Infoblox::DNS::Record::DS - DS Record object.
The DS key record is a part of the DNS security extension records. It is used to authorize the DNSKEY records of the child zone and thus to establish the DNSSEC chain of trust.
The DS resource record is defined in RFC 4034.
The DS resource records are automatically generated upon the signing of the child zone of an authoritative zone residing on the appliance. You can also upload the external DS records via Infoblox::Session->import_data(). It is not possible to add, remove or modify automatically generated DS records. However, the records imported with Infoblox::Session->import_data() method can be deleted.
The Infoblox::DNS::Record::DS object is a read-only object and does not require manual construction.
This section describes all the methods in an Infoblox::Session that can be applied to an DS Record object.
Use this method to retrieve the existing objects from an Infoblox appliance. See Infoblox::Session->get() for parameters and return values.
Apply the following attributes to get the DS Record object(s):
algorithm - Optional. The encryption algorithm of the corresponding DNSKEY record.
The allowed values are '1','3','5','6','7','RSAMD5','RSASHA1','DSA','NSEC3RSASHA1','NSEC3DSA','RSASHA256','RSASHA512','NSEC3RSASHA256' and 'NSEC3RSASHA512'.
digest - Optional. The digest of the DNSKEY RR.
digest_type - Optional. Identifies the algorithm used to construct the digest. Allowed values are 'SHA1', 'SHA256', 1, 2.
key_tag - Optional. Key-tag to identify the public key.
name - Optional. FQDN of the DS record.
ttl - Optional. TTL value of the record.
view - Optional. The DNS view in which the record is located. By default, all DNS views are searched. But if you omit this attribute and specify a zone, the appliance searches the 'default' view only.
zone - Optional. A zone name in FQDN format.
# get all the DS records for the zone 'domain.com' in the default DNS view my @retrieved_objs = $session->get( object => "Infoblox::DNS::Record::DS", name => "domain.com", view => "default" );
# get all the DS records in the "domain.com" zone of the default DNS view # with digest type "SHA1" and TTL of 1 day: my @retrieved_objs = $session->get( object => "Infoblox::DNS::Record::DS", name => "domain.com", digest_type => "SHA1", ttl => 86400, view => "default" );
Use this method to submit an object for removal from the Infoblox appliance. See Infoblox::Session->remove() for parameters and return values.
To remove a specific object, first use get() or search() to retrieve the object, and then submit it for removal.
# Get the objects with the same name my @retrieved_objs = $session->get( object => "Infoblox::DNS::Record::DS", name => "domain.com", view => "default" ); # Find the desired object from the retrieved list. my $desired_ds = $retrieved_objs[0]; # Submit for removal my $response = $session->remove( $desired_ds );
Use this method to retrieve the existing objects from an Infoblox appliance. See Infoblox::Session->search() for parameters and return values.
Apply the following attributes to search the DS Record object(s):
algorithm - Optional. The encryption algorithm of the corresponding DNSKEY record.
The allowed values are '1','3','5','6','7','RSAMD5','RSASHA1','DSA','NSEC3RSASHA1','NSEC3DSA','RSASHA256','RSASHA512','NSEC3RSASHA256' and 'NSEC3RSASHA512'.
digest - Optional. Digest of the DNSKEY RR (regular expression).
digest_type - Optional. Identifies the algorithm used to construct the digest. Allowed values are 'SHA1', 'SHA256', 1, 2.
key_tag - Optional. Key-tag to identify the public key.
name - Optional. FQDN of the DS record (regular expression).
ttl - Optional. TTL value of the record.
view - Optional. The DNS view in which the record is located. By default, all DNS views are searched. But if you omit this attribute and specify a zone, the appliance searches the 'default' view only.
zone - Optional. A zone name in FQDN format.
# search the DS records in the default DNS view by zone name. my @retrieved_objs = $session->search( object => "Infoblox::DNS::Record::DS", name => ".*[.]com", view => "default" );
# search for all DS records in the "domain.com" zone of the default DNS view # Note that the 'default' view is assumed implicitly here my @retrieved_objs = $session->search( object => "Infoblox::DNS::Record::DS", zone => "domain.com", );
This section describes all the methods that can be used to retrieve the attribute values of a DS Record object.
Use this method to retrieve the public key encryption algorithm of the DNSKEY record of the given DS record.
none
The method returns the public key encryption algorithm attribute value. Returned values are one of the following:
#Get the public key encryption algorithm. my $algorithm = $ds_record->algorithm();
Use this method to retrieve cloud API related information for the Infoblox::DNS::Record::DS object.
None
The method returns the attribute value.
# Get cloud_info my $cloud_info = $object->cloud_info();
Use this method to retrieve the DS record creator. This is a read-only attribute.
None
The method returns the attribute value.
# Get attribute value my $value = $object->creator();
Use this method to retrieve the digest of the DNSKEY resource record that is stored in a DS Record object.
none
The method returns the digest of the corresponding DNSKEY RR attribute value.
#Get the digest of the DNSKEY RR my $digest = $ds_record->digest();
Use this method to retrieve the algorithm that is used to construct the digest stored in the digest field.
none
The method returns the algorithm that is used to construct the digest attribute value.
#Get the algorithm used to construct the digest. my $digest_type = $ds_record->digest_type();
Use this method to retrieve the FQDN, in punycode format, of the DNSKEY record referred by the DS Record object. This is a read-only attribute.
None
The method returns the attribute value.
# Get attribute value my $value = $ds_record->dns_name();
Use this method to retrieve the key tag of the DNSKEY RR that is referred by the given DS Record object.
none
The method returns the key tag attribute value. The key tag is used to identify the public keys that belong to the different DS records. The returned value is an unsigned 16 bit integer.
#Get key-tag my $key_tag = $ds_record->key_tag();
Use this method to retrieve the time when the associated record was last queried. This is a read-only attribute.
None
The method returns the attribute value. The number of seconds that have elapsed since January 1st, 1970 UTC.
#Get last_queried my $last_queried = $ds_record->last_queried();
Use this method to retrieve the FQDN of the DNSKEY record referred by the DS Record object.
The attribute value can be in unicode format.
none
The method returns the FQDN of the DNSKEY record that corresponds to the DS record.
#Get FQDN of the DS record my $name = $ds_record->name();
Use this method to retrieve the Time to Live (TTL) value of a DS Record object.
none
The method returns the TTL attribute value. The returned parameter is a 32-bit integer (range from 0 to 4294967295) that represents the duration, in seconds, that the record is cached. Zero indicates that the record should not be cached.
#Get TTL my $ttl = $ds_record->ttl();
Use this method to retrieve the DNS view object that contains the DS Record object.
none
The method returns the Infoblox::DNS::View object that contains the DS record.
#Get Ref to the view object my $view = $ds_record->view();
Use this method to retrieve the zone name of a DS record.
none
Returns the zone name in FQDN format.
# Get zone my $zone = $ds_record->zone();
The following sample code demonstrates the session methods on a DS Record object.
#PROGRAM STARTS: Include all the modules that will be used use strict; use Infoblox;
#Create a session to the Infoblox device my $session = Infoblox::Session->new( master => "192.168.1.2", username => "admin", password => "infoblox" ); unless ($session) { die("Construct session failed: ", $session->status_code() . ":" . $session->status_detail()); } print "Session created successfully\n";
#Enable DNSSEC in the default view
my $default_view=$session->get(
object=> "Infoblox::DNS::View",
name => "default"
);
unless($default_view) {
die("Getting the default view failed:",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Got the default view successfully\n";
$default_view->dnssec_enabled("true")
or die("Changing the dnssec_enabled in the default view failed:",
Infoblox::status_code() . ":" . Infoblox::status_detail());
$session->modify($default_view)
or die("Changing the dnssec_enabled in the default view failed:",
Infoblox::status_code() . ":" . Infoblox::status_detail());
#Create the zone
print "Creating Member primary server for the zone\n";
my $primary=Infoblox::DNS::Member->new(
ipv4addr => "192.168.1.2",
name => "infoblox.localdomain"
);
unless($primary) {
die("Unable to create primary server object: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
my $zone = Infoblox::DNS::Zone->new(
name => "domain.com",
primary => $primary
);
unless ($zone) {
die("Construct zone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Zone object created successfully\n";
#Verify if the zone exists
my $object = $session->get(object => "Infoblox::DNS::Zone", name => "domain.com");
unless ($object) {
print "Zone does not exist on server, safe to add the zone\n";
$session->add($zone)
or die("Add zone failed: ",
$session->status_code() . ":" . $session->status_detail());
}
print "Zone added successfully\n";
#Retrieving zone back from the server in order to sign it
$zone = $session->get(object => "Infoblox::DNS::Zone", name => "domain.com");
unless($zone) {
die("Retrieving zone back failed: ",
Infoblox::status_code( ). ":". Infoblox::status_detail( ));
}
print "Zone retrieved for signing successfully.\n";
$zone->dnssec_ksk_algorithm("NSEC3RSASHA1") &&
$zone->dnssec_zsk_algorithm("NSEC3RSASHA1") &&
$zone->dnssec_ksk_size(640) &&
$zone->dnssec_zsk_size(640)
or die("Changing the zone DNSSEC setting failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
$session->modify($zone)
or die("Modifying dnssec values in zone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Zone modified successfully\n";
#Signing the zone
$zone->dnssec_signed("true")
or die("Signing of the zone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Zone signed successfully\n";
# In order to have DS records in the parent zone we need to have a signed subzone
my $subzone = Infoblox::DNS::Zone->new(
name => "subzone.domain.com",
primary => $primary
);
unless ($subzone) {
die("Construct subzone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Zone object created successfully\n";
#Verify if the subzone exists
my $object = $session->get(object => "Infoblox::DNS::Zone", name => "subzone.domain.com");
unless ($object) {
print "Subzone does not exist on server, safe to add the subzone\n";
$session->add($subzone)
or die("Add subzone failed: ",
$session->status_code() . ":" . $session->status_detail());
}
print "Subzone added successfully\n";
#Retrieving subzone back from the server in order to sign it
$subzone = $session->get(object => "Infoblox::DNS::Zone", name => "subzone.domain.com");
unless($subzone) {
die("Retrieving subzone back failed: ",
Infoblox::status_code( ). ":". Infoblox::status_detail( ));
}
print "Subzone retrieved for signing successfully.\n";
$subzone->dnssec_ksk_algorithm("NSEC3DSA") &&
$subzone->dnssec_zsk_algorithm("NSEC3DSA") &&
$subzone->dnssec_ksk_size(640) &&
$subzone->dnssec_zsk_size(640)
or die("Changing the subzone DNSSEC setting failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
$session->modify($subzone)
or die("Modifying dnssec values in subzone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Subzone modified successfully\n";
#Signing the subzone
$subzone->dnssec_signed("true")
or die("Signing of the subzone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Subzone signed successfully\n";
#Getting the DNSKEY record for subzone
my $ksk_dnskey=$session->get(
object => "Infoblox::DNS::Record::DNSKEY",
flags => 257,
name => "subzone.domain.com",
view => "default"
);
unless($ksk_dnskey) {
die("Getting ksk_dnskey failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Got Key-signing key DNSKEY record successfully\n";
#Retrieving the DS record corresponding to the given DNSKEY
my $ds_record=$session->get(
object => "Infoblox::DNS::Record::DS",
name => "subzone.domain.com",
key_tag => $ksk_dnskey->key_tag(),
view => "default"
);
unless($ds_record) {
die("Getting DS record corresponding to ksk_dnskey failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Got the DS record corresponding to public key with key_tag ".$ksk_dnskey->key_tag()." successfully\n";
print "Digest value: ".$ds_record->digest()."\n";
#Searching for DS object
my @retrieved_objs=$session->search(
object => "Infoblox::DNS::Record::DS",
name => ".*com",
view => "default"
);
unless(@retrieved_objs>0) {
die("Searching for DS objects failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print scalar(@retrieved_objs)." DS objects successfully found by search\n";
#Removing the created zones and cleaning up the view
$session->remove($subzone)
or die("Unable to remove the subzone: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Subzone removed successfully\n";
$session->remove($zone)
or die("Unable to remove the zone: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Zone removed successfully\n";
$default_view->dnssec_enabled("false")
&& $default_view->override_dnssec("false")
&& $session->modify($default_view)
or die("Restoring dnssec_enabled value in the default view failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
####PROGRAM ENDS####
Infoblox Inc. http://www.infoblox.com/
Infoblox::Session, Infoblox::Session->get(), Infoblox::Session->search(), Infoblox::Session->remove(), Infoblox::DNS::Record::DNSKEY, Infoblox::DNS::View, Infoblox::DNS::Zone
Copyright (c) 2017 Infoblox Inc.