This release includes many new DNSSEC changes, including a new, simple “dnssec” flag that tells the server to send all the DNSSEC related resource records for the given zone, as well as include the AD flag indicating if the data is authentic. This is analogous to the “+dnssec” option on the command line dig command.
Setting “dnssec” to true makes Net_DNS2 automatically add an OPT record to the additional section of the request, with the DO bit set to 1, indicating that we would like the DNSSEC information related to the given zone.
$resolver = new Net_DNS2_Resolver(array('nameservers' => array('126.96.36.199'))); $resolver->dnssec = true; $result = $resolver->query('org', 'SOA', 'IN'); print_r($result);
Net_DNS2_Packet_Response Object ( [answer_from] => 188.8.131.52 [answer_socket_type] => 2 [header] => Net_DNS2_Header Object ( [id] => 31102 [qr] => 1 [opcode] => 0 [aa] => 0 [tc] => 0 [rd] => 1 [ra] => 1 [z] => 0 [ad] => 1 [cd] => 0 [rcode] => 0 [qdcount] => 1 [ancount] => 2 [nscount] => 0 [arcount] => 1 ) [question] => Array (  => Net_DNS2_Question Object ( [qname] => org [qtype] => SOA [qclass] => IN ) ) [answer] => Array (  => Net_DNS2_RR_SOA Object ( [mname] => a0.org.afilias-nst.info [rname] => noc.afilias-nst.info [serial] => 2010472684 [refresh] => 1800 [retry] => 900 [expire] => 604800 [minimum] => 86400 [name] => org [type] => SOA [class] => IN [ttl] => 886 [rdlength] => 51 )  => Net_DNS2_RR_RRSIG Object ( [typecovered] => SOA [algorithm] => 7 [labels] => 1 [origttl] => 900 [sigexp] => 20130429014033 [sigincep] => 20130408004033 [keytag] => 31380 [signname] => org [signature] => KBWEIC7BTypmbMTPU2KjCkPDbN1tV29ShWqa2zoGb4uQcRDBgYhz2ajpOaaJPrK+YY2E7BavLI+kulhJn9r/5kjXlOHQG/34B+OFlQwTTwHIRqtSmBu1qJorJSrSObQGVjZt4hteNVF6rfbS2u1m/Rh43eaoVCHfhJaeyr+MzLA= [name] => org [type] => RRSIG [class] => IN [ttl] => 886 [rdlength] => 151 ) ) [authority] => Array ( ) [additional] => Array (  => Net_DNS2_RR_OPT Object ( [option_code] => [option_length] => 0 [option_data] => [extended_rcode] => 0 [version] => 0 [do] => 1 [z] => 0 [name] => [type] => OPT [class] => 512 [ttl] => 32768 [rdlength] => 0 [rdata] => ) ) )
You can see that the response includes the original OPT RR in the additional section, with the DO bit set to 1. The header section also includes the AD bit set to 1, indicating that the server considers the data authentic.
I’ve also included the ability to adjust the AD flag when making a query (to indicate to the server that we’d like the value of the AD bit, without having to set the DO bit in the OPT RR – see RFC6840 section 5.7), and to adjust the CD flag (telling the server that the client will perform it’s own signature validation).
Net_DNS2 does not validate the DNSSEC signatures itself, but it does provide all the data from DNS needed so that users can. Future versions of Net_DNS2 may provide support for this.
See the change log page for a full list of changes in this release.
You can install Net_DNS2 version 1.3.0 directly from PEAR, using the command line PEAR installer:
pear install Net_DNS2
Or download it directly from the Google Code page here.
NET-DNS2, Ver 1.3.1, Gentoo box, fully up to date.
I’ve decided I want to lookup some data (MX Record of “diver.co.za” (DNSSEC at ISC’s DLV)).
Decided to add DNSSEC and look for the AD bit – so I can be cute and add a picture of a padlock.
Without DNSSEC – everything is fine. With DNSSEC=”true”, the “Catch” exception generates error else where.
Removed the Try/Catch, Adding DNSSEC, I’m getting:
Fatal error: Uncaught exception ‘Net_DNS2_Exception’ with message ‘failed to parse resource record: failed to expand name.’ in /usr/share/php/Net/DNS2/RR.php:424 Stack trace: #0 /usr/share/php/Net/DNS2/Packet/Response.php(171): Net_DNS2_RR::parse(Object(Net_DNS2_Packet_Response)) #1 /usr/share/php/Net/DNS2/Packet/Response.php(89): Net_DNS2_Packet_Response->set(‘\xB9\xE6\x81\xA0\x00\x01\x00\x04\x00\x04\x00\t\x05di…’, 512) #2 /usr/share/php/Net/DNS2.php(1126): Net_DNS2_Packet_Response->__construct(‘\xB9\xE6\x81\xA0\x00\x01\x00\x04\x00\x04\x00\t\x05di…’, 512) #3 /usr/share/php/Net/DNS2/Resolver.php(212): Net_DNS2->sendPacket(Object(Net_DNS2_Packet_Request), false) #4 /home/www/vweb.co.za/web/pop-test-inc.php(22): Net_DNS2_Resolver->query(‘diver.co.za’, ‘MX’)
Running the above script, I also get [rdata] for almost every array structure – which is largly unprintable data (and probably pointless?). Looks like the raw wire data.
It looks like it’s having a problem parsing the DNS response; it’s possible it’s malformed in some way.
I tried the same DNS request, with DNSSEC bit set, and it worked fine- can you post your code? You can also post it here:
might be a little easier than through the block here,
@Mark Check that your mbstring.func_overload INI setting is 0 (or at least doesn’t & in 2), because Net_DNS2 needs byte-level access to strings and mbstring extension can make those behave multi-byte. See also https://github.com/mikepultz/netdns2/issues/41