9.11.1 Problem
You want to use TSIG to sign a query or a dynamic update in Perl.
9.11.2 Solution
After you've used Net::DNS to create a query or an update to send, use the sign_tsig method to sign it with a TSIG key. sign_tsig takes the key's name and the Base64 encoding of the key's data as arguments. For example, to sign the update in the script in Section 9.10, you could replace this line of the script:
my $reply = $res->send($update);
With these lines:
$update->sign_tsig("update.key", "oyyvQvT0BTIcw7vvqvIJaQ==");
my $reply = $res->send($update);
You can also use TSIG to sign queries. Since the Net::DNS resolver's axfr method doesn't give you access to the query message, you can't sign just that one query; instead, you must configure the resolver to sign all queries using the key before sending the AXFR query. Here's a modified snippet of the script in Section 9.9 that shows one way to do that:
my $tsig = Net::DNS::RR->new("tsig.key TSIG oyyvQvT0BTIcw7vvqvIJaQ==");
$res->tsig($tsig);
# Transfer the zone
my @zone = $res->axfr($ARGV[0]);
9.11.3 Discussion
Remember that the key's name and data must match in the script and on the name server that receives the query or update, and that the clocks on the sender of the message and on the name server that receives it must be synchronized within a few minutes of each other.
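One way to keep the key's name and data in the script identical to the name server's copy is to read both from the same key clause the server uses, instead of typing them into the script. The script below is an added example, not code from the original recipe; the key file path, zone, server address and record are hypothetical, and it assumes the file holds a single BIND key clause.

```perl
#!/usr/bin/perl
# Added example (not from the original recipe). The key file path, zone,
# server address and record below are hypothetical placeholders.
use strict;
use warnings;
use Net::DNS;

my $keyfile = "/etc/named.keys/update.key.conf";   # hypothetical path
my $zone    = "example.com";                       # hypothetical zone
my $server  = "192.0.2.1";                         # hypothetical name server

# Refuse a key file that group or others can access: the TSIG key is a
# shared secret, and anyone who can read it can sign updates.
my @st = stat($keyfile) or die "Cannot stat $keyfile: $!\n";
die "$keyfile must not be accessible by group or others\n" if $st[2] & 077;

# Pull the key name and secret out of a BIND key clause, e.g.
#   key update.key { algorithm hmac-md5; secret "..."; };
open(my $fh, "<", $keyfile) or die "Cannot open $keyfile: $!\n";
my $conf = do { local $/; <$fh> };
close($fh);
my ($name, $secret) =
    $conf =~ /key\s+"?([^\s"{]+)"?\s*\{.*?secret\s+"([A-Za-z0-9+\/=]+)"\s*;/s
    or die "No key clause found in $keyfile\n";

my $res = Net::DNS::Resolver->new;
$res->nameservers($server);

my $update = Net::DNS::Update->new($zone);
$update->push(update => rr_add("host.$zone 3600 A 192.0.2.10"));
$update->sign_tsig($name, $secret);

my $reply = $res->send($update)
    or die "No reply: ", $res->errorstring, "\n";

my $rcode = $reply->header->rcode;
if ($rcode eq "NOERROR") {
    print "Update signed with $name succeeded\n";
} elsif ($rcode eq "NOTAUTH") {
    # NOTAUTH: the server is not authoritative for the zone, or it could
    # not verify the TSIG (RFC 2845: unknown key, bad signature, bad time).
    die "NOTAUTH: check that the key name and data match the server "
      . "and that the clocks are synchronized\n";
} else {
    die "Update failed: $rcode\n";
}
```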
9.11.4 See Also
Section 7.10 for instructions on configuring a TSIG key, Section 7.11 for instructions on securing zone transfers with TSIG, and Section 3.11 for securing dynamic updates with update-policy.