Infoblox::DNS::Record::NSEC3 - NSEC3 Record object.
The NSEC3 resource record is a part of DNS security extension (DNSSEC) authentication mechanism. It is used for authenticated denial of existence of DNS Resource record sets in the DNSSEC signed authoritative zones. The functionality that NSEC3 records provide is similar to the functionality of NSEC records, but NSEC3 includes cryptographic protection against zone enumeration.
The NSEC3 resource record is desribed in RFC 5155.
All the NSEC3 records are automatically generated during signing of the corresponding zone.
The Infoblox::DNS::Record::NSEC3 object is a read-only object and does not require manual construction.
This section describes all the methods in an Infoblox::Session that can be applied to an NSEC3 Record object.
Use this method to retrieve the existing objects from an Infoblox appliance. See Infoblox::Session->get() for parameters and return values.
Apply the following attributes to get the NSEC3 Record object(s):
flags - Optional. Integer containing 8 one-bit flags that can be used to indicate different processing.
hash_algorithm - Optional. Integer representing the cryptographic hash algorithm used to construct the hash-value.
iterations - Optional. Number of additional times the hash function has been performed.
name - Optional. FQDN of the NSEC3 record (contains zone name and the hashed record name).
next_hash_owner - Optional. Next hashed owner name in hash order.
salt - Optional. Salt value.
ttl - Optional. TTL value.
types - Optional. Identifies the RRSet types that exist at the original owner name of the NSEC3 RR.
view - Optional. The DNS view in which the record is located. By default, all DNS views are searched. But if you omit this attribute and specify a zone, the appliance searches the 'default' view only.
zone - Optional. A zone name in FQDN format.
# get all the NSEC3 records corresponding to 'A' records in the default DNS view. my @retrieved_objs = $session->get( object => "Infoblox::DNS::Record::NSEC3", types => "A", view => "default" );
Use this method to retrieve the existing objects from an Infoblox appliance. See Infoblox::Session->search() for parameters and return values.
Apply the following attributes to search the NSEC3 Record object(s):
flags - Optional. Integer containing 8 one-bit flags that can be used to indicate different processing.
hash_algorithm - Optional. Integer representing the cryptographic hash algorithm used to construct the hash-value.
iterations - Optional. Number of additional times the hash function has been performed.
name - Optional. FQDN of the NSEC3 record (contains zone name and the hashed record name). Regular expression
next_hash_owner - Optional. Next hashed owner name in hash order (regular expression).
salt - Optional. Salt value (regular expression).
ttl - Optional. TTL value.
types - Optional. Identifies the RRSet types that exist at the original owner name of the NSEC3 RR (regular expression).
view - Optional. The DNS view in which the record is located. By default, all DNS views are searched. But if you omit this attribute and specify a zone, the appliance searches the 'default' view only.
zone - Optional. A zone name in FQDN format.
# get all the NSEC3 records in the zone test.com. my @retrieved_objs = $session->get( object => "Infoblox::DNS::Record::NSEC3", name => ".*test[.]com", );
# search for all NSEC3 records in the "domain.com" zone of the default DNS view # Note that the 'default' view is assumed implicitly here my @retrieved_objs = $session->search( object => "Infoblox::DNS::Record::NSEC3", zone => "domain.com", );
This section describes all the methods that can be used to retrieve the attribute values of an NSEC3 Record object.
Use this method to retrieve cloud API related information for the Infoblox::DNS::Record::NSEC3 object.
None
The method returns the attribute value.
# Get cloud_info my $cloud_info = $object->cloud_info();
Use this method to retrieve the NSEC3 record creator. This is a read-only attribute.
None
The method returns the attribute value.
# Get attribute value my $value = $object->creator();
Use this method to retrieve the flags field of an NSEC3 Record object.
none
The method returns the integer that contains 8 one-bit flags that can be used to indicate different processing. Currently only the least significant bit of the flags field is meaningful. It represents the opt-out flag, which is used to determine the processing of non-secure delegations.
#Get the flags field. my $flags = $nsec3->flags();
Use this method to retrieve the cryptographic hash algorithm used to construct the hash value of an NSEC3 Record object.
none
The method returns an integer that corresponds to the cryptographic hash algorithm used to construct the hash value.
#Get hash algorithm my $hash_algorithm = $nsec3->hash_algorithm();
Use this method to retrieve the number of iterations of the hash function performed to obtain the hashed name.
none
The method returns the number of additional times the hash function has been performed to compute the hash value. This is an integer in the range 0 through 65535, inclusive.
#Get the iterations parameter my $iterations = $nsec3->iterations();
Use this method to retrieve the name of NSEC3 record in FQDN format. The name of NSEC3 record consists of the hashed owner name prepended to the name of the zone, containing NSEC3 record.
none
The method returns the name of NSEC3 record.
#Get the NSEC3 record name my $name = $nsec3->name();
Use this method to retrieve the next hashed owner name. This is a hash of an owner name that immediately follows the owner name of the given NSEC3 record in the hash order.
none
The method returns the next hashed owner name. It is a string in base-32 encoding.
#Get the next hashed owner name my $next_hash_owner = $nsec3->next_hash_owner();
Use this method to retrieve the salt value of a NSEC3 record. The salt is prepended to the original owner name before hashing and on each of the hash iterations in order to defend against pre-calculated dictionary attacks.
none
The method returns a salt value. The returned value is a string containing a sequence of hexadecimal digits representing the salt or '-' if the salt is not used.
#Get the salt my $salt = $nsec3->salt();
Use this method to retrieve the Time to Live (TTL) value of a NSEC3 Record object.
none
The method returns the TTLattribute value. The returned parameter is a 32-bit integer (range from 0 to 4294967295) that represents the duration in seconds that the record is cached. Zero indicates that the record should not be cached.
#Get TTL my $ttl = $nsec3->ttl();
Use this method to retrieve the types field of an NSEC3 record. Types field identifies the RRSet types that exist at the original owner name of the NSEC3 RR.
none
The method returns the RRSet types that exist at the original owner name of the NSEC3 RR attribute value. The returned value is a string containing space separated RR types mnemonics, e.g. "NS SOA RRSIG DNSKEY NSEC3PARAM".
#Get the types field value my $types = $nsec3->types();
Use this method to retrieve the DNS view object that contains the NSEC3 Record object.
none
The method returns the Infoblox::DNS::View object that contains the NSEC3 record.
#Get the DNS view my $view = $nsec3->view();
Use this method to retrieve the zone name of a NSEC3 record.
none
Returns the zone name of the zone that contains the NSEC3 record. The zone name is in FQDN format.
# Get zone my $zone = $nsec3->zone();
The following sample code demonstrates the session methods on a NSEC3 Record object.
#PROGRAM STARTS: Include all the modules that will be used use strict; use Infoblox;
#Create a session to the Infoblox device my $session = Infoblox::Session->new( master => "192.168.1.2", username => "admin", password => "infoblox" ); unless ($session) { die("Construct session failed: ", $session->status_code() . ":" . $session->status_detail()); } print "Session created successfully\n";
#Enable DNSSEC in the default view
my $default_view=$session->get(
object=> "Infoblox::DNS::View",
name => "default"
);
unless($default_view) {
die("Getting the default view failed:",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Got the default view successfully\n";
$default_view->dnssec_enabled("true")
or die("Changing the dnssec_enabled in the default view failed:",
Infoblox::status_code() . ":" . Infoblox::status_detail());
$session->modify($default_view)
or die("Changing the dnssec_enabled in the default view failed:",
Infoblox::status_code() . ":" . Infoblox::status_detail());
#Create a signed zone and populate it with an A record
print "Creating Member primary server for the zone\n";
my $primary=Infoblox::DNS::Member->new(
ipv4addr => "192.168.1.2",
name => "infoblox.localdomain",
);
unless($primary) {
die("Unable to create primary server object: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
my $zone = Infoblox::DNS::Zone->new(
name => "domain.com",
primary => $primary
);
unless ($zone) {
die("Construct zone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Zone object created successfully\n";
#Verify if the zone exists
my $object = $session->get(object => "Infoblox::DNS::Zone", name => "domain.com");
unless ($object) {
print "Zone does not exist on server, safe to add the zone\n";
$session->add($zone)
or die("Add zone failed: ",
$session->status_code() . ":" . $session->status_detail());
}
print "Zone added successfully\n";
#Adding A record to the zone to demonstrate the corresponding NSEC3 record
my $a_record=Infoblox::DNS::Record::A->new(
ipv4addr => "10.9.8.7",
name => "recorda.domain.com"
);
unless($a_record) {
die("Creating A record failed : ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
$object = $session->get( object => "Infoblox::DNS::Record::A", name => "recorda.domain.com" );
unless ($object) {
print "A record does not exist on the server, safe to add the A record\n";
$session->add($a_record)
or die("Adding A record failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "A record added to the zone successfully\n";
#Retrieving zone back from the server in order to sign it
$zone = $session->get(object => "Infoblox::DNS::Zone", name => "domain.com");
unless($zone) {
die("Retrieving zone back failed: ",
Infoblox::status_code( ). ":". Infoblox::status_detail( ));
}
print "Zone retrieved for signing successfully.\n";
$zone->dnssec_ksk_algorithm("NSEC3RSASHA1") &&
$zone->dnssec_zsk_algorithm("NSEC3RSASHA1") &&
$zone->dnssec_ksk_size(640) &&
$zone->dnssec_zsk_size(640)
or die("Changing the zone DNSSEC setting failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
$session->modify($zone)
or die("Modifying dnssec values in zone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Zone modified successfully\n";
#Signing the zone
$zone->dnssec_signed("true")
or die("Signing of the zone failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Zone signed successfully\n";
#Getting the NSEC3 record corresponding to the A record
my $nsec3_record_a=$session->get(
object => "Infoblox::DNS::Record::NSEC3",
types => "A RRSIG",
view => "default"
);
unless($nsec3_record_a) {
die("Getting NSEC3 corresponding to the A record failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Got NSEC3 record successfully, name value: ".$nsec3_record_a->name()."\n";
#Searching for NSEC3 objects using regular expressions
my @retrieved_objs=$session->search(
object => "Infoblox::DNS::Record::NSEC3",
name => ".*domain[.]com",
types => "A|MX|SOA",
view => "default"
);
unless(@retrieved_objs>0) {
die("Searching for NSEC3 objects failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
}
print "Search for the NSEC3 objects successful, ".scalar(@retrieved_objs)." objects found\n";
#Removing the created zone and cleaning up the view
$session->remove($zone)
or die("Unable to remove the zone: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
print "Zone removed successfully\n";
$default_view->dnssec_enabled("false")
&& $default_view->override_dnssec("false")
&& $session->modify($default_view)
or die("Restoring dnssec_enabled value in the default view failed: ",
Infoblox::status_code() . ":" . Infoblox::status_detail());
####PROGRAM ENDS####
Infoblox Inc. http://www.infoblox.com/
Infoblox::Session, Infoblox::Session->get(), Infoblox::Session->search(), Infoblox::DNS::Record::NSEC, Infoblox::DNS::Record::NSEC3PARAM, Infoblox::DNS::View, Infoblox::DNS::Zone
Copyright (c) 2017 Infoblox Inc.