The London Perl and Raku Workshop takes place on 26th Oct 2024. If your company depends on Perl, please consider sponsoring and/or attending.

Changes for version 0.13

  • FEAT: 14588
    • Added support for passing (a reference to) an array of keys to the RRSIG verify function.
  • FIX/FEAT: The Net::DNS::SEC::Private function will for RSA based keys verify if the keytag in the filename is actually correct. Since at parsing the value of the DNSKEY RR flags is not known we test against the currently defined flag values 256 and 257.
    • If we cannot find a keytag match a warning is printed and Private key generation fails
    • This inconsistency was spotted by Jakob Shlyter.
  • FEAT: Added support for SHA256 to the DS RR. Assigned the expected digest type2 for SHA256 type hashes.
    • Note that this makes the Net::DNS::SEC depend on Digest::SHA instead of Digest::SHA1.
    • The default digest type is still set to 1.
    • NB. The code makes assumptions about the IANA assignment of the digest type. The assignment may change. Do not use SHA256 in production zones!!
  • FIX: #15662
    • Roy Arends noticed and patched the label counting did not ignore an initial asterisk label.
  • FIX: Wes Hardaker noticed the default TTL values for created signatures to be different from the TTLs from the data that is being signed.
  • FIX: Wes Hardaker reported there was a problem with validating RRsets that had ownernames with capitals. The fix depends on a fix in Net::DNS::RR that is available in version 0.53_03 or later of the Net::DNS distribution.
  • FEAT: Propper dealing with mnemonics for algorithm and digest type added to DS
  • FIX/FEAT: Mnemonics were written as RSA/MD5 and RSA/SHA1. This has been corrected tp RSASHA1 and RSAMD5, as in the IANA registry.

Changes for version 0.12_02

  • Bug: new_from_hash would not correctly create the RR since internally typebm is used to store the data this has been fixed so that the following works
    • Net::DNS::RR->new(name=>$name, ttl=>$ttl, type=>"NSEC", nxtdname=>$nxtdname, typelist=>join(" ",@types) );
  • FEAT: Introduced the "use bytes" pragma to force character interpretation of all the scalars. Any utf processing by perl makes the code behave unpredictable.

Changes for version 0.12_01

  • FEAT (!!!): Changed the symantics of the Net::DNS::Keyset::verify method. Read the perldoc for details. The requirement that each key in a keyset has to be selfsigned has been loosened.
  • FEAT: Added a "carp" to the new methods of the NXT RR. Warning that that record is depricated.
  • FEAT: Cleaned the tests so that RRSIG and DNSKEY are used except for SIG0 based tests.
  • FEAT: Changed the name of the siginceptation[SIC] to siginception. Thanks Jakob Schlyter for notifying me of this mistyping. An alias for the method remains available.
  • FEAT: Renamed unset_sep() to clear_sep().
  • NOTE: To avoid confusion the Net::DNS::SIG::Private class has been removed. Use Net::DNS::SEC::Private!
  • DOC: Added references to RFC 4033, RFC 4034 and RFC 4035. Rewrote parts of the perlpod.


DS extraction demo
Utility to convert a DNSSEC KEY to a DS record
create a self-signed keyset


DNSSEC Keyset object class
DNS DNSKEY resource record
DNS DS resource record
DNS KEY resource record
DNS NSEC resource record
DNS NXT resource record
DNS RRSIG resource record
DNS SIG resource record
DNSSEC extensions to Net::DNS
DNS SIG Private key object