# This file shows how to do common tasks with Dnsruby :
require ‘rubygems’ require ‘dnsruby’ include Dnsruby
# Use the system configured nameservers to run a query res = Resolver.new ret = res.query(“example.com”) # Defaults to A record a_recs = ret.answer.rrset(“A”)
# Use a defined nameserver to run an asynchronous query # with no recursion res = Resolver.new(=> [“a.iana-servers.net”,
"b.iana-servers.net"])
queue = Queue.new m = Message.new(“example.com”, Types.NS) m.header.rd = false res.send_async(m, queue, 1) # … do some other stuff … id, reply, error = queue.pop if (error)
print "Error : #error\n"
else
# See where the answer came from
print "Got response from : #replyreply.answerfrom, #replyreply.answerip\n"
end
# Use a Recursor to recursively query authoritative nameservers, # starting from the root. Note that a cache of authoritative servers # is built up for use by future queries by any Recursors. rec = Recursor.new ret = rec.query(“uk-dnssec.nic.uk”, “NS”)
# Ask Dnsruby to send the query without using the cache. m.do_caching = false ret = res.send_message(m)
# Ask Dnsruby to send a Message without doing any pre- or post-processing ret = res.send_plain_message(Message.new(“example.com”))
# Send a TSIG signed dynamic update to a resolver # and verify the response res = Dnsruby::Resolver.new(“ns0.validation-test-servers.nominet.org.uk”) res.dnssec = false tsig = Dnsruby::RR.create({
:name => "rubytsig",
:type => "TSIG",
:ttl => 0,
:klass => "ANY",
:algorithm => "hmac-md5",
:fudge => 300,
:key => "8n6gugn4aJ7MazyNlMccGKH1WxD2B3UvN/O/RA6iBupO2/03u9CTa3Ewz3gBWTSBCH3crY4Kk+tigNdeJBAvrw==",
:error => 0
})
update = Dnsruby::Update.new(“validation-test-servers.nominet.org.uk”) # … add stuff to the update update.absent(“notthere.update.validation-test-servers.nominet.org.uk”, ‘TXT’) tsig.apply(update) response = res.send_message(update) print “TSIG response was verified? : #{response.verified?}n”
# # DNSSEC stuff #
# Load the ISC DLV key and query some signed zones dlv_key = RR.create(“dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh”) Dnssec.add_dlv_key(dlv_key) res = Recursor.new ret = res.query(“frobbit.se”, “NS”) print “Security level for signed zone from DLV : #{ret.security_level}n” frobbit_servers = ret.answer.rrset(“frobbit.se”, Types.NS)
# and query for a zone which is not signed r = Resolver.new ret = r.query(“ed.ac.uk”) print “Security level of unsigned zone : #{ret.security_level}n”
res = Resolver.new frobbit_servers.rrs.each {|s| print “Adding nameserver : #{s.nsdname}n”; res.add_server(s.nsdname)}
# and some non-existent domains in signed ones res.send_async(Message.new(“notthere.frobbit.se”), queue, 2) id, reply, error = queue.pop print “Error returned from non-existent name in signed zone : #{error}, security level : #{reply.security_level}n”
# Clear the keys and caches Dnsruby::Dnssec.clear_trusted_keys Dnsruby::Dnssec.clear_trust_anchors Dnsruby::PacketSender.clear_caches Dnsruby::Recursor.clear_caches
# Load a specific trust anchor and query some signed zones trusted_key = Dnsruby::RR.create({:name => “uk-dnssec.nic.uk.”,
:type => Dnsruby::Types.DNSKEY,
:flags => 257,
:protocol => 3,
:algorithm => 5,
:key=> "AQPJO6LjrCHhzSF9PIVV7YoQ8iE31FXvghx+14E+jsv4uWJR9jLrxMYm sFOGAKWhiis832ISbPTYtF8sxbNVEotgf9eePruAFPIg6ZixG4yMO9XG LXmcKTQ/cVudqkU00V7M0cUzsYrhc4gPH/NKfQJBC5dbBkbIXJkksPLv Fe8lReKYqocYP6Bng1eBTtkA+N+6mSXzCwSApbNysFnm6yfQwtKlr75p m+pd0/Um+uBkR4nJQGYNt0mPuw4QVBu1TfF5mQYIFoDYASLiDQpvNRN3 US0U5DEG9mARulKSSw448urHvOBwT9Gx5qF2NE4H9ySjOdftjpj62kjb Lmc8/v+z"
})
Dnssec.add_trust_anchor(trusted_key) res = Dnsruby::Resolver.new(“dnssec.nominet.org.uk”) r = res.query(“aaa.bigzone.uk-dnssec.nic.uk”, Dnsruby::Types.DNSKEY) print “Security level of signed zone under manually install trusted key : #{r.security_level}n”
# See if we are using a Recursor for DNSSEC queries print “Using recursion to validate DNSSEC responses? : #{Dnssec.do_validation_with_recursor?}n”