-
Notifications
You must be signed in to change notification settings - Fork 78
/
EXAMPLES
109 lines (93 loc) · 4.39 KB
/
EXAMPLES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# This file shows how to do common tasks with Dnsruby :
require 'rubygems'
require 'dnsruby'
include Dnsruby
# Use the system configured nameservers to run a query
res = Resolver.new
ret = res.query("example.com") # Defaults to A record
a_recs = ret.answer.rrset("A")
# Use a defined nameserver to run an asynchronous query
# with no recursion
res = Resolver.new({:nameserver => ["a.iana-servers.net",
"b.iana-servers.net"]})
queue = Queue.new
m = Message.new("example.com", Types.NS)
m.header.rd = false
res.send_async(m, queue, 1)
# ... do some other stuff ...
id, reply, error = queue.pop
if (error)
print "Error : #{error}\n"
else
# See where the answer came from
print "Got response from : #{reply.answerfrom}, #{reply.answerip}\n"
end
# Use a Recursor to recursively query authoritative nameservers,
# starting from the root. Note that a cache of authoritative servers
# is built up for use by future queries by any Recursors.
rec = Recursor.new
ret = rec.query("uk-dnssec.nic.uk", "NS")
# Ask Dnsruby to send the query without using the cache.
m.do_caching = false
ret = res.send_message(m)
# Ask Dnsruby to send a Message without doing any pre- or post-processing
ret = res.send_plain_message(Message.new("example.com"))
# Send a TSIG signed dynamic update to a resolver
# and verify the response
res = Dnsruby::Resolver.new("ns0.validation-test-servers.nominet.org.uk")
res.dnssec = false
tsig = Dnsruby::RR.create({
:name => "rubytsig",
:type => "TSIG",
:ttl => 0,
:klass => "ANY",
:algorithm => "hmac-md5",
:fudge => 300,
:key => "8n6gugn4aJ7MazyNlMccGKH1WxD2B3UvN/O/RA6iBupO2/03u9CTa3Ewz3gBWTSBCH3crY4Kk+tigNdeJBAvrw==",
:error => 0
})
update = Dnsruby::Update.new("validation-test-servers.nominet.org.uk")
# ... add stuff to the update
update.absent("notthere.update.validation-test-servers.nominet.org.uk", 'TXT')
tsig.apply(update)
response = res.send_message(update)
print "TSIG response was verified? : #{response.verified?}\n"
#
# DNSSEC stuff
#
# Load the ISC DLV key and query some signed zones
dlv_key = RR.create("dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh")
Dnssec.add_dlv_key(dlv_key)
res = Recursor.new
ret = res.query("frobbit.se", "NS")
print "Security level for signed zone from DLV : #{ret.security_level}\n"
frobbit_servers = ret.answer.rrset("frobbit.se", Types.NS)
# and query for a zone which is not signed
r = Resolver.new
ret = r.query("ed.ac.uk")
print "Security level of unsigned zone : #{ret.security_level}\n"
res = Resolver.new
frobbit_servers.rrs.each {|s| print "Adding nameserver : #{s.nsdname}\n"; res.add_server(s.nsdname)}
# and some non-existent domains in signed ones
res.send_async(Message.new("notthere.frobbit.se"), queue, 2)
id, reply, error = queue.pop
print "Error returned from non-existent name in signed zone : #{error}, security level : #{reply.security_level}\n"
# Clear the keys and caches
Dnsruby::Dnssec.clear_trusted_keys
Dnsruby::Dnssec.clear_trust_anchors
Dnsruby::PacketSender.clear_caches
Dnsruby::Recursor.clear_caches
# Load a specific trust anchor and query some signed zones
trusted_key = Dnsruby::RR.create({:name => "uk-dnssec.nic.uk.",
:type => Dnsruby::Types.DNSKEY,
:flags => 257,
:protocol => 3,
:algorithm => 5,
:key=> "AQPJO6LjrCHhzSF9PIVV7YoQ8iE31FXvghx+14E+jsv4uWJR9jLrxMYm sFOGAKWhiis832ISbPTYtF8sxbNVEotgf9eePruAFPIg6ZixG4yMO9XG LXmcKTQ/cVudqkU00V7M0cUzsYrhc4gPH/NKfQJBC5dbBkbIXJkksPLv Fe8lReKYqocYP6Bng1eBTtkA+N+6mSXzCwSApbNysFnm6yfQwtKlr75p m+pd0/Um+uBkR4nJQGYNt0mPuw4QVBu1TfF5mQYIFoDYASLiDQpvNRN3 US0U5DEG9mARulKSSw448urHvOBwT9Gx5qF2NE4H9ySjOdftjpj62kjb Lmc8/v+z"
})
Dnssec.add_trust_anchor(trusted_key)
res = Dnsruby::Resolver.new("dnssec.nominet.org.uk")
r = res.query("aaa.bigzone.uk-dnssec.nic.uk", Dnsruby::Types.DNSKEY)
print "Security level of signed zone under manually install trusted key : #{r.security_level}\n"
# See if we are using a Recursor for DNSSEC queries
print "Using recursion to validate DNSSEC responses? : #{Dnssec.do_validation_with_recursor?}\n"