Return the key tag this key would have had before it was revoked. If the key is not revoked, then the current key_tag will be returned.
# File lib/Dnsruby/resource/DNSKEY.rb, line 224
def key_tag_pre_revoked
  if (!revoked?)
    return key_tag
  end
  new_key = clone
  new_key.revoked = false
  return new_key.key_tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 63
def protocol=(p)
  if (p!=3)
    raise DecodeError.new("DNSKEY protocol field set to #{p}, contrary to RFC4034 section 2.1.2")
  else @protocol = p
  end
  get_new_key_tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 306
def public_key
  if (!@public_key)
    if [Algorithms.RSASHA1,
        Algorithms.RSASHA256,
        Algorithms.RSASHA512,
        Algorithms.RSASHA1_NSEC3_SHA1].include?(@algorithm)
      @public_key = rsa_key
    elsif [Algorithms.DSA,
        Algorithms.DSA_NSEC3_SHA1].include?(@algorithm)
      @public_key = dsa_key
    end
  end
  # @TODO@ Support other key encodings!
  return @public_key
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 86
def revoked=(on)
  if (on)
    @flags |= REVOKED_KEY
  else
    @flags &= (~REVOKED_KEY)
  end
  get_new_key_tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 95
def revoked?
  return ((@flags & REVOKED_KEY) > 0)
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 322
def rsa_key
  # RFC 3110 encoding: the exponent length is one byte, or, if that byte
  # is zero, the following two bytes (high byte first); the modulus is the rest
  exponentLength = @key[0]
  if (exponentLength.class == String)
    exponentLength = exponentLength.getbyte(0) # Ruby 1.9
  end
  pos = 1
  if (exponentLength == 0)
    key1 = @key[1]
    key2 = @key[2]
    if (key1.class == String) # Ruby 1.9
      key1 = key1.getbyte(0)
      key2 = key2.getbyte(0)
    end
    exponentLength = (key1<<8) + key2 # two-byte length; the original added key1 to itself here
    pos += 2
  end
  exponent = RR::get_num(@key[pos, exponentLength])
  pos += exponentLength

  modulus = RR::get_num(@key[pos, @key.length])
  @key_length = (@key.length - pos) * 8

  pkey = OpenSSL::PKey::RSA.new
  pkey.e = exponent
  pkey.n = modulus
  return pkey
end
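As an added, standalone example (not Dnsruby's own code), the following Ruby reproduces what from_string, generate_key_tag and rsa_key do: it parses a DNSKEY presentation record, computes the RFC4034 Appendix B key tag (and shows how setting the revoked bit changes it, which is why key_tag_pre_revoked exists), and unpacks the RFC 3110 RSA encoding including the two-byte exponent-length form. The flag values are the RFC bit assignments; the key bytes and the record are constructed placeholders, not a real key.

```ruby
# Added example, not Dnsruby code. Flag values are the RFC4034 / RFC 5011 bit assignments.
ZONE_KEY    = 256  # bit 7
REVOKED_KEY = 128  # bit 8 (RFC 5011)
SEP_KEY     = 1    # bit 15

# Parse "flags protocol algorithm base64key"; parentheses and a trailing ";" comment are
# tolerated as in zone files, and whitespace inside the base64 text is ignored.
def parse_dnskey(text)
  flags, protocol, algorithm, *key_parts = text.split(";").first.split - ["(", ")"]
  raise ArgumentError, "protocol must be 3 (RFC4034 section 2.1.2)" unless protocol.to_i == 3
  { flags: flags.to_i, protocol: 3, algorithm: algorithm.to_i, key: key_parts.join.unpack1("m") }
end

# RDATA wire form: flags (2 bytes) | protocol (1) | algorithm (1) | public key.
def dnskey_rdata(rr)
  [rr[:flags], rr[:protocol], rr[:algorithm]].pack("nCC") + rr[:key]
end

# RFC4034 Appendix B key tag for every algorithm except RSAMD5: sum the RDATA as
# big-endian 16-bit words (an odd trailing byte counts as a high byte), fold in the carry.
def key_tag(rdata)
  sum = rdata.bytes.each_slice(2).sum { |hi, lo| (hi << 8) + (lo || 0) }
  (sum + (sum >> 16)) & 0xFFFF
end

# RFC 3110 RSA public key: the exponent length is one byte, or the next two bytes
# (high byte first) when that byte is zero; everything after the exponent is the modulus.
def rsa_public_key(key)
  len = key.getbyte(0)
  pos = 1
  if len == 0
    len = (key.getbyte(1) << 8) + key.getbyte(2)
    pos = 3
  end
  e = key[pos, len].unpack1("H*").to_i(16)
  n = key[pos + len, key.bytesize].unpack1("H*").to_i(16)
  [e, n]
end

# Constructed sample (not a real key): exponent 65537, 4-byte placeholder modulus 0xC1020304,
# flags 257 = ZONE_KEY | SEP_KEY, algorithm 8 (RSASHA256).
SAMPLE_KEY_BYTES = [0x03, 0x01, 0x00, 0x01, 0xC1, 0x02, 0x03, 0x04].pack("C*")
SAMPLE_DNSKEY    = "257 3 8 ( #{[SAMPLE_KEY_BYTES].pack('m0')} ) ; constructed"

# Key tags before and after setting the revoked bit, the pair key_tag_pre_revoked relates.
def tags_with_and_without_revoke(text)
  rr = parse_dnskey(text)
  [key_tag(dnskey_rdata(rr)), key_tag(dnskey_rdata(rr.merge(flags: rr[:flags] | REVOKED_KEY)))]
end
```

A validator that looks a trust anchor up by its pre-revocation tag needs the first value of the pair; the second is what the revoked key advertises on the wire.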
# File lib/Dnsruby/resource/DNSKEY.rb, line 112
def sep_key=(on)
  if (on)
    @flags |= SEP_KEY
  else
    @flags &= (~SEP_KEY)
  end
  get_new_key_tag
end
# File lib/Dnsruby/resource/DNSKEY.rb, line 121
def sep_key?
  return ((@flags & SEP_KEY) > 0)
end
Generated with the Darkfish Rdoc Generator 1.1.6.