This file shows how to do common tasks with Dnsruby :

require 'rubygems' require 'dnsruby' include Dnsruby

Use the system configured nameservers to run a query

res = Resolver.new ret = res.query("example.com") # Defaults to A record a_recs = ret.answer.rrset("A")

Use a defined nameserver to run an asynchronous query

with no recursion

res = Resolver.new(=> ["a.iana-servers.net", "b.iana-servers.net"]) queue = Queue.new m = Message.new("example.com", Types.NS) m.header.rd = false res.send_async(m, queue, 1)

... do some other stuff ...

id, reply, error = queue.pop if (error) print "Error : #error\n" else

See where the answer came from

print "Got response from : #replyreply.answerfrom, #replyreply.answerip\n" end

Use a Recursor to recursively query authoritative nameservers,

starting from the root. Note that a cache of authoritative servers

is built up for use by future queries by any Recursors.

rec = Recursor.new ret = rec.query("uk-dnssec.nic.uk", "NS")

Ask Dnsruby to send the query without using the cache.

m.do_caching = false ret = res.send_message(m)

Ask Dnsruby to send a Message without doing any pre- or post-processing

ret = res.send_plain_message(Message.new("example.com"))

Send a TSIG signed dynamic update to a resolver

and verify the response

res = Dnsruby::Resolver.new("ns0.validation-test-servers.nominet.org.uk") res.dnssec = false tsig = Dnsruby::RR.create({ :name => "rubytsig", :type => "TSIG", :ttl => 0, :klass => "ANY", :algorithm => "hmac-md5", :fudge => 300, :key => "8n6gugn4aJ7MazyNlMccGKH1WxD2B3UvN/O/RA6iBupO2/03u9CTa3Ewz3gBWTSBCH3crY4Kk+tigNdeJBAvrw==", :error => 0 }) update = Dnsruby::Update.new("validation-test-servers.nominet.org.uk")

... add stuff to the update

update.absent("notthere.update.validation-test-servers.nominet.org.uk", 'TXT') tsig.apply(update) response = res.send_message(update) print "TSIG response was verified? : #responseresponse.verified?\n"

DNSSEC stuff

Load the ISC DLV key and query some signed zones

dlv_key = RR.create("dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh") Dnssec.add_dlv_key(dlv_key) res = Recursor.new ret = res.query("frobbit.se", "NS") print "Security level for signed zone from DLV : #retret.security_level\n" frobbit_servers = ret.answer.rrset("frobbit.se", Types.NS)

and query for a zone which is not signed

r = Resolver.new ret = r.query("ed.ac.uk") print "Security level of unsigned zone : #retret.security_level\n"

res = Resolver.new frobbit_servers.rrs.each {|s| print "Adding nameserver : #{s.nsdname}\n"; res.add_server(s.nsdname)}

and some non-existent domains in signed ones

res.send_async(Message.new("notthere.frobbit.se"), queue, 2) id, reply, error = queue.pop print "Error returned from non-existent name in signed zone : #error, security level : #replyreply.security_level\n"

Clear the keys and caches

Dnsruby::Dnssec.clear_trusted_keys Dnsruby::Dnssec.clear_trust_anchors Dnsruby::PacketSender.clear_caches Dnsruby::Recursor.clear_caches

Load a specific trust anchor and query some signed zones

trusted_key = Dnsruby::RR.create({:name => "uk-dnssec.nic.uk.", :type => Dnsruby::Types.DNSKEY, :flags => 257, :protocol => 3, :algorithm => 5, :key=> "AQPJO6LjrCHhzSF9PIVV7YoQ8iE31FXvghx+14E+jsv4uWJR9jLrxMYm sFOGAKWhiis832ISbPTYtF8sxbNVEotgf9eePruAFPIg6ZixG4yMO9XG LXmcKTQ/cVudqkU00V7M0cUzsYrhc4gPH/NKfQJBC5dbBkbIXJkksPLv Fe8lReKYqocYP6Bng1eBTtkA+N+6mSXzCwSApbNysFnm6yfQwtKlr75p m+pd0/Um+uBkR4nJQGYNt0mPuw4QVBu1TfF5mQYIFoDYASLiDQpvNRN3 US0U5DEG9mARulKSSw448urHvOBwT9Gx5qF2NE4H9ySjOdftjpj62kjb Lmc8/v+z" }) Dnssec.add_trust_anchor(trusted_key) res = Dnsruby::Resolver.new("dnssec.nominet.org.uk") r = res.query("aaa.bigzone.uk-dnssec.nic.uk", Dnsruby::Types.DNSKEY) print "Security level of signed zone under manually install trusted key : #rr.security_level\n"

See if we are using a Recursor for DNSSEC queries

print "Using recursion to validate DNSSEC responses? : #Dnssec.do_validation_with_recursor?\n"