Net_DNS2 v1.3.0 – More DNSSEC Features

This release includes many new DNSSEC changes, including a new, simple “dnssec” flag that tells the server to send all the DNSSEC related resource records for the given zone, as well as include the AD flag indicating if the data is authentic. This is analogous to the “+dnssec” option on the command line dig command.

Setting “dnssec” to true makes Net_DNS2 automatically add an OPT record to the additional section of the request, with the DO bit set to 1, indicating that we would like the DNSSEC information related to the given zone.

$resolver = new Net_DNS2_Resolver(array('nameservers' => array('8.8.8.8')));

$resolver->dnssec = true;

$result = $resolver->query('org', 'SOA', 'IN');

print_r($result);

Produces:

Net_DNS2_Packet_Response Object
(
    [answer_from] => 8.8.8.8
    [answer_socket_type] => 2
    [header] => Net_DNS2_Header Object
        (
            [id] => 31102
            [qr] => 1
            [opcode] => 0
            [aa] => 0
            [tc] => 0
            [rd] => 1
            [ra] => 1
            [z] => 0
            [ad] => 1
            [cd] => 0
            [rcode] => 0
            [qdcount] => 1
            [ancount] => 2
            [nscount] => 0
            [arcount] => 1
        )

    [question] => Array
        (
            [0] => Net_DNS2_Question Object
                (
                    [qname] => org
                    [qtype] => SOA
                    [qclass] => IN
                )

        )

    [answer] => Array
        (
            [0] => Net_DNS2_RR_SOA Object
                (
                    [mname] => a0.org.afilias-nst.info
                    [rname] => noc.afilias-nst.info
                    [serial] => 2010472684
                    [refresh] => 1800
                    [retry] => 900
                    [expire] => 604800
                    [minimum] => 86400
                    [name] => org
                    [type] => SOA
                    [class] => IN
                    [ttl] => 886
                    [rdlength] => 51
                )

            [1] => Net_DNS2_RR_RRSIG Object
                (
                    [typecovered] => SOA
                    [algorithm] => 7
                    [labels] => 1
                    [origttl] => 900
                    [sigexp] => 20130429014033
                    [sigincep] => 20130408004033
                    [keytag] => 31380
                    [signname] => org
                    [signature] => KBWEIC7BTypmbMTPU2KjCkPDbN1tV29ShWqa2zoGb4uQcRDBgYhz2ajpOaaJPrK+YY2E7BavLI+kulhJn9r/5kjXlOHQG/34B+OFlQwTTwHIRqtSmBu1qJorJSrSObQGVjZt4hteNVF6rfbS2u1m/Rh43eaoVCHfhJaeyr+MzLA=
                    [name] => org
                    [type] => RRSIG
                    [class] => IN
                    [ttl] => 886
                    [rdlength] => 151
                )

        )

    [authority] => Array
        (
        )

    [additional] => Array
        (
            [0] => Net_DNS2_RR_OPT Object
                (
                    [option_code] => 
                    [option_length] => 0
                    [option_data] => 
                    [extended_rcode] => 0
                    [version] => 0
                    [do] => 1
                    [z] => 0
                    [name] => 
                    [type] => OPT
                    [class] => 512
                    [ttl] => 32768
                    [rdlength] => 0
                    [rdata] => 
                )

        )
)

You can see that the response includes the original OPT RR in the additional section, with the DO bit set to 1. The header section also includes the AD bit set to 1, indicating that the server considers the data authentic.

I’ve also included the ability to adjust the AD flag  when making a query (to indicate to the server that we’d like the value of the AD bit, without having to set the DO bit in the OPT RR – see RFC6840 section 5.7), and to adjust the CD flag (telling the server that the client will perform it’s own signature validation).

Net_DNS2 does not validate the DNSSEC signatures itself, but it does provide all the data from DNS needed so that users can. Future versions of Net_DNS2 may provide support for this.

See the change log page for a full list of changes in this release.

You can install Net_DNS2 version 1.3.0 directly from PEAR, using the command line PEAR installer:

pear install Net_DNS2

Net_DNS2 v1.2.5 – DANE TLSA Support

I’ve released version 1.2.5 of the PEAR Net_DNS2 library- you can install it now through the command line PEAR installer:

pear install Net_DNS2

This release includes some important fixes to the way I was calculating the offset values when building the DNS packets. Here is the full list of changes for this release:

  • changed the socket_connect() code to start off non-blocking, and call select() after connect() so a timeout on a invalid server works properly
  • added the new TLSA RR – RFC 6698
  • fixed the socket defines again; apparently the values of the SOCK are different under solaris
  • changed the Net_DNS2_Updater::update() so you can pass a reference to a variable that will be populated with the response object
  • moved the lines that add the response server/type to after the is_null() check- it should have been there to begin with.
  • fixed a whole bunch of cases where I wasn’t incrementing the offset values properly
  • added support to set the RD (recursion desired) bit when making a request

Net_DNS2 v1.2.1 Released

I’ve released version 1.2.1 of the PEAR Net_DNS2 library- you can install it now through the command line PEAR installer:

pear install Net_DNS2

This is just a small maintenance release to fix a few bugs:

  • changed the Net_DNS2_Sockets::_sock property from private to protected; this was causing some problems when the request was failing.
  • PHP doesn’t support unsigned integers, but many of the RR’s return unsigned values (like SOA), so there is the possibility that the value will overrun on 32bit systems, and you’ll end up with a negative value. So a new function was added to convert the negative value to a string with the correct unsigned value.

Net_DNS2 v1.2.0 – CAA, URI, TALINK, CDS and TA Resource Records

I’ve released a new version of the PEAR Net_DNS2 library- you can install it now through the command line PEAR installer:

pear install Net_DNS2

This release includes a significant speed-up with the local cache by using JSON to encode the cache data, rather then the PHP serialize function. Using JSON loses the class information of the objects, but the data remains the same, and the serialization time is about half.

A Query lookup against Google DNS- NO cache

time: 0.0340800285339

        Net_DNS2_RR_A Object
        (
            [address] => 199.59.148.82
            [name] => twitter.com
            [type] => A
            [class] => IN
            [ttl] => 28
            [rdlength] => 4
            [rdata] => 
        )

with cache + serialize

time: 0.00258994102478

        Net_DNS2_RR_A Object
        (
            [address] => 199.59.148.82
            [name] => twitter.com
            [type] => A
            [class] => IN
            [ttl] => 28
            [rdlength] => 4
            [rdata] => 
        )

with cache + json

time: 0.00178384780884

        stdClass Object
        (
            [address] => 199.59.148.82
            [name] => twitter.com
            [type] => A
            [class] => IN
            [ttl] => 28
            [rdlength] => 4
            [rdata] => 
        )

Version 1.2.0

This version changes the way some exceptions are thrown, and may break your code!

  • added numeric error codes to the Lookups class, and had each method that throws an exception throw a numeric error code along with the message.
  • dropped all references to InvalidArgumentException; we only use the Net_DNS2_Exception from now on.
  • added the CAA, URI, TALINK, CDS and TA resource records. Some of these are experimental, but are pretty straight forward.
  • fixed a bug in formatString(); my version was only putting double quotes around strings that have spaces, but apparently ALL strings should have double quotes around them. This is how BIND does it.
  • re-organized the Net_DNS2_Lookups initialization code; it no longer creates a global object of itself.
  • fixed a bug in the caching code; in some cases it wouldn’t cache the same content more then once.
  • added an option to use JSON to serialize the cache data rather than using the PHP serialize function. JSON is much faster, but loses the class definition, and becomes a stdClass object.
  • fixed a handful of cases where I was using double quotes (“) where a single quote (‘) would be fine.

Net_DNS2 v1.1.0 – Released

Net_DNS2 version 1.1.0 is now available for download from the PEAR site, or can be installed using the “pear” command line client like:

pear install Net_DNS2

This release includes support for signing DNS updates and zone transfers (AXFR’s) using SIG(0), a private/public key authentication mechanism. The OpenSSL PHP extension is required for this feature to work.

//
// create a new Updater object
//
$u = new Net_DNS2_Updater('example.com', array('nameservers' => array('192.168.0.1')));

//
// add a SIG(0) to authenticate the request
//
$u->signSIG0('/etc/namedb/Kexample.com.+001+15765.private');

//
// send the update rquest.
//
$u->update();

Support for the ATMA resource record- a method for publishing ATM addresses via DNS.

@      IN    SOA    name1.data.example.com.  name4.data.example.com. (
                                  1994041800   ; Serial  - date
                                  1800         ; Refresh - 30 minutes
                                  300          ; Retry   - 5 minutes
                                  604800       ; Expire  - 7 days
                                  3600 )       ; Minimum - 1 hour
       IN    NS     name1.data.example.com.
       IN    NS     ns.example.com.
;

salmon IN    ATMA   39.246f.000e7c9c031200010001.000012345678.00

And a new simple local cache system, using shared memory (using the PHP Shmop Extension), or using a flat file.

$r = new Net_DNS2_Resolver(array(

        'cache_type'    => 'shared',
        'cache_file'    => '/tmp/net_dns2.cache',
        'cache_size'    => 100000
));

Caching is disabled by default, and is only used for DNS queries (and not for updates), but can drastically improve query performance.