dnssec (dns_erlang v5.0.11)


The dnssec module exports functions used for generating NSEC/NSEC3 records, signing and verifying RRSIGs, and adding keytags to DNSKEY records.

For example, the sign_rr/6 function can be given a list of resource records, the signer name, key tag, signing algorithm, private key and a map of options, and it returns a list of RRSIG records. Supported signing algorithms include DSA, RSA (SHA-1/SHA-256/SHA-512), ECDSA (P-256/P-384), Ed25519 and Ed448. Note that RFC 8624 lists DSA as MUST NOT and RSA/SHA-1 as NOT RECOMMENDED for signing; prefer RSA/SHA-256, ECDSA or EdDSA for newly signed zones.

Summary

Types

DNSKEY resource record data.

DS (Delegation Signer) resource record data.

Cryptographic key material for signing or verification.

DNSKEY key tag (RFC 4034 Appendix B).

NSEC3 resource record data.

NSEC3 hash algorithm identifier (currently only SHA-1).

Custom hash function for use with ih/4.

NSEC3 iteration count.

NSEC3 salt value.

NSEC resource record data.

RRSIG resource record data.

DNSSEC signing algorithm identifier.

Functions

Generates and appends a CDNSKEY record's key tag.

Generates and appends a DNSKEY record's key tag.

Converts a resource record data record to DNSSEC canonical form.

Generate NSEC3 records from a list of dns:rr/0.

Generate NSEC records from a list of dns:rr/0.

Generate NSEC records.

NSEC3 iterative hash function.

Signs a list of dns:rr/0 of the same class and type.

Provides primitive verification of an RR set against the given records; it does not by itself establish a chain of trust, which remains the caller's responsibility.

Types

dnskey()

-type dnskey() ::
          #dns_rrdata_dnskey{flags :: dns:uint16(),
                             protocol :: dns:uint8(),
                             alg :: dns:uint8(),
                             public_key :: iodata(),
                             keytag :: integer()}.

DNSKEY resource record data.

ds()

-type ds() ::
          #dns_rrdata_ds{keytag :: dns:uint16(),
                         alg :: dns:uint8(),
                         digest_type :: dns:uint8(),
                         digest :: binary()}.

DS (Delegation Signer) resource record data.

gen_nsec3_opts()

-type gen_nsec3_opts() :: gen_nsec_opts().

Options for gen_nsec3/2.

gen_nsec_opts()

-type gen_nsec_opts() :: #{base_types => [dns:type()]}.

Options for gen_nsec/4.

key()

-type key() :: [binary()] | binary().

Cryptographic key material for signing or verification.

keytag()

-type keytag() :: integer().

DNSKEY key tag (RFC 4034 Appendix B).

nsec3()

-type nsec3() ::
          #dns_rrdata_nsec3{hash_alg :: dns:uint8(),
                            opt_out :: boolean(),
                            iterations :: dns:uint16(),
                            salt :: binary(),
                            hash :: binary(),
                            types :: [non_neg_integer()]}.

NSEC3 resource record data.

nsec3_hashalg()

-type nsec3_hashalg() :: 1.

NSEC3 hash algorithm identifier (currently only SHA-1).

nsec3_hashalg_fun()

-type nsec3_hashalg_fun() :: fun((iodata()) -> binary()).

Custom hash function for use with ih/4.

nsec3_iterations()

-type nsec3_iterations() :: non_neg_integer().

NSEC3 iteration count (the number of additional hash iterations). High values add CPU cost for both signer and validator without a meaningful security benefit; RFC 9276 recommends a value of 0.

nsec3_salt()

-type nsec3_salt() :: binary().

NSEC3 salt value. RFC 9276 recommends an empty salt.

nsec()

-type nsec() :: #dns_rrdata_nsec{next_dname :: dns:dname(), types :: [non_neg_integer()]}.

NSEC resource record data.

rrsig()

-type rrsig() ::
          #dns_rrdata_rrsig{type_covered :: dns:uint16(),
                            alg :: 3 | 5 | 6 | 7 | 8 | 10 | 13 | 14 | 15 | 16,
                            labels :: dns:uint8(),
                            original_ttl :: dns:uint32(),
                            expiration :: dns:uint32(),
                            inception :: dns:uint32(),
                            keytag :: dns:uint16(),
                            signers_name :: dns:dname(),
                            signature :: binary()}.

RRSIG resource record data.

sigalg()

-type sigalg() :: 3 | 6 | 5 | 7 | 8 | 10 | 13 | 14 | 15 | 16.

DNSSEC signing algorithm identifier.

Unlike dns:alg/0, this type is restricted to algorithms valid for zone signing.

sign_rr_opts()

-type sign_rr_opts() :: #{inception => dns:unix_time(), expiration => dns:unix_time()}.

Options for sign_rr/6 and sign_rrset/6.

verify_rrsig_opts()

-type verify_rrsig_opts() :: #{now => dns:unix_time()}.

Options for verify_rrsig/4.

Functions

add_keytag_to_cdnskey/1

-spec add_keytag_to_cdnskey(dns:rr()) -> dns:rr().

Generates and appends a CDNSKEY record's key tag.

add_keytag_to_dnskey/1

-spec add_keytag_to_dnskey(dns:rr()) -> dns:rr().

Generates and appends a DNSKEY record's key tag.

canonical_rrdata_form/1

-spec canonical_rrdata_form(dns:rrdata()) -> dns:rrdata().

Converts a resource record data record to DNSSEC canonical form.

gen_nsec3(RRs)

-spec gen_nsec3([dns:rr()]) -> [dns:rr()].

Equivalent to gen_nsec3(RRs, #{}).

gen_nsec3(RRs, Opts)

-spec gen_nsec3([dns:rr()], gen_nsec3_opts()) -> [dns:rr()].

Generate NSEC3 records from a list of dns:rr/0.

The list must contain a SOA dns:rr/0, from which the zone name and TTL are taken, as well as an NSEC3PARAM dns:rr/0, from which the hash algorithm, iterations and salt are taken.

gen_nsec(RR)

-spec gen_nsec([dns:rr()]) -> [dns:rr()].

Generate NSEC records from a list of dns:rr/0.

The list must contain a SOA dns:rr/0, which is used to determine the zone name and TTL.

gen_nsec(ZoneName, RR, TTL)

-spec gen_nsec(dns:dname(), [dns:rr()], dns:ttl()) -> [dns:rr()].

Equivalent to gen_nsec(ZoneName, RR, TTL, #{}).

gen_nsec(ZoneNameM, RR, TTL, Opts)

-spec gen_nsec(dns:dname(), [dns:rr()], dns:ttl(), gen_nsec_opts()) -> [dns:rr()].

Generate NSEC records.

ih/4

NSEC3 iterative hash function (the iterated hash calculation of RFC 5155, Section 5).

sign_rr(RR, SignerName, KeyTag, Alg, Key)

-spec sign_rr([dns:rr()], dns:dname(), keytag(), sigalg(), key()) -> [dns:rr()].

Equivalent to sign_rr(RR, SignerName, KeyTag, Alg, Key, []). (Note: sign_rr_opts/0 is declared as a map, so the empty-list default shown here and for sign_rrset/5 appears inconsistent with that spec; confirm against the source.)

sign_rr(RR, SignerName, KeyTag, Alg, Key, Opts)

-spec sign_rr([dns:rr()], dns:dname(), keytag(), sigalg(), key(), sign_rr_opts()) -> [dns:rr()].

Signs a list of dns:rr/0.

sign_rrset(RRSet, SignerName, KeyTag, Alg, Key)

-spec sign_rrset([dns:rr(), ...], dns:dname(), keytag(), sigalg(), key()) -> dns:rr().

Equivalent to sign_rrset(RRSet, SignerName, KeyTag, Alg, Key, []).

sign_rrset/6

-spec sign_rrset([dns:rr(), ...], dns:dname(), keytag(), sigalg(), key(), sign_rr_opts()) -> dns:rr().

Signs a list of dns:rr/0 of the same class and type.

verify_rrsig/4

-spec verify_rrsig(dns:rr(), [dns:rr()], [dns:rr()], verify_rrsig_opts()) -> boolean().

Provides primitive verification of an RR set against the given records; it does not by itself establish a chain of trust, which remains the caller's responsibility.