Net::DNS::SEC - DNSSEC extensions to Net::DNS
=============================================
IMPORTANT UPGRADE NOTE.
Please always read the Changes file. It is accessible
through: http://search.cpan.org/src/OLAF/Net-DNS-SEC/Changes
1. GENERAL INFO.
This module implements DNS Resource Record types that are relevant
for DNSSEC operations. This package implements RFC4034
"Resource Records for the DNS Security Extensions" and RFC2931 "DNS
Request and Transaction Signatures ( SIG(0)s )"
RFC 3225 (Indicating Resolver Support of DNSSEC) support has been
is available Net::DNS.
The extensions provide the following additional features on top of
the Net::DNS package (http://www.net-dns.org/).
- DS, RRSIG, DNSKEY and NSEC records. These are all implemented as RR
objects. The cryptography has been implemented using
Crypt::OpenSSL::DSA, Crypt::OpenSSL::RSA and related modules.
The reason for not making these RRs a part of the regular Net::DNS
distribution is that they rely on crypto modules that do not easily
port.
The DNSSEC protocol is a moving target. Follow the IETF DNSEXT working
group if you are interested in the protocol developments. We try to
keep the code in sync with the development.
Also see the 'pod' documentation in:
Net::DNS::RR::DNSKEY
Net::DNS::RR::RRSIG
Net::DNS::SEC::Private
Net::DNS::RR::NSEC
Net::DNS::RR::DS
and for the use of SIG0 see:
Net::DNS::Packet (sign_sig0)
Net::DNS::RR::SIG
Net::DNS::SEC::Private
Net::DNS::RR::KEY
On top of the RR classes defined above we also provide a class for
handling keysets. Keysets are administrative files used by the BIND
tools for keymaintenance tasks. Net::DNS::Keyset provides an abstract
interface for doing fun things with them.
2. Dependencies
This package relies on Net-DNS version 0.27 or higher (also see CHANGES).
since that contains a number of place holders for
Net::DNS::SEC functionality.
Among other straightforward routines you will need to have
Crypt::OpenSSL::DSA and Crypt::OpenSSL::RSA installed.
The package was initially developed on FreeBSD 4.5 with perl5.6.1,
as of version 0.11 development and testing where done on
MacOS 10.2.6 with perl, v5.8.0 built for darwin.
3. Install
Use CPAN.
perl -MCPAN -e shell;
cpan> install Net::DNS::SEC
Alternatively install this package manually:
tar -xvzf Net-DNS-SEC-??.tar.gz
cd Net-DNS-SEC-??.tar.gz
perl Makefile.PL
make
make test
make install
'perl Makefile.PL' will test if all dependencies are in place.
'make test' will do some tests that should all succeed once all
dependencies are satisfied. Please report failures during the test
phase.
4. Maintenance
Please use the CPAN request tracker if you find bugs in the
extensions or have DNSSEC feature request. The request tracker is
available through:
https://rt.cpan.org/NoAuth/ReportBug.html?Queue=Net-DNS-SEC
Net::DNS contains a number of hooks for Net::DNS::SEC in the
Net::DNS package. If you have problems with Net::DNS in general see:
http://www.net-dns.org/
A snapshot of the development code is available through subversion:
http://www.net-dns.org/svn/net-dns-sec/trunk
Note that the code on the trunk may not be functional.
5. Staying up to date.
Announcements about Net::DNS::SEC will be done on
http://www.net-dns.net/blog/. An RSS feed is available.
6. Demos
demo/getkeyset.pl - is a small demonstration program that will get
fetch the keyset for a specified domain, stores
them and prints out the DS RRs to STD out.
demo/make-signed-keyset - A script contributed by Wes Griffin creates
a self-signed keyset from a BIND public key file
specified on the command line.
demo/key2ds - reads the key data from STDIN and print the
corresponding DS record on STDOUT. Contributed by
Miek Gieben
7. History
The modules in this package have somewhat of a history as a set of
patches to the original Net::DNS package.
Version 0.02 is the first distribution of the DNSSEC security
for CPAN. See the Changes file for more information.
8. Acknowledgements
Thanks to the numerous folk that took an interest during
development. People that contributed to bug fixes should be
acknowledged in the Changes file. If I forgot to mention you there
it is not out of bad intention.
Thanks to Chris Reinardt for putting the hooks in Net::DNS and suggesting
some improvements to the package.
Thanks Ian Robertson and T.J. Mather for their support with the
Crypt::OpenSSL::[RSA|DSA] modules.
9. Author information
Olaf M. Kolkman, RIPE NCC.
support: olaf@net-dns.org
10. COPYRIGHT
Copyright Notice and Disclaimer
Copyright (c) 2001-2005 RIPE NCC. Author Olaf M. Kolkman
<net-dns-sec@ripe.net>
All Rights Reserved
Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of the author not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission.
THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING
ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO EVENT SHALL
AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Based on, and contains, code by Copyright (c) 1997-2001 Michael Fuhr.
------------------------------------------------------------------------------
$Id: README 359 2005-06-06 13:54:18Z olaf $