dnsruby 1.55 → 1.56.0

data/lib/Dnsruby/resource/SPF.rb

@@ -1,29 +0,0 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License. 
-#You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0 
-#
-#Unless required by applicable law or agreed to in writing, software 
-#distributed under the License is distributed on an "AS IS" BASIS, 
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-#See the License for the specific language governing permissions and 
-#limitations under the License.
-#++
-module Dnsruby
-  class RR
-    #DNS SPF resource record
-    
-    #This is a clone of the TXT record. This class therfore completely inherits
-    #all properties of the Dnsruby::Resource::TXT class.
-    #
-    #Please see the Dnsruby::Resource::TXT documentation for details
-    #RFC 1035 Section 3.3.14, draft-schlitt-ospf-classic-02.txt
-    class SPF < TXT
-      TypeValue = Types::SPF #:nodoc: all
-    end
-  end
-end

data/lib/Dnsruby/resource/SRV.rb

@@ -1,112 +0,0 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License. 
-#You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0 
-#
-#Unless required by applicable law or agreed to in writing, software 
-#distributed under the License is distributed on an "AS IS" BASIS, 
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-#See the License for the specific language governing permissions and 
-#limitations under the License.
-#++
-module Dnsruby
-  class RR
-    module IN
-      # SRV resource record defined in RFC 2782
-      # 
-      # These records identify the hostname and port that a service is
-      # available at.
-      # 
-      # The format is:
-      #   _Service._Proto.Name TTL Class SRV Priority Weight Port Target
-      #
-      # The fields specific to SRV are defined in RFC 2782
-      class SRV < RR
-        ClassHash[[TypeValue = Types::SRV, ClassValue = ClassValue]] = self #:nodoc: all
-        
-        # The priority of this target host.  
-        # A client MUST attempt
-        # to contact the target host with the lowest-numbered priority it can
-        # reach; target hosts with the same priority SHOULD be tried in an
-        # order defined by the weight field.  The range is 0-65535.  Note that
-        # it is not widely implemented and should be set to zero.
-        attr_accessor :priority
-
-        # A server selection mechanism.  
-        # The weight field specifies
-        # a relative weight for entries with the same priority. Larger weights
-        # SHOULD be given a proportionately higher probability of being
-        # selected. The range of this number is 0-65535.  Domain administrators
-        # SHOULD use Weight 0 when there isn't any server selection to do, to
-        # make the RR easier to read for humans (less noisy). Note that it is
-        # not widely implemented and should be set to zero.
-        attr_accessor :weight
-
-        # The port on this target host of this service.  The range is 0-65535.
-        attr_accessor :port
-        
-        # The domain name of the target host. A target of "." means
-        # that the service is decidedly not available at this domain.
-        attr_accessor :target
-        
-        def from_data(data) #:nodoc: all
-          @priority, @weight, @port, @target = data
-        end
-        
-        def from_hash(hash)
-          if hash[:priority]
-            @priority = hash[:priority].to_i
-          end
-          if hash[:weight]
-            @weight = hash[:weight].to_i
-          end
-          if hash[:port]
-            @port = hash[:port].to_i
-          end
-          if hash[:target]
-            @target= Name.create(hash[:target])
-          end
-        end
-        
-        def from_string(input)
-          if (input.length > 0)
-            names = input.split(" ")
-            @priority = names[0].to_i
-            @weight = names[1].to_i
-            @port = names[2].to_i
-            if (names[3])
-              @target = Name.create(names[3])
-            end
-          end
-        end
-        
-        def rdata_to_string
-          if (@target!=nil)
-            return "#{@priority} #{@weight} #{@port} #{@target.to_s(true)}"
-          else
-            return ""
-          end
-        end
-        
-        def encode_rdata(msg, canonical=false) #:nodoc: all
-          msg.put_pack("n", @priority)
-          msg.put_pack("n", @weight)
-          msg.put_pack("n", @port)
-          msg.put_name(@target,canonical)
-        end
-        
-        def self.decode_rdata(msg) #:nodoc: all
-          priority, = msg.get_unpack("n")
-          weight,   = msg.get_unpack("n")
-          port,     = msg.get_unpack("n")
-          target    = msg.get_name
-          return self.new([priority, weight, port, target])
-        end
-      end 
-    end
-  end
-end

data/lib/Dnsruby/resource/TKEY.rb

@@ -1,163 +0,0 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License. 
-#You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0 
-#
-#Unless required by applicable law or agreed to in writing, software 
-#distributed under the License is distributed on an "AS IS" BASIS, 
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-#See the License for the specific language governing permissions and 
-#limitations under the License.
-#++
-module Dnsruby
-  
-  class Modes < CodeMapper
-    # The key is assigned by the server (unimplemented)
-    SERVERASSIGNED		= 1
-    
-    # The key is computed using a Diffie-Hellman key exchange
-    DIFFIEHELLMAN		= 2
-    
-    # The key is computed using GSS_API (unimplemented)
-    GSSAPI			= 3
-    
-    # The key is assigned by the resolver (unimplemented)
-    RESOLVERASSIGNED	= 4
-    
-    # The key should be deleted
-    DELETE			= 5
-    update()
-  end
-  
-  class RR
-    #RFC2930
-    class TKEY < RR
-      TypeValue = Types::TKEY #:nodoc: all
-      ClassValue = nil #:nodoc: all
-      ClassHash[[TypeValue, Classes::ANY]] = self #:nodoc: all
-      
-      attr_reader :key_size
-      attr_accessor :key
-      #Gets or sets the domain name that specifies the name of the algorithm.
-      #The default algorithm is gss.microsoft.com
-      #
-      #    rr.algorithm=(algorithm_name)
-      #    print "algorithm = ", rr.algorithm, "\n"
-      #
-      attr_accessor :algorithm
-      #Gets or sets the inception time as the number of seconds since 1 Jan 1970
-      #00:00:00 UTC.
-      #
-      #The default inception time is the current time.
-      #
-      #    rr.inception=(time)
-      #    print "inception = ", rr.inception, "\n"
-      #
-      attr_accessor :inception
-      #Gets or sets the expiration time as the number of seconds since 1 Jan 1970
-      #00:00:00 UTC.
-      #
-      #The default expiration time is the current time plus 1 day.
-      #
-      #    rr.expiration=(time)
-      #    print "expiration = ", rr.expiration, "\n"
-      #
-      attr_accessor :expiration
-      #Sets the key mode (see rfc2930). The default is 3 which corresponds to GSSAPI
-      #
-      #    rr.mode=(3)
-      #    print "mode = ", rr.mode, "\n"
-      #
-      attr_accessor :mode
-      #Returns the RCODE covering TKEY processing.  See RFC 2930 for details.
-      #
-      #    print "error = ", rr.error, "\n"
-      #
-      attr_accessor :error
-      #Returns the length of the Other Data.  Should be zero.
-      #
-      #    print "other size = ", rr.other_size, "\n"
-      #
-      attr_reader :other_size
-      #Returns the Other Data.  This field should be empty.
-      #
-      #    print "other data = ", rr.other_data, "\n"
-      #
-      attr_reader :other_data
-      
-      def other_data=(od)
-        @other_data=od
-        @other_size=@other_data.length
-      end
-      
-      def initialize
-        @algorithm   = "gss.microsoft.com"
-        @inception   = Time.now
-        @expiration  = Time.now + 24*60*60
-        @mode        = Modes.GSSAPI
-        @error       = 0
-        @other_size   = 0
-        @other_data  = ""
-        
-        # RFC 2845 Section 2.3
-        @klass = Classes.ANY
-        # RFC 2845 Section 2.3
-        @ttl = 0 
-      end
-      
-      def from_hash(hash)
-        super(hash)
-        if (algorithm)
-        @algorithm = Name.create(hash[:algorithm])
-        end
-      end
-      
-      def from_data(data) #:nodoc: all
-        @algorithm, @inception, @expiration, @mode, @error, @key_size, @key, @other_size, @other_data = data
-      end
-      
-      # Create the RR from a standard string
-      def from_string(string) #:nodoc: all
-        Dnsruby.log.error("Dnsruby::RR::TKEY#from_string called, but no text format defined for TKEY")
-      end
-      
-      def rdata_to_string     
-        rdatastr=""
-        
-        if (@algorithm!=nil)
-          error = @error
-          error = "UNDEFINED" unless error!=nil
-          rdatastr = "#{@algorithm.to_s(true)} #{error}"
-          if (@other_size != nil && @other_size >0 && @other_data!=nil)
-            rdatastr += " #{@other_data}"
-          end
-        end
-        
-        return rdatastr
-      end
-      
-      def encode_rdata(msg, canonical=false) #:nodoc: all
-        msg.put_name(@algorithm, canonical)
-        msg.put_pack("NNnn", @inception, @expiration, @mode, @error)
-        msg.put_pack("n", @key.length)
-        msg.put_bytes(@key)
-        msg.put_pack("n", @other_data.length)
-        msg.put_bytes(@other_data)
-      end
-      
-      def self.decode_rdata(msg) #:nodoc: all
-        alg=msg.get_name
-        inc, exp, mode, error  = msg.get_unpack("NNnn")
-        key_size, =msg.get_unpack("n")
-        key=msg.get_bytes(key_size)
-        other_size, =msg.get_unpack("n")
-        other=msg.get_bytes(other_size)
-        return self.new([alg, inc, exp, mode, error, key_size, key, other_size, other])
-      end
-    end
-  end   
-end

data/lib/Dnsruby/resource/TSIG.rb

@@ -1,593 +0,0 @@
-#--
-#Copyright 2007 Nominet UK
-#
-#Licensed under the Apache License, Version 2.0 (the "License");
-#you may not use this file except in compliance with the License. 
-#You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0 
-#
-#Unless required by applicable law or agreed to in writing, software 
-#distributed under the License is distributed on an "AS IS" BASIS, 
-#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-#See the License for the specific language governing permissions and 
-#limitations under the License.
-#++
-#require 'base64'
-begin
-require 'openssl'
-rescue LoadError
-  print "OpenSSL not found - ignoring\n"
-end
-module Dnsruby
-  class RR
-    #TSIG implements RFC2845.
-    #
-    #"This protocol allows for transaction level authentication using
-    #shared secrets and one way hashing.  It can be used to authenticate
-    #dynamic updates as coming from an approved client, or to authenticate
-    #responses as coming from an approved recursive name server."
-    #
-    #A Dnsruby::RR::TSIG can represent the data present in a TSIG RR.
-    #However, it can also represent the data (specified in RFC2845) used
-    #to sign or verify a DNS message.
-    #
-    #
-    #Example code :
-    #    res = Dnsruby::Resolver.new("ns0.validation-test-servers.nominet.org.uk")
-    #    
-    #    # Now configure the resolver with the TSIG key for signing/verifying
-    #    KEY_NAME="rubytsig"
-    #    KEY = "8n6gugn4aJ7MazyNlMccGKH1WxD2B3UvN/O/RA6iBupO2/03u9CTa3Ewz3gBWTSBCH3crY4Kk+tigNdeJBAvrw=="
-    #    res.tsig=KEY_NAME, KEY
-    #    
-    #    update = Dnsruby::Update.new("validation-test-servers.nominet.org.uk")
-    #    # Generate update record name, and test it has been made. Then delete it and check it has been deleted
-    #    update_name = generate_update_name
-    #    update.absent(update_name)
-    #    update.add(update_name, 'TXT', 100, "test signed update")
-    #    
-    #    # Resolver will automatically sign message and verify response
-    #    response = res.send_message(update)
-    #    assert(response.verified?) # Check that the response has been verified
-    class TSIG < RR
-      HMAC_MD5 = Name.create("HMAC-MD5.SIG-ALG.REG.INT.")
-      HMAC_SHA1 = Name.create("hmac-sha1.")
-      HMAC_SHA256 = Name.create("hmac-sha256.")
-      
-      DEFAULT_FUDGE     = 300
-      
-      DEFAULT_ALGORITHM = HMAC_MD5
-      
-      #Generates a TSIG record and adds it to the message.
-      #Takes an optional original_request argument for the case where this is
-      #a response to a query (RFC2845 3.4.1)
-      #
-      #Message#tsigstate will be set to :Signed.
-      def apply(message, original_request=nil)
-        if (!message.signed?)
-          tsig_rr = generate(message, original_request)
-          message.add_additional(tsig_rr)
-          message.tsigstate = :Signed
-          @query = message
-          tsig_rr.query = message
-        end
-      end
-      
-      def query=q#:nodoc: all
-        @query = q
-      end
-      
-      
-      #Generates a TSIG record
-      def generate(msg, original_request = nil, data="", msg_bytes=nil, tsig_rr=self)#:nodoc: all
-        time_signed=@time_signed
-        if (!time_signed)
-          time_signed=Time.now.to_i
-        end
-        if (tsig_rr.time_signed)
-          time_signed = tsig_rr.time_signed
-        end
-        
-        if (original_request)
-          #	# Add the request MAC if present (used to validate responses).
-          #	  hmac.update(pack("H*", request_mac))
-          mac_bytes = MessageEncoder.new {|m|
-            m.put_pack('n', original_request.tsig.mac_size)
-            m.put_bytes(original_request.tsig.mac)
-          }.to_s
-          data  += mac_bytes
-          # Original ID - should we set message ID to original ID?
-          if (tsig_rr != self)
-            msg.header.id = tsig_rr.original_id
-          else
-            msg.header.id = original_request.header.id
-          end
-        end
-        
-        if (!msg_bytes)
-          msg_bytes = msg.encode
-          data += msg_bytes
-        else
-          # If msg_bytes came in, we need somehow to remove the TSIG RR
-          # It is the last record, so we can strip it if we know where it starts
-          # We must also poke the header ARcount to decrement it
-          msg_bytes = Header.decrement_arcount_encoded(msg_bytes)
-          data += msg_bytes[0, msg.tsigstart]
-        end
-        
-        data += sig_data(tsig_rr, time_signed)
-        
-        mac = calculate_mac(tsig_rr.algorithm, data)
-        
-        mac_size = mac.length
-
-        new_tsig_rr = Dnsruby::RR.create({
-            :name        => tsig_rr.name,
-            :type        => Types.TSIG,
-            :ttl         => tsig_rr.ttl,
-            :klass       => tsig_rr.klass,
-            :algorithm   => tsig_rr.algorithm,
-            :fudge       => tsig_rr.fudge,
-            :key         => @key,
-            :mac         => mac,
-            :mac_size    => mac_size,
-            :error       => tsig_rr.error,
-            :time_signed => time_signed,
-            :original_id => msg.header.id
-          })
-        return new_tsig_rr
-        
-      end
-      
-      def calculate_mac(algorithm, data)
-        mac=nil
-#+ if (key_size > max_digest_len) {
-#+   EVP_DigestInit(&ectx, digester);
-#+   EVP_DigestUpdate(&ectx, (const void*) key_bytes, key_size);
-#+   EVP_DigestFinal(&ectx, key_bytes, NULL);
-#+   key_size = max_digest_len;
-#+ }
-        key = @key.gsub(" ", "")
- #       key = Base64::decode64(key)
-        key = key.unpack("m*")[0]
-        if (algorithm.to_s.downcase == HMAC_MD5.to_s.downcase)
-          mac = OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, key, data)
-        elsif (algorithm == HMAC_SHA1)
-          mac = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, key, data)
-        elsif (algorithm == HMAC_SHA256)
-          mac = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, key, data)
-        else
-          # Should we allow client to pass in their own signing function?
-          raise VerifyError.new("Algorithm #{algorithm} unsupported by TSIG")
-        end
-        return mac
-      end
-      
-      # Private method to return the TSIG RR data to be signed
-      def sig_data(tsig_rr, time_signed=@time_signed) #:nodoc: all
-        return MessageEncoder.new { |msg|
-          msg.put_name(tsig_rr.name.downcase, true)
-          msg.put_pack('nN', tsig_rr.klass.code, tsig_rr.ttl)
-          msg.put_name(tsig_rr.algorithm.downcase, true)
-          
-          time_high = (time_signed >> 32)
-          time_low = (time_signed & 0xFFFFFFFF)
-          msg.put_pack('nN', time_high, time_low)
-          msg.put_pack('n', tsig_rr.fudge)
-          msg.put_pack('n', tsig_rr.error)
-          msg.put_pack('n', tsig_rr.other_size)
-          msg.put_bytes(tsig_rr.other_data)
-        }.to_s
-      end
-      
-      #Verify a response. This method will be called by Dnsruby::SingleResolver
-      #before passing a response to the client code.
-      #The TSIG record will be removed from packet before passing to client, and
-      #the Message#tsigstate and Message#tsigerror will be set accordingly.
-      #Message#tsigstate will be set to one of :
-      #*  :Failed
-      #*  :Verified
-      def verify(query, response, response_bytes, buf="")
-        #        4.6. Client processing of answer
-        #
-        #   When a client receives a response from a server and expects to see a
-        #   TSIG, it first checks if the TSIG RR is present in the response.
-        #   Otherwise, the response is treated as having a format error and
-        #   discarded.  The client then extracts the TSIG, adjusts the ARCOUNT,
-        #   and calculates the keyed digest in the same way as the server.  If
-        #   the TSIG does not validate, that response MUST be discarded, unless
-        #   the RCODE is 9 (NOTAUTH), in which case the client SHOULD attempt to
-        #   verify the response as if it were a TSIG Error response, as specified
-        #   in [4.3].  A message containing an unsigned TSIG record or a TSIG
-        #   record which fails verification SHOULD not be considered an
-        #   acceptable response; the client SHOULD log an error and continue to
-        #   wait for a signed response until the request times out.
-
-        # So, this verify method should simply remove the TSIG RR and calculate
-        # the MAC (using original request MAC if required).
-        # Should set tsigstate on packet appropriately, and return error.
-        # Side effect is packet is stripped of TSIG.
-        # Resolver (or client) can then decide what to do...
-
-        msg_tsig_rr = response.tsig
-        if (!verify_common(response))
-          return false
-        end
-
-        new_msg_tsig_rr = generate(response, query, buf, response_bytes, msg_tsig_rr)
-        
-        if (msg_tsig_rr.mac == new_msg_tsig_rr.mac)
-          response.tsigstate = :Verified
-          response.tsigerror = RCode.NOERROR
-          return true
-        else
-          response.tsigstate = :Failed
-          response.tsigerror = RCode.BADSIG
-          return false
-        end
-      end
-      
-      def verify_common(response)#:nodoc: all
-        tsig_rr = response.tsig
-
-	if (!tsig_rr)
-          response.tsigerror = RCode.FORMERR
-          response.tsigstate = :Failed
-          return false
-        end
-
-        response.additional.delete(tsig_rr)
-        response.header.arcount-=1
-
-        # First, check the TSIG error in the RR
-        if (tsig_rr.error != RCode.NOERROR)
-          response.tsigstate = :Failed
-          response.tsigerror = tsig_rr.error
-          return false                    
-        end
-        
-	if ((tsig_rr.name != @name) || (tsig_rr.algorithm.downcase != @algorithm.downcase))
-          Dnsruby.log.error("BADKEY failure")
-          response.tsigstate = :Failed
-          response.tsigerror = RCode.BADKEY
-          return false          
-        end
-        
-        # Check time_signed (RFC2845, 4.5.2) - only really necessary for server
-        if (Time.now.to_i > tsig_rr.time_signed + tsig_rr.fudge  ||
-              Time.now.to_i < tsig_rr.time_signed - tsig_rr.fudge)
-          Dnsruby.log.error("TSIG failed with BADTIME")
-          response.tsigstate = :Failed
-          response.tsigerror = RCode.BADTIME
-          return false          
-        end
-        
-        return true
-      end
-      
-      #Checks TSIG signatures across sessions of multiple DNS envelopes.
-      #This method is called each time a new envelope comes in. The envelope
-      #is checked - if a TSIG is present, them the stream so far is verified, 
-      #and the response#tsigstate set to :Verified. If a TSIG is not present,
-      #and does not need to be present, then the message is added to the digest
-      #stream and the response#tsigstate is set to :Intermediate.
-      #If there is an error with the TSIG verification, then the response#tsigstate 
-      #is set to :Failed.
-      #Like verify, this method will only be called by the Dnsruby::SingleResolver
-      #class. Client code need not call this method directly.
-      def verify_envelope(response, response_bytes)
-        #RFC2845 Section 4.4
-        #-----
-        #A DNS TCP session can include multiple DNS envelopes.  This is, for
-        #example, commonly used by zone transfer.  Using TSIG on such a
-        #connection can protect the connection from hijacking and provide data
-        #integrity.  The TSIG MUST be included on the first and last DNS
-        #envelopes.  It can be optionally placed on any intermediary
-        #envelopes.  It is expensive to include it on every envelopes, but it
-        #MUST be placed on at least every 100'th envelope.  The first envelope
-        #is processed as a standard answer, and subsequent messages have the
-        #following digest components:
-        #
-        #*   Prior Digest (running)
-        #*   DNS Messages (any unsigned messages since the last TSIG)
-        #*   TSIG Timers (current message)
-        #
-        #This allows the client to rapidly detect when the session has been
-        #altered; at which point it can close the connection and retry.  If a
-        #client TSIG verification fails, the client MUST close the connection.
-        #If the client does not receive TSIG records frequently enough (as
-        #specified above) it SHOULD assume the connection has been hijacked
-        #and it SHOULD close the connection.  The client SHOULD treat this the
-        #same way as they would any other interrupted transfer (although the
-        #exact behavior is not specified).
-        #-----
-        #
-        # Each time a new envelope comes in, this method is called on the QUERY TSIG RR.
-        # It will set the response tsigstate to :Verified :Intermediate or :Failed
-        # as appropriate.
-        
-        # Keep digest going of messages as they come in (and mark them intermediate)
-        # When TSIG comes in, work out what key should be and check. If OK, mark 
-        # verified. Can reset digest then.
-        if (!@buf)
-          @num_envelopes = 0
-          @last_signed = 0
-        end
-        @num_envelopes += 1
-        if (!response.tsig)
-          if ((@num_envelopes > 1) && (@num_envelopes - @last_signed < 100))
-            Dnsruby.log.debug("Receiving intermediate envelope in TSIG TCP session")
-            response.tsigstate = :Intermediate
-            response.tsigerror = RCode.NOERROR
-            @buf = @buf + response_bytes
-            return
-          else
-            response.tsigstate = :Failed
-            Dnsruby.log.error("Expecting signed packet")
-            return false
-          end
-        end
-        @last_signed = @num_envelopes
-        
-        # We have a TSIG - process it!
-        tsig = response.tsig
-        if (@num_envelopes == 1)
-          Dnsruby.log.debug("First response in TSIG TCP session - verifying normally")
-          # Process it as a standard answer
-          ok = verify(@query, response, response_bytes)
-          if (ok)
-            mac_bytes = MessageEncoder.new {|m|
-              m.put_pack('n', tsig.mac_size)
-              m.put_bytes(tsig.mac)
-            }.to_s
-            @buf = mac_bytes
-          end
-          return ok
-        end
-        Dnsruby.log.debug("Processing TSIG on TSIG TCP session")
-
-        if (!verify_common(response))
-          return false
-        end
-        
-        # Now add the current message data - remember to frig the arcount
-        response_bytes = Header.decrement_arcount_encoded(response_bytes)
-        @buf += response_bytes[0, response.tsigstart]
-        
-        # Let's add the timers
-        timers_data = MessageEncoder.new { |msg|
-          time_high = (tsig.time_signed >> 32)
-          time_low = (tsig.time_signed & 0xFFFFFFFF)
-          msg.put_pack('nN', time_high, time_low)
-          msg.put_pack('n', tsig.fudge)
-        }.to_s
-        @buf += timers_data
-        
-        mac = calculate_mac(tsig.algorithm, @buf)
-
-        if (mac != tsig.mac)
-          Dnsruby.log.error("TSIG Verify error on TSIG TCP session")
-          response.tsigstate = :Failed
-          return false
-        end
-        mac_bytes = MessageEncoder.new {|m|
-          m.put_pack('n', mac.length)
-          m.put_bytes(mac)
-        }.to_s
-        @buf=mac_bytes
-
-        response.tsigstate = :Verified
-        response.tsigerror = RCode.NOERROR
-        return true
-      end
-
-            
-      TypeValue = Types::TSIG #:nodoc: all
-      ClassValue = nil #:nodoc: all
-      ClassHash[[TypeValue, Classes::ANY]] = self #:nodoc: all
-      
-      #Gets or sets the domain name that specifies the name of the algorithm.
-      #The only algorithms currently supported are hmac-md5 and hmac-sha1.
-      #
-      #    rr.algorithm=(algorithm_name)
-      #    print "algorithm = ", rr.algorithm, "\n"
-      #
-      attr_reader :algorithm
-      
-      #Gets or sets the signing time as the number of seconds since 1 Jan 1970
-      #00:00:00 UTC.
-      #
-      #The default signing time is the current time.
-      #
-      #    rr.time_signed=(time)
-      #    print "time signed = ", rr.time_signed, "\n"
-      #
-      attr_accessor :time_signed
-      
-      #Gets or sets the "fudge", i.e., the seconds of error permitted in the
-      #signing time.
-      #
-      #The default fudge is 300 seconds.
-      #
-      #    rr.fudge=(60)
-      #    print "fudge = ", rr.fudge, "\n"
-      #
-      attr_reader :fudge
-      
-      #Returns the number of octets in the message authentication code (MAC).
-      #The programmer must call a Net::DNS::Packet object's data method
-      #before this will return anything meaningful.
-      #
-      #    print "MAC size = ", rr.mac_size, "\n"
-      #
-      attr_accessor :mac_size
-      
-      #Returns the message authentication code (MAC) as a string of hex
-      #characters.  The programmer must call a Net::DNS::Packet object's
-      #data method before this will return anything meaningful.
-      #
-      #    print "MAC = ", rr.mac, "\n"
-      #
-      attr_accessor :mac
-      
-      #Gets or sets the original message ID.
-      #
-      #    rr.original_id(12345)
-      #    print "original ID = ", rr.original_id, "\n"
-      #
-      attr_accessor :original_id
-      
-      #Returns the RCODE covering TSIG processing.  Common values are
-      #NOERROR, BADSIG, BADKEY, and BADTIME.  See RFC 2845 for details.
-      #
-      #    print "error = ", rr.error, "\n"
-      #
-      attr_accessor :error
-      
-      #Returns the length of the Other Data.  Should be zero unless the
-      #error is BADTIME.
-      #
-      #    print "other len = ", rr.other_size, "\n"
-      #
-      attr_accessor :other_size
-      
-      #Returns the Other Data.  This field should be empty unless the
-      #error is BADTIME, in which case it will contain the server's
-      #time as the number of seconds since 1 Jan 1970 00:00:00 UTC.
-      #
-      #    print "other data = ", rr.other_data, "\n"
-      #
-      attr_accessor :other_data
-      
-      #Stores the secret key used for signing/verifying messages.
-      attr_accessor :key
-      
-      def init_defaults
-        # @TODO@ Have new() method which takes key_name and key?
-        @algorithm   = DEFAULT_ALGORITHM
-        @fudge       = DEFAULT_FUDGE
-        @mac_size    = 0
-        @mac         = ""
-        @original_id = rand(65536)
-        @error       = 0
-        @other_size   = 0
-        @other_data  = ""
-        @time_signed = nil
-        @buf = nil
-        
-        # RFC 2845 Section 2.3
-        @klass = Classes.ANY
-        
-        @ttl = 0 # RFC 2845 Section 2.3
-      end
-      
-      def from_data(data) #:nodoc: all
-        @algorithm, @time_signed, @fudge, @mac_size, @mac, @original_id, @error, @other_size, @other_data = data
-      end
-      
-      def name=(n)
-        if (n.instance_of?String)
-          n = Name.create(n)
-        end
-        if (!n.absolute?)
-          @name = Name.create(n.to_s + ".")
-        else 
-          @name = n
-        end
-      end
-      
-      # Create the RR from a standard string
-      def from_string(str) #:nodoc: all
-        parts = str.split("[:/]")
-        if (parts.length < 2 || parts.length > 3)
-          raise ArgumentException.new("Invalid TSIG key specification")
-        end
-        if (parts.length == 3)
-          return TSIG.new(parts[0], parts[1], parts[2]);
-        else
-          return TSIG.new(HMAC_MD5, parts[0], parts[1]);
-        end
-      end
-      
-      #Set the algorithm to use to generate the HMAC
-      #Supported values are :
-      #* hmac-md5
-      #* hmac-sha1
-      #* hmac-sha256
-      def algorithm=(alg)
-        if (alg.class == String)
-          if (alg.downcase=="hmac-md5")
-            @algorithm = HMAC_MD5;
-          elsif (alg.downcase=="hmac-sha1")
-            @algorithm = HMAC_SHA1;
-          elsif (alg.downcase=="hmac-sha256")
-            @algorithm = HMAC_SHA256;
-          else
-            raise ArgumentError.new("Invalid TSIG algorithm")
-          end
-        elsif (alg.class == Name)
-          if (alg!=HMAC_MD5 && alg!=HMAC_SHA1 && alg!=HMAC_SHA256)
-            raise ArgumentException.new("Invalid TSIG algorithm")
-          end
-          @algorithm=alg
-        else
-          raise ArgumentError.new("#{alg.class} not valid type for Dnsruby::RR::TSIG#algorithm=  - use String or Name")
-        end
-        Dnsruby.log.debug{"Using #{@algorithm.to_s} algorithm"}
-      end
-      
-      def fudge=(f)
-        if (f < 0 || f > 0x7FFF)
-          @fudge = DEFAULT_FUDGE
-        else
-          @fudge = f
-        end
-      end
-      
-      def rdata_to_string        
-        rdatastr=""
-        if (@algorithm!=nil)
-          error = @error
-          error = "UNDEFINED" unless error!=nil
-          rdatastr = "#{@original_id} #{@time_signed} #{@algorithm.to_s(true)} #{error}";
-          if (@other_size > 0 && @other_data!=nil)
-            rdatastr += " #{@other_data}"
-          end
-          rdatastr += " " + mac.unpack("H*").to_s
-        end
-        
-        return rdatastr
-      end
-      
-      def encode_rdata(msg, canonical=false) #:nodoc: all
-        # Name needs to be added with no compression - done in Dnsruby::Message#encode
-        msg.put_name(@algorithm.downcase, true)
-        time_high = (@time_signed >> 32)
-        time_low = (@time_signed & 0xFFFFFFFF)
-        msg.put_pack('nN', time_high, time_low)
-        msg.put_pack('n', @fudge)
-        msg.put_pack('n', @mac_size)
-        msg.put_bytes(@mac)
-        msg.put_pack('n', @original_id)
-        msg.put_pack('n', @error)
-        msg.put_pack('n', @other_size)
-        msg.put_bytes(@other_data)
-      end
-      
-      def self.decode_rdata(msg) #:nodoc: all
-        alg=msg.get_name
-        time_high, time_low = msg.get_unpack("nN")
-        time_signed = (time_high << 32) + time_low
-        fudge, = msg.get_unpack("n")
-        mac_size, = msg.get_unpack("n")
-        mac = msg.get_bytes(mac_size)
-        original_id, = msg.get_unpack("n")
-        error, = msg.get_unpack("n")
-        other_size, = msg.get_unpack("n")
-        other_data = msg.get_bytes(other_size)
-        return self.new([alg, time_signed, fudge, mac_size, mac, original_id, error, other_size, other_data])
-      end
-    end
-  end   
-end