You want to use TSIG to sign a query or a dynamic update in Perl.
After you've used Net::DNS to create a query or an update to send, use the sign_tsig method to sign the query or update using that key. sign_tsig takes a key name and the base 64 encoding of the key's data as arguments. For example, to sign the update in the script in Section 9.10, you could replace this line of the script:
my $reply = $res->send($update);
With these lines:
$update->sign_tsig("update.key", "oyyvQvT0BTIcw7vvqvIJaQ=="); my $reply = $res->send($update);
You can also use TSIG to sign queries. Since the Net::DNS resolver's axfr method doesn't give you access to the query message, you must configure the resolver to sign all queries using the key before sending the AXFR query, rather than signing just the query. Here's a modified snippet of the script in Recipe Section 9.9 that shows one way to do that:
$tsig = Net::DNS::RR->new("tsig.key TSIG oyyvQvT0BTIcw7vvqvIJaQ=="); $res->tsig($tsig); # Transfer the zone my @zone = $res->axfr($ARGV);
Remember that the key's name and data must match in the script and on the name server that receives the query or update, and that the clocks on the sender of the message and on the name server that receives it must be synchronized within a few minutes of each other.
9.11.4 See Also
Section 7.10 for instructions on configuring a TSIG key, Section 7.11 for instructions on securing zone transfers with TSIG, and Section 3.11 for securing dynamic updates with update-policy.
BIND Name Server Configuration
BIND Name Server Operations
Delegation and Registration
Interoperability and Upgrading
Resolvers and Programming
Logging and Troubleshooting