dnssec (dns_erlang v4.2.0)
The dnssec module exports functions used for generating NSEC and NSEC3 records,
signing and verifying RRSIGs, and adding key tags to DNSKEY records.
For example, the sign_rr/6 function can be given a collection of resource records,
the signer name, key tag, signing algorithm, private key, and a map of options,
and it will return a list of RRSIG records. Only the DSA and RSA algorithm numbers
listed in sigalg/0 are supported for signing RRsets.
Summary

Functions

Generates and appends a DNSKEY record's key tag.
canonical_rrdata_form/1: Converts a resource record data record to DNSSEC canonical form.
gen_nsec3/1: Equivalent to gen_nsec3(RRs, #{}).
gen_nsec3/2: Generate NSEC3 records from a list of dns:rr/0.
gen_nsec/1: Generate NSEC records from a list of dns:rr/0.
gen_nsec/3: Equivalent to gen_nsec(ZoneName, RR, TTL, #{}).
gen_nsec/4: Generate NSEC records.
ih/4: NSEC3 iterative hash function.
sign_rr/5: Equivalent to sign_rr(RR, SignerName, KeyTag, Alg, Key, #{}).
sign_rr/6: Signs a list of dns:rr/0.
sign_rrset/5: Equivalent to sign_rrset(RRSet, SignerName, KeyTag, Alg, Key, #{}).
sign_rrset/6: Signs a list of dns:rr/0 of the same class and type.
verify_rrsig/4: Provides primitive verification of an RR set.
Types
-type gen_nsec3_opts() :: gen_nsec_opts().
-type gen_nsec_opts() :: #{base_types => [dns:type()]}.
-type key() :: [binary()].
-type keytag() :: integer().
-type nsec3_hashalg() :: 1.
-type nsec3_iterations() :: non_neg_integer().
-type nsec3_salt() :: binary().
-type sigalg() :: 3 | 6 | 5 | 7 | 8 | 10.
-type sign_rr_opts() :: #{inception => dns:unix_time(), expiration => dns:unix_time()}.
-type verify_rrsig_opts() :: #{now => dns:unix_time()}.
Functions

Generates and appends a DNSKEY record's key tag.

-spec canonical_rrdata_form(dns:rrdata()) -> dns:rrdata().
Converts a resource record data record to DNSSEC canonical form (RFC 4034 section 6.2: domain names embedded in the RDATA are lowercased so that signing and verification operate on the same bytes regardless of the case in which the record was loaded).

gen_nsec3/1
Equivalent to gen_nsec3(RRs, #{}).

-spec gen_nsec3([dns:rr()], gen_nsec3_opts()) -> [dns:rr()].
Generate NSEC3 records from a list of dns:rr/0. The list must contain a SOA dns:rr/0 to source the zone name and TTL from, as well as an NSEC3PARAM dns:rr/0 to source the hash algorithm, iterations and salt from.

gen_nsec/1
Generate NSEC records from a list of dns:rr/0. The list must contain a SOA dns:rr/0, which is used to determine the zone name and TTL.

gen_nsec/3
Equivalent to gen_nsec(ZoneName, RR, TTL, #{}).

-spec gen_nsec(dns:dname(), [dns:rr()], dns:ttl(), gen_nsec_opts()) -> [dns:rr()].
Generate NSEC records for the records in RR, for the zone ZoneName, with the given TTL. The only option is base_types, a list of dns:type/0.
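The following is an added example, not code from dns_erlang: it builds a small constructed zone, generates its NSEC chain with gen_nsec/1, and checks the property a server relies on for authenticated denial of existence, namely that following next_dname from the apex visits every owner name once and returns to the apex, and that the type bitmap of an owner lists the types that exist there and omits the ones that do not. The include path, the record names (#dns_rr{}, #dns_rrdata_soa{}, #dns_rrdata_ns{}, #dns_rrdata_a{}, #dns_rrdata_aaaa{}, #dns_rrdata_nsec{} with next_dname and types) and the ?DNS_* macros are assumed to be those shipped in dns_erlang's dns.hrl; the module and function names are the example's own.

```erlang
%% Added example (not part of dns_erlang). Assumes dns_erlang's record
%% definitions and ?DNS_* constants are available via this include.
-module(nsec_chain_example).
-export([chain_closed/0]).

-include_lib("dns_erlang/include/dns.hrl").

chain_closed() ->
    Zone = <<"example.com">>,
    RR = fun(Name, Type, Data) ->
             #dns_rr{name = Name, class = ?DNS_CLASS_IN, type = Type, ttl = 300, data = Data}
         end,
    %% Constructed zone data. gen_nsec/1 reads the zone name and NSEC TTL from the SOA.
    Records =
        [RR(Zone, ?DNS_TYPE_SOA,
            #dns_rrdata_soa{mname = <<"ns1.example.com">>, rname = <<"hostmaster.example.com">>,
                            serial = 2024010101, refresh = 7200, retry = 3600,
                            expire = 1209600, minimum = 300}),
         RR(Zone, ?DNS_TYPE_NS, #dns_rrdata_ns{dname = <<"ns1.example.com">>}),
         RR(<<"ns1.example.com">>, ?DNS_TYPE_A, #dns_rrdata_a{ip = {192,0,2,53}}),
         RR(<<"www.example.com">>, ?DNS_TYPE_A, #dns_rrdata_a{ip = {192,0,2,1}}),
         RR(<<"www.example.com">>, ?DNS_TYPE_AAAA,
            #dns_rrdata_aaaa{ip = {16#2001,16#db8,0,0,0,0,0,1}})],
    NSECs = dnssec:gen_nsec(Records),

    %% Owner -> {next owner, asserted types}. Names are lowercased because DNS
    %% names compare case-insensitively and the library may normalise them.
    Next = maps:from_list(
             [{lower(Name), {lower(NextName), Types}}
              || #dns_rr{name = Name, type = ?DNS_TYPE_NSEC,
                         data = #dns_rrdata_nsec{next_dname = NextName, types = Types}} <- NSECs]),
    Owners = lists:usort([lower(Name) || #dns_rr{name = Name} <- Records]),
    Apex = lower(Zone),

    %% Walk exactly one hop per owner: a closed chain lands back on the apex and
    %% has visited every owner name once.
    {Visited, Landing} = walk(Apex, Next, [], length(Owners)),
    %% The www NSEC must prove A and AAAA exist and MX does not (NODATA answer).
    {_, WwwTypes} = maps:get(<<"www.example.com">>, Next),
    Landing =:= Apex
        andalso lists:usort(Visited) =:= Owners
        andalso lists:member(?DNS_TYPE_A, WwwTypes)
        andalso lists:member(?DNS_TYPE_AAAA, WwwTypes)
        andalso not lists:member(?DNS_TYPE_MX, WwwTypes).

%% Follow next_dname for Hops steps; a missing NSEC for a visited owner raises badkey.
walk(Current, _Next, Acc, 0) -> {lists:reverse(Acc), Current};
walk(Current, Next, Acc, Hops) ->
    {NextName, _Types} = maps:get(Current, Next),
    walk(NextName, Next, [Current | Acc], Hops - 1).

lower(Name) -> string:lowercase(Name).
```

A chain that does not return to the apex, or that skips an owner, would let a resolver accept a forged NXDOMAIN for a name that exists, which is why the walk checks both the landing point and the visited set rather than just counting records.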
-spec ih(nsec3_hashalg() | nsec3_hashalg_fun(), nsec3_salt(), binary(), nsec3_iterations()) -> binary().
NSEC3 iterative hash function (RFC 5155 section 5): hashes the third argument with the salt appended, then re-hashes the previous digest with the salt appended once per additional iteration. Hash algorithm 1 is SHA-1.

sign_rr/5
Equivalent to sign_rr(RR, SignerName, KeyTag, Alg, Key, #{}).

sign_rr/6
Signs a list of dns:rr/0, producing one RRSIG per RRset, and returns the RRSIG records as a list.

sign_rrset/5
Equivalent to sign_rrset(RRSet, SignerName, KeyTag, Alg, Key, #{}).

-spec sign_rrset([dns:rr(), ...], dns:dname(), keytag(), sigalg(), key(), sign_rr_opts()) -> dns:rr().
Signs a non-empty list of dns:rr/0 of the same class and type (one RRset) and returns a single RRSIG dns:rr/0. SignerName is the owner name of the signing DNSKEY, KeyTag its key tag and Alg its algorithm number; the inception and expiration options set the signature's validity window.

-spec verify_rrsig(dns:rr(), [dns:rr()], [dns:rr()], verify_rrsig_opts()) -> boolean().
Provides primitive verification of an RR set: checks the RRSIG given as the first argument over the RRset given as the second, using the DNSKEY records given as the third. The now option supplies the time used for the inception/expiration check. The verification is primitive in that it establishes no trust in the supplied DNSKEYs; chaining them to a trust anchor through DS records is the caller's responsibility.
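The following is an added example, not code from dns_erlang: it generates an RSA key pair, wraps the public half in a DNSKEY record, signs a two-record A RRset with sign_rrset/6 using algorithm 8 (RSASHA256, from sigalg/0) and then exercises verify_rrsig/4 on the valid case, an expired signature (via the now option) and a tampered RRset. Because the page does not show the name of the key-tag helper, the example computes the RFC 4034 appendix B key tag itself. Assumptions beyond what the page states: the include path and record names (#dns_rr{}, #dns_rrdata_a{}, #dns_rrdata_dnskey{} with a key_tag field) follow dns_erlang's dns.hrl; the private key is passed in the Erlang crypto module's [E, N, D] list-of-binaries form, and the DNSKEY public_key field holds [E, N] in the same form. The module and function names are the example's own.

```erlang
%% Added example (not part of dns_erlang). Assumes dns_erlang's records and
%% ?DNS_* constants come from this include, and that key()/public_key use the
%% crypto module's list-of-binaries key representation.
-module(dnssec_sign_example).
-export([run/0, keytag/1]).

-include_lib("dns_erlang/include/dns.hrl").
-include_lib("public_key/include/public_key.hrl").

-define(ALG_RSASHA256, 8).   % algorithm number listed in sigalg() (RFC 5702)

run() ->
    Zone = <<"example.com">>,
    %% Constructed 2048-bit RSA key pair; only for this example.
    #'RSAPrivateKey'{modulus = N, publicExponent = E, privateExponent = D} =
        public_key:generate_key({rsa, 2048, 65537}),
    [EBin, NBin, DBin] = [binary:encode_unsigned(X) || X <- [E, N, D]],
    PrivKey = [EBin, NBin, DBin],             % assumed key() layout: [E, N, D]

    %% Zone-signing key as a DNSKEY RR: flags 256 = zone key, protocol 3 (RFC 4034).
    KeyData0 = #dns_rrdata_dnskey{flags = 256, protocol = 3, alg = ?ALG_RSASHA256,
                                  public_key = [EBin, NBin]},
    KeyTag = keytag(KeyData0),
    DNSKey = #dns_rr{name = Zone, class = ?DNS_CLASS_IN, type = ?DNS_TYPE_DNSKEY,
                     ttl = 3600, data = KeyData0#dns_rrdata_dnskey{key_tag = KeyTag}},

    %% Constructed RRset: two A records sharing owner, class and type.
    RRSet = [#dns_rr{name = <<"www.example.com">>, class = ?DNS_CLASS_IN,
                     type = ?DNS_TYPE_A, ttl = 300, data = #dns_rrdata_a{ip = IP}}
             || IP <- [{192,0,2,1}, {192,0,2,2}]],

    Now = erlang:system_time(second),
    %% Validity window: backdate inception an hour to tolerate clock skew.
    Opts = #{inception => Now - 3600, expiration => Now + 7 * 86400},
    RRSig = dnssec:sign_rrset(RRSet, Zone, KeyTag, ?ALG_RSASHA256, PrivKey, Opts),

    %% Inside the window the signature verifies against the matching DNSKEY ...
    true  = dnssec:verify_rrsig(RRSig, RRSet, [DNSKey], #{now => Now}),
    %% ... the same signature is rejected once 'now' passes the expiration ...
    false = dnssec:verify_rrsig(RRSig, RRSet, [DNSKey], #{now => Now + 8 * 86400}),
    %% ... and rejected if any record in the set was altered after signing.
    [First | Others] = RRSet,
    Tampered = [First#dns_rr{data = #dns_rrdata_a{ip = {198,51,100,1}}} | Others],
    false = dnssec:verify_rrsig(RRSig, Tampered, [DNSKey], #{now => Now}),
    {ok, KeyTag}.

%% Key tag per RFC 4034 appendix B: sum of the wire-format DNSKEY RDATA taken as
%% 16-bit big-endian words, folded to 16 bits. Applies to every algorithm except 1.
keytag(#dns_rrdata_dnskey{flags = F, protocol = P, alg = A, public_key = [EBin, NBin]}) ->
    RData = <<F:16, P:8, A:8, (rsa_pubkey_wire(EBin, NBin))/binary>>,
    Ac = keytag_sum(RData, 0),
    (Ac + (Ac bsr 16)) band 16#FFFF.

keytag_sum(<<Hi, Lo, Rest/binary>>, Ac) -> keytag_sum(Rest, Ac + (Hi bsl 8) + Lo);
keytag_sum(<<Hi>>, Ac) -> Ac + (Hi bsl 8);
keytag_sum(<<>>, Ac) -> Ac.

%% RSA public key wire format (RFC 3110): exponent length (1 byte, or 0 plus
%% 2 bytes when 256 or longer), exponent, then modulus.
rsa_pubkey_wire(EBin, NBin) when byte_size(EBin) < 256 ->
    <<(byte_size(EBin)):8, EBin/binary, NBin/binary>>;
rsa_pubkey_wire(EBin, NBin) ->
    <<0, (byte_size(EBin)):16, EBin/binary, NBin/binary>>.
```

The expired and tampered checks are the ones worth keeping in a test suite: a verifier that ignores the now option, or that compares only the key tag without checking the signature bytes, passes the happy path and fails both of these.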