dnsruby 1.55 → 1.56.0

data/lib/dnsruby/resource/SPF.rb

@@ -0,0 +1,29 @@
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
+module Dnsruby
+  class RR
+    # DNS SPF resource record
+
+    # This is a clone of the TXT record. This class therfore completely inherits
+    # all properties of the Dnsruby::Resource::TXT class.
+    # 
+    # Please see the Dnsruby::Resource::TXT documentation for details
+    # RFC 1035 Section 3.3.14, draft-schlitt-ospf-classic-02.txt
+    class SPF < TXT
+      TypeValue = Types::SPF #:nodoc: all
+    end
+  end
+end

data/lib/dnsruby/resource/SRV.rb

@@ -0,0 +1,112 @@
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
+module Dnsruby
+  class RR
+    module IN
+      #  SRV resource record defined in RFC 2782
+      # 
+      #  These records identify the hostname and port that a service is
+      #  available at.
+      # 
+      #  The format is:
+      #    _Service._Proto.Name TTL Class SRV Priority Weight Port Target
+      # 
+      #  The fields specific to SRV are defined in RFC 2782
+      class SRV < RR
+        ClassHash[[TypeValue = Types::SRV, ClassValue = ClassValue]] = self #:nodoc: all
+
+        #  The priority of this target host.
+        #  A client MUST attempt
+        #  to contact the target host with the lowest-numbered priority it can
+        #  reach; target hosts with the same priority SHOULD be tried in an
+        #  order defined by the weight field.  The range is 0-65535.  Note that
+        #  it is not widely implemented and should be set to zero.
+        attr_accessor :priority
+
+        #  A server selection mechanism.
+        #  The weight field specifies
+        #  a relative weight for entries with the same priority. Larger weights
+        #  SHOULD be given a proportionately higher probability of being
+        #  selected. The range of this number is 0-65535.  Domain administrators
+        #  SHOULD use Weight 0 when there isn't any server selection to do, to
+        #  make the RR easier to read for humans (less noisy). Note that it is
+        #  not widely implemented and should be set to zero.
+        attr_accessor :weight
+
+        #  The port on this target host of this service.  The range is 0-65535.
+        attr_accessor :port
+
+        #  The domain name of the target host. A target of "." means
+        #  that the service is decidedly not available at this domain.
+        attr_accessor :target
+
+        def from_data(data) #:nodoc: all
+          @priority, @weight, @port, @target = data
+        end
+
+        def from_hash(hash)
+          if hash[:priority]
+            @priority = hash[:priority].to_i
+          end
+          if hash[:weight]
+            @weight = hash[:weight].to_i
+          end
+          if hash[:port]
+            @port = hash[:port].to_i
+          end
+          if hash[:target]
+            @target= Name.create(hash[:target])
+          end
+        end
+
+        def from_string(input)
+          if (input.length > 0)
+            names = input.split(" ")
+            @priority = names[0].to_i
+            @weight = names[1].to_i
+            @port = names[2].to_i
+            if (names[3])
+              @target = Name.create(names[3])
+            end
+          end
+        end
+
+        def rdata_to_string
+          if (@target!=nil)
+            return "#{@priority} #{@weight} #{@port} #{@target.to_s(true)}"
+          else
+            return ""
+          end
+        end
+
+        def encode_rdata(msg, canonical=false) #:nodoc: all
+          msg.put_pack("n", @priority)
+          msg.put_pack("n", @weight)
+          msg.put_pack("n", @port)
+          msg.put_name(@target,canonical)
+        end
+
+        def self.decode_rdata(msg) #:nodoc: all
+          priority, = msg.get_unpack("n")
+          weight,   = msg.get_unpack("n")
+          port,     = msg.get_unpack("n")
+          target    = msg.get_name
+          return self.new([priority, weight, port, target])
+        end
+      end
+    end
+  end
+end

data/lib/{Dnsruby → dnsruby}/resource/SSHFP.rb

@@ -1,18 +1,18 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License.
-#You may obtain a copy of the License at
-#
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
 #     http://www.apache.org/licenses/LICENSE-2.0
-#
-#Unless required by applicable law or agreed to in writing, software
-#distributed under the License is distributed on an "AS IS" BASIS,
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-#See the License for the specific language governing permissions and
-#limitations under the License.
-#++
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
 module Dnsruby
   class RR
     class SSHFP < RR

data/lib/dnsruby/resource/TKEY.rb

@@ -0,0 +1,163 @@
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
+module Dnsruby
+
+  class Modes < CodeMapper
+    #  The key is assigned by the server (unimplemented)
+    SERVERASSIGNED		= 1
+
+    #  The key is computed using a Diffie-Hellman key exchange
+    DIFFIEHELLMAN		= 2
+
+    #  The key is computed using GSS_API (unimplemented)
+    GSSAPI			= 3
+
+    #  The key is assigned by the resolver (unimplemented)
+    RESOLVERASSIGNED	= 4
+
+    #  The key should be deleted
+    DELETE			= 5
+    update()
+  end
+
+  class RR
+    # RFC2930
+    class TKEY < RR
+      TypeValue = Types::TKEY #:nodoc: all
+      ClassValue = nil #:nodoc: all
+      ClassHash[[TypeValue, Classes::ANY]] = self #:nodoc: all
+
+      attr_reader :key_size
+      attr_accessor :key
+      # Gets or sets the domain name that specifies the name of the algorithm.
+      # The default algorithm is gss.microsoft.com
+      # 
+      #     rr.algorithm=(algorithm_name)
+      #     print "algorithm = ", rr.algorithm, "\n"
+      # 
+      attr_accessor :algorithm
+      # Gets or sets the inception time as the number of seconds since 1 Jan 1970
+      # 00:00:00 UTC.
+      # 
+      # The default inception time is the current time.
+      # 
+      #     rr.inception=(time)
+      #     print "inception = ", rr.inception, "\n"
+      # 
+      attr_accessor :inception
+      # Gets or sets the expiration time as the number of seconds since 1 Jan 1970
+      # 00:00:00 UTC.
+      # 
+      # The default expiration time is the current time plus 1 day.
+      # 
+      #     rr.expiration=(time)
+      #     print "expiration = ", rr.expiration, "\n"
+      # 
+      attr_accessor :expiration
+      # Sets the key mode (see rfc2930). The default is 3 which corresponds to GSSAPI
+      # 
+      #     rr.mode=(3)
+      #     print "mode = ", rr.mode, "\n"
+      # 
+      attr_accessor :mode
+      # Returns the RCODE covering TKEY processing.  See RFC 2930 for details.
+      # 
+      #     print "error = ", rr.error, "\n"
+      # 
+      attr_accessor :error
+      # Returns the length of the Other Data.  Should be zero.
+      # 
+      #     print "other size = ", rr.other_size, "\n"
+      # 
+      attr_reader :other_size
+      # Returns the Other Data.  This field should be empty.
+      # 
+      #     print "other data = ", rr.other_data, "\n"
+      # 
+      attr_reader :other_data
+
+      def other_data=(od)
+        @other_data=od
+        @other_size=@other_data.length
+      end
+
+      def initialize
+        @algorithm   = "gss.microsoft.com"
+        @inception   = Time.now
+        @expiration  = Time.now + 24*60*60
+        @mode        = Modes.GSSAPI
+        @error       = 0
+        @other_size   = 0
+        @other_data  = ""
+
+        #  RFC 2845 Section 2.3
+        @klass = Classes.ANY
+        #  RFC 2845 Section 2.3
+        @ttl = 0
+      end
+
+      def from_hash(hash)
+        super(hash)
+        if (algorithm)
+        @algorithm = Name.create(hash[:algorithm])
+        end
+      end
+
+      def from_data(data) #:nodoc: all
+        @algorithm, @inception, @expiration, @mode, @error, @key_size, @key, @other_size, @other_data = data
+      end
+
+      #  Create the RR from a standard string
+      def from_string(string) #:nodoc: all
+        Dnsruby.log.error("Dnsruby::RR::TKEY#from_string called, but no text format defined for TKEY")
+      end
+
+      def rdata_to_string
+        rdatastr=""
+
+        if (@algorithm!=nil)
+          error = @error
+          error = "UNDEFINED" unless error!=nil
+          rdatastr = "#{@algorithm.to_s(true)} #{error}"
+          if (@other_size != nil && @other_size >0 && @other_data!=nil)
+            rdatastr += " #{@other_data}"
+          end
+        end
+
+        return rdatastr
+      end
+
+      def encode_rdata(msg, canonical=false) #:nodoc: all
+        msg.put_name(@algorithm, canonical)
+        msg.put_pack("NNnn", @inception, @expiration, @mode, @error)
+        msg.put_pack("n", @key.length)
+        msg.put_bytes(@key)
+        msg.put_pack("n", @other_data.length)
+        msg.put_bytes(@other_data)
+      end
+
+      def self.decode_rdata(msg) #:nodoc: all
+        alg=msg.get_name
+        inc, exp, mode, error  = msg.get_unpack("NNnn")
+        key_size, =msg.get_unpack("n")
+        key=msg.get_bytes(key_size)
+        other_size, =msg.get_unpack("n")
+        other=msg.get_bytes(other_size)
+        return self.new([alg, inc, exp, mode, error, key_size, key, other_size, other])
+      end
+    end
+  end
+end

data/lib/dnsruby/resource/TSIG.rb

@@ -0,0 +1,593 @@
+# --
+# Copyright 2007 Nominet UK
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ++
+# require 'base64'
+begin
+require 'openssl'
+rescue LoadError
+  print "OpenSSL not found - ignoring\n"
+end
+module Dnsruby
+  class RR
+    # TSIG implements RFC2845.
+    # 
+    # "This protocol allows for transaction level authentication using
+    # shared secrets and one way hashing.  It can be used to authenticate
+    # dynamic updates as coming from an approved client, or to authenticate
+    # responses as coming from an approved recursive name server."
+    # 
+    # A Dnsruby::RR::TSIG can represent the data present in a TSIG RR.
+    # However, it can also represent the data (specified in RFC2845) used
+    # to sign or verify a DNS message.
+    # 
+    # 
+    # Example code :
+    #     res = Dnsruby::Resolver.new("ns0.validation-test-servers.nominet.org.uk")
+    # 
+    #     # Now configure the resolver with the TSIG key for signing/verifying
+    #     KEY_NAME="rubytsig"
+    #     KEY = "8n6gugn4aJ7MazyNlMccGKH1WxD2B3UvN/O/RA6iBupO2/03u9CTa3Ewz3gBWTSBCH3crY4Kk+tigNdeJBAvrw=="
+    #     res.tsig=KEY_NAME, KEY
+    # 
+    #     update = Dnsruby::Update.new("validation-test-servers.nominet.org.uk")
+    #     # Generate update record name, and test it has been made. Then delete it and check it has been deleted
+    #     update_name = generate_update_name
+    #     update.absent(update_name)
+    #     update.add(update_name, 'TXT', 100, "test signed update")
+    # 
+    #     # Resolver will automatically sign message and verify response
+    #     response = res.send_message(update)
+    #     assert(response.verified?) # Check that the response has been verified
+    class TSIG < RR
+      HMAC_MD5 = Name.create("HMAC-MD5.SIG-ALG.REG.INT.")
+      HMAC_SHA1 = Name.create("hmac-sha1.")
+      HMAC_SHA256 = Name.create("hmac-sha256.")
+
+      DEFAULT_FUDGE     = 300
+
+      DEFAULT_ALGORITHM = HMAC_MD5
+
+      # Generates a TSIG record and adds it to the message.
+      # Takes an optional original_request argument for the case where this is
+      # a response to a query (RFC2845 3.4.1)
+      # 
+      # Message#tsigstate will be set to :Signed.
+      def apply(message, original_request=nil)
+        if (!message.signed?)
+          tsig_rr = generate(message, original_request)
+          message.add_additional(tsig_rr)
+          message.tsigstate = :Signed
+          @query = message
+          tsig_rr.query = message
+        end
+      end
+
+      def query=q#:nodoc: all
+        @query = q
+      end
+
+
+      # Generates a TSIG record
+      def generate(msg, original_request = nil, data="", msg_bytes=nil, tsig_rr=self)#:nodoc: all
+        time_signed=@time_signed
+        if (!time_signed)
+          time_signed=Time.now.to_i
+        end
+        if (tsig_rr.time_signed)
+          time_signed = tsig_rr.time_signed
+        end
+
+        if (original_request)
+          # 	# Add the request MAC if present (used to validate responses).
+          # 	  hmac.update(pack("H*", request_mac))
+          mac_bytes = MessageEncoder.new {|m|
+            m.put_pack('n', original_request.tsig.mac_size)
+            m.put_bytes(original_request.tsig.mac)
+          }.to_s
+          data  += mac_bytes
+          #  Original ID - should we set message ID to original ID?
+          if (tsig_rr != self)
+            msg.header.id = tsig_rr.original_id
+          else
+            msg.header.id = original_request.header.id
+          end
+        end
+
+        if (!msg_bytes)
+          msg_bytes = msg.encode
+          data += msg_bytes
+        else
+          #  If msg_bytes came in, we need somehow to remove the TSIG RR
+          #  It is the last record, so we can strip it if we know where it starts
+          #  We must also poke the header ARcount to decrement it
+          msg_bytes = Header.decrement_arcount_encoded(msg_bytes)
+          data += msg_bytes[0, msg.tsigstart]
+        end
+
+        data += sig_data(tsig_rr, time_signed)
+
+        mac = calculate_mac(tsig_rr.algorithm, data)
+
+        mac_size = mac.length
+
+        new_tsig_rr = Dnsruby::RR.create({
+            :name        => tsig_rr.name,
+            :type        => Types.TSIG,
+            :ttl         => tsig_rr.ttl,
+            :klass       => tsig_rr.klass,
+            :algorithm   => tsig_rr.algorithm,
+            :fudge       => tsig_rr.fudge,
+            :key         => @key,
+            :mac         => mac,
+            :mac_size    => mac_size,
+            :error       => tsig_rr.error,
+            :time_signed => time_signed,
+            :original_id => msg.header.id
+          })
+        return new_tsig_rr
+
+      end
+
+      def calculate_mac(algorithm, data)
+        mac=nil
+# + if (key_size > max_digest_len) {
+# +   EVP_DigestInit(&ectx, digester);
+# +   EVP_DigestUpdate(&ectx, (const void*) key_bytes, key_size);
+# +   EVP_DigestFinal(&ectx, key_bytes, NULL);
+# +   key_size = max_digest_len;
+# + }
+        key = @key.gsub(" ", "")
+ #        key = Base64::decode64(key)
+        key = key.unpack("m*")[0]
+        if (algorithm.to_s.downcase == HMAC_MD5.to_s.downcase)
+          mac = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, key, data)
+        elsif (algorithm == HMAC_SHA1)
+          mac = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, key, data)
+        elsif (algorithm == HMAC_SHA256)
+          mac = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, key, data)
+        else
+          #  Should we allow client to pass in their own signing function?
+          raise VerifyError.new("Algorithm #{algorithm} unsupported by TSIG")
+        end
+        return mac
+      end
+
+      #  Private method to return the TSIG RR data to be signed
+      def sig_data(tsig_rr, time_signed=@time_signed) #:nodoc: all
+        return MessageEncoder.new { |msg|
+          msg.put_name(tsig_rr.name.downcase, true)
+          msg.put_pack('nN', tsig_rr.klass.code, tsig_rr.ttl)
+          msg.put_name(tsig_rr.algorithm.downcase, true)
+
+          time_high = (time_signed >> 32)
+          time_low = (time_signed & 0xFFFFFFFF)
+          msg.put_pack('nN', time_high, time_low)
+          msg.put_pack('n', tsig_rr.fudge)
+          msg.put_pack('n', tsig_rr.error)
+          msg.put_pack('n', tsig_rr.other_size)
+          msg.put_bytes(tsig_rr.other_data)
+        }.to_s
+      end
+
+      # Verify a response. This method will be called by Dnsruby::SingleResolver
+      # before passing a response to the client code.
+      # The TSIG record will be removed from packet before passing to client, and
+      # the Message#tsigstate and Message#tsigerror will be set accordingly.
+      # Message#tsigstate will be set to one of :
+      # *  :Failed
+      # *  :Verified
+      def verify(query, response, response_bytes, buf="")
+        #         4.6. Client processing of answer
+        # 
+        #    When a client receives a response from a server and expects to see a
+        #    TSIG, it first checks if the TSIG RR is present in the response.
+        #    Otherwise, the response is treated as having a format error and
+        #    discarded.  The client then extracts the TSIG, adjusts the ARCOUNT,
+        #    and calculates the keyed digest in the same way as the server.  If
+        #    the TSIG does not validate, that response MUST be discarded, unless
+        #    the RCODE is 9 (NOTAUTH), in which case the client SHOULD attempt to
+        #    verify the response as if it were a TSIG Error response, as specified
+        #    in [4.3].  A message containing an unsigned TSIG record or a TSIG
+        #    record which fails verification SHOULD not be considered an
+        #    acceptable response; the client SHOULD log an error and continue to
+        #    wait for a signed response until the request times out.
+
+        #  So, this verify method should simply remove the TSIG RR and calculate
+        #  the MAC (using original request MAC if required).
+        #  Should set tsigstate on packet appropriately, and return error.
+        #  Side effect is packet is stripped of TSIG.
+        #  Resolver (or client) can then decide what to do...
+
+        msg_tsig_rr = response.tsig
+        if (!verify_common(response))
+          return false
+        end
+
+        new_msg_tsig_rr = generate(response, query, buf, response_bytes, msg_tsig_rr)
+
+        if (msg_tsig_rr.mac == new_msg_tsig_rr.mac)
+          response.tsigstate = :Verified
+          response.tsigerror = RCode.NOERROR
+          return true
+        else
+          response.tsigstate = :Failed
+          response.tsigerror = RCode.BADSIG
+          return false
+        end
+      end
+
+      def verify_common(response)#:nodoc: all
+        tsig_rr = response.tsig
+
+	if (!tsig_rr)
+          response.tsigerror = RCode.FORMERR
+          response.tsigstate = :Failed
+          return false
+        end
+
+        response.additional.delete(tsig_rr)
+        response.header.arcount-=1
+
+        #  First, check the TSIG error in the RR
+        if (tsig_rr.error != RCode.NOERROR)
+          response.tsigstate = :Failed
+          response.tsigerror = tsig_rr.error
+          return false
+        end
+
+	if ((tsig_rr.name != @name) || (tsig_rr.algorithm.downcase != @algorithm.downcase))
+          Dnsruby.log.error("BADKEY failure")
+          response.tsigstate = :Failed
+          response.tsigerror = RCode.BADKEY
+          return false
+        end
+
+        #  Check time_signed (RFC2845, 4.5.2) - only really necessary for server
+        if (Time.now.to_i > tsig_rr.time_signed + tsig_rr.fudge  ||
+              Time.now.to_i < tsig_rr.time_signed - tsig_rr.fudge)
+          Dnsruby.log.error("TSIG failed with BADTIME")
+          response.tsigstate = :Failed
+          response.tsigerror = RCode.BADTIME
+          return false
+        end
+
+        return true
+      end
+
+      # Checks TSIG signatures across sessions of multiple DNS envelopes.
+      # This method is called each time a new envelope comes in. The envelope
+      # is checked - if a TSIG is present, them the stream so far is verified,
+      # and the response#tsigstate set to :Verified. If a TSIG is not present,
+      # and does not need to be present, then the message is added to the digest
+      # stream and the response#tsigstate is set to :Intermediate.
+      # If there is an error with the TSIG verification, then the response#tsigstate
+      # is set to :Failed.
+      # Like verify, this method will only be called by the Dnsruby::SingleResolver
+      # class. Client code need not call this method directly.
+      def verify_envelope(response, response_bytes)
+        # RFC2845 Section 4.4
+        # -----
+        # A DNS TCP session can include multiple DNS envelopes.  This is, for
+        # example, commonly used by zone transfer.  Using TSIG on such a
+        # connection can protect the connection from hijacking and provide data
+        # integrity.  The TSIG MUST be included on the first and last DNS
+        # envelopes.  It can be optionally placed on any intermediary
+        # envelopes.  It is expensive to include it on every envelopes, but it
+        # MUST be placed on at least every 100'th envelope.  The first envelope
+        # is processed as a standard answer, and subsequent messages have the
+        # following digest components:
+        # 
+        # *   Prior Digest (running)
+        # *   DNS Messages (any unsigned messages since the last TSIG)
+        # *   TSIG Timers (current message)
+        # 
+        # This allows the client to rapidly detect when the session has been
+        # altered; at which point it can close the connection and retry.  If a
+        # client TSIG verification fails, the client MUST close the connection.
+        # If the client does not receive TSIG records frequently enough (as
+        # specified above) it SHOULD assume the connection has been hijacked
+        # and it SHOULD close the connection.  The client SHOULD treat this the
+        # same way as they would any other interrupted transfer (although the
+        # exact behavior is not specified).
+        # -----
+        # 
+        #  Each time a new envelope comes in, this method is called on the QUERY TSIG RR.
+        #  It will set the response tsigstate to :Verified :Intermediate or :Failed
+        #  as appropriate.
+
+        #  Keep digest going of messages as they come in (and mark them intermediate)
+        #  When TSIG comes in, work out what key should be and check. If OK, mark
+        #  verified. Can reset digest then.
+        if (!@buf)
+          @num_envelopes = 0
+          @last_signed = 0
+        end
+        @num_envelopes += 1
+        if (!response.tsig)
+          if ((@num_envelopes > 1) && (@num_envelopes - @last_signed < 100))
+            Dnsruby.log.debug("Receiving intermediate envelope in TSIG TCP session")
+            response.tsigstate = :Intermediate
+            response.tsigerror = RCode.NOERROR
+            @buf = @buf + response_bytes
+            return
+          else
+            response.tsigstate = :Failed
+            Dnsruby.log.error("Expecting signed packet")
+            return false
+          end
+        end
+        @last_signed = @num_envelopes
+
+        #  We have a TSIG - process it!
+        tsig = response.tsig
+        if (@num_envelopes == 1)
+          Dnsruby.log.debug("First response in TSIG TCP session - verifying normally")
+          #  Process it as a standard answer
+          ok = verify(@query, response, response_bytes)
+          if (ok)
+            mac_bytes = MessageEncoder.new {|m|
+              m.put_pack('n', tsig.mac_size)
+              m.put_bytes(tsig.mac)
+            }.to_s
+            @buf = mac_bytes
+          end
+          return ok
+        end
+        Dnsruby.log.debug("Processing TSIG on TSIG TCP session")
+
+        if (!verify_common(response))
+          return false
+        end
+
+        #  Now add the current message data - remember to frig the arcount
+        response_bytes = Header.decrement_arcount_encoded(response_bytes)
+        @buf += response_bytes[0, response.tsigstart]
+
+        #  Let's add the timers
+        timers_data = MessageEncoder.new { |msg|
+          time_high = (tsig.time_signed >> 32)
+          time_low = (tsig.time_signed & 0xFFFFFFFF)
+          msg.put_pack('nN', time_high, time_low)
+          msg.put_pack('n', tsig.fudge)
+        }.to_s
+        @buf += timers_data
+
+        mac = calculate_mac(tsig.algorithm, @buf)
+
+        if (mac != tsig.mac)
+          Dnsruby.log.error("TSIG Verify error on TSIG TCP session")
+          response.tsigstate = :Failed
+          return false
+        end
+        mac_bytes = MessageEncoder.new {|m|
+          m.put_pack('n', mac.length)
+          m.put_bytes(mac)
+        }.to_s
+        @buf=mac_bytes
+
+        response.tsigstate = :Verified
+        response.tsigerror = RCode.NOERROR
+        return true
+      end
+
+
+      TypeValue = Types::TSIG #:nodoc: all
+      ClassValue = nil #:nodoc: all
+      ClassHash[[TypeValue, Classes::ANY]] = self #:nodoc: all
+
+      # Gets or sets the domain name that specifies the name of the algorithm.
+      # The only algorithms currently supported are hmac-md5 and hmac-sha1.
+      # 
+      #     rr.algorithm=(algorithm_name)
+      #     print "algorithm = ", rr.algorithm, "\n"
+      # 
+      attr_reader :algorithm
+
+      # Gets or sets the signing time as the number of seconds since 1 Jan 1970
+      # 00:00:00 UTC.
+      # 
+      # The default signing time is the current time.
+      # 
+      #     rr.time_signed=(time)
+      #     print "time signed = ", rr.time_signed, "\n"
+      # 
+      attr_accessor :time_signed
+
+      # Gets or sets the "fudge", i.e., the seconds of error permitted in the
+      # signing time.
+      # 
+      # The default fudge is 300 seconds.
+      # 
+      #     rr.fudge=(60)
+      #     print "fudge = ", rr.fudge, "\n"
+      # 
+      attr_reader :fudge
+
+      # Returns the number of octets in the message authentication code (MAC).
+      # The programmer must call a Net::DNS::Packet object's data method
+      # before this will return anything meaningful.
+      # 
+      #     print "MAC size = ", rr.mac_size, "\n"
+      # 
+      attr_accessor :mac_size
+
+      # Returns the message authentication code (MAC) as a string of hex
+      # characters.  The programmer must call a Net::DNS::Packet object's
+      # data method before this will return anything meaningful.
+      # 
+      #     print "MAC = ", rr.mac, "\n"
+      # 
+      attr_accessor :mac
+
+      # Gets or sets the original message ID.
+      # 
+      #     rr.original_id(12345)
+      #     print "original ID = ", rr.original_id, "\n"
+      # 
+      attr_accessor :original_id
+
+      # Returns the RCODE covering TSIG processing.  Common values are
+      # NOERROR, BADSIG, BADKEY, and BADTIME.  See RFC 2845 for details.
+      # 
+      #     print "error = ", rr.error, "\n"
+      # 
+      attr_accessor :error
+
+      # Returns the length of the Other Data.  Should be zero unless the
+      # error is BADTIME.
+      # 
+      #     print "other len = ", rr.other_size, "\n"
+      # 
+      attr_accessor :other_size
+
+      # Returns the Other Data.  This field should be empty unless the
+      # error is BADTIME, in which case it will contain the server's
+      # time as the number of seconds since 1 Jan 1970 00:00:00 UTC.
+      # 
+      #     print "other data = ", rr.other_data, "\n"
+      # 
+      attr_accessor :other_data
+
+      # Stores the secret key used for signing/verifying messages.
+      attr_accessor :key
+
+      def init_defaults
+        #  @TODO@ Have new() method which takes key_name and key?
+        @algorithm   = DEFAULT_ALGORITHM
+        @fudge       = DEFAULT_FUDGE
+        @mac_size    = 0
+        @mac         = ""
+        @original_id = rand(65536)
+        @error       = 0
+        @other_size   = 0
+        @other_data  = ""
+        @time_signed = nil
+        @buf = nil
+
+        #  RFC 2845 Section 2.3
+        @klass = Classes.ANY
+
+        @ttl = 0 # RFC 2845 Section 2.3
+      end
+
+      def from_data(data) #:nodoc: all
+        @algorithm, @time_signed, @fudge, @mac_size, @mac, @original_id, @error, @other_size, @other_data = data
+      end
+
+      def name=(n)
+        if (n.instance_of?String)
+          n = Name.create(n)
+        end
+        if (!n.absolute?)
+          @name = Name.create(n.to_s + ".")
+        else
+          @name = n
+        end
+      end
+
+      #  Create the RR from a standard string
+      def from_string(str) #:nodoc: all
+        parts = str.split("[:/]")
+        if (parts.length < 2 || parts.length > 3)
+          raise ArgumentException.new("Invalid TSIG key specification")
+        end
+        if (parts.length == 3)
+          return TSIG.new(parts[0], parts[1], parts[2]);
+        else
+          return TSIG.new(HMAC_MD5, parts[0], parts[1]);
+        end
+      end
+
+      # Set the algorithm to use to generate the HMAC
+      # Supported values are :
+      # * hmac-md5
+      # * hmac-sha1
+      # * hmac-sha256
+      def algorithm=(alg)
+        if (alg.class == String)
+          if (alg.downcase=="hmac-md5")
+            @algorithm = HMAC_MD5;
+          elsif (alg.downcase=="hmac-sha1")
+            @algorithm = HMAC_SHA1;
+          elsif (alg.downcase=="hmac-sha256")
+            @algorithm = HMAC_SHA256;
+          else
+            raise ArgumentError.new("Invalid TSIG algorithm")
+          end
+        elsif (alg.class == Name)
+          if (alg!=HMAC_MD5 && alg!=HMAC_SHA1 && alg!=HMAC_SHA256)
+            raise ArgumentException.new("Invalid TSIG algorithm")
+          end
+          @algorithm=alg
+        else
+          raise ArgumentError.new("#{alg.class} not valid type for Dnsruby::RR::TSIG#algorithm=  - use String or Name")
+        end
+        Dnsruby.log.debug{"Using #{@algorithm.to_s} algorithm"}
+      end
+
+      def fudge=(f)
+        if (f < 0 || f > 0x7FFF)
+          @fudge = DEFAULT_FUDGE
+        else
+          @fudge = f
+        end
+      end
+
+      def rdata_to_string
+        rdatastr=""
+        if (@algorithm!=nil)
+          error = @error
+          error = "UNDEFINED" unless error!=nil
+          rdatastr = "#{@original_id} #{@time_signed} #{@algorithm.to_s(true)} #{error}";
+          if (@other_size > 0 && @other_data!=nil)
+            rdatastr += " #{@other_data}"
+          end
+          rdatastr += " " + mac.unpack("H*").to_s
+        end
+
+        return rdatastr
+      end
+
+      def encode_rdata(msg, canonical=false) #:nodoc: all
+        #  Name needs to be added with no compression - done in Dnsruby::Message#encode
+        msg.put_name(@algorithm.downcase, true)
+        time_high = (@time_signed >> 32)
+        time_low = (@time_signed & 0xFFFFFFFF)
+        msg.put_pack('nN', time_high, time_low)
+        msg.put_pack('n', @fudge)
+        msg.put_pack('n', @mac_size)
+        msg.put_bytes(@mac)
+        msg.put_pack('n', @original_id)
+        msg.put_pack('n', @error)
+        msg.put_pack('n', @other_size)
+        msg.put_bytes(@other_data)
+      end
+
+      def self.decode_rdata(msg) #:nodoc: all
+        alg=msg.get_name
+        time_high, time_low = msg.get_unpack("nN")
+        time_signed = (time_high << 32) + time_low
+        fudge, = msg.get_unpack("n")
+        mac_size, = msg.get_unpack("n")
+        mac = msg.get_bytes(mac_size)
+        original_id, = msg.get_unpack("n")
+        error, = msg.get_unpack("n")
+        other_size, = msg.get_unpack("n")
+        other_data = msg.get_bytes(other_size)
+        return self.new([alg, time_signed, fudge, mac_size, mac, original_id, error, other_size, other_data])
+      end
+    end
+  end
+end