Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
On Fri, Jul 16, 2010 at 01:57:05PM, ALAIN AINA aal...@trstech.net wrote a message of 20 lines which said:

> https://itar.iana.org/instructions/

It does not work, it was only for ITAR and the published Trust Anchor uses a different format:

% ./anchors2keys -v root-anchors.xml
No DNSKEYs found, quitting

That's because the XML elements in the file have different names.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
My earlier post described altering the format and included the file that anchors2keys would work with.

Kal Feher

On 17/07/2010, at 23:46, Stephane Bortzmeyer bortzme...@nic.fr wrote:

> On Fri, Jul 16, 2010 at 01:57:05PM, ALAIN AINA aal...@trstech.net wrote a message of 20 lines which said:
>
>> https://itar.iana.org/instructions/
>
> It does not work, it was only for ITAR and the published Trust Anchor uses a different format:
>
> % ./anchors2keys -v root-anchors.xml
> No DNSKEYs found, quitting
>
> That's because the XML elements in the file have different names.
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
> From: Hauke Lampe la...@hauke-lampe.de
>
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
>
> The XML file contains a DS hash of the root KSK, but BIND needs a public key in the managed-keys clause. Are there any tools to retrieve the DNSKEY and validate it with the hash? Or even process the XML directly?

You can check the root DNSKEY RR and root-anchors.xml using dig and dnssec-dsfromkey.

% dig . dnskey | grep -w 257 > root.key; dnssec-dsfromkey -2 root.key

If you checked that the DS data written in root-anchors.xml and root.key are equivalent, you can generate a trusted-keys entry from the root.key file.

But I want a new BIND 9 function: DS-style trust anchor configuration.

-- 
Kazunori Fujiwara, JPRS
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
On Fri, Jul 16, 2010 at 06:16:13PM +0900, Kazunori Fujiwara fujiw...@wide.ad.jp wrote a message of 25 lines which said:

> You can check the root DNSKEY RR and root-anchors.xml using dig and dnssec-dsfromkey.

Good idea and here is a Makefile and a XSLT script which automates the whole thing. Bug reports welcome.

KEYFLAGS=257
# For dnssec-dsfromkey
HASHALG=2

all: root-anchors.txt root-anchors.dnskey

root-anchors.txt: root-anchors.xml
	xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml

root-anchors.xml:
	wget -nc https://data.iana.org/root-anchors/root-anchors.xml
	wget -nc https://data.iana.org/root-anchors/root-anchors.asc
	gpg --verify root-anchors.asc root-anchors.xml || \
	   { rm -f root-anchors.asc root-anchors.xml; exit 1; }

root-anchors.dnskey: root-anchors.txt
	dig DNSKEY . | grep -w ${KEYFLAGS} > untrusted.key
	# Verify the key
	# Thanks to Kazunori Fujiwara for the idea
	dnssec-dsfromkey -${HASHALG} untrusted.key > untrusted.ds
	cut -d' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
	cut -d' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp
	echo >> root-anchors.tmp
	@diff root-anchors.txt root-anchors.tmp || \
	   sh -c 'echo Invalid DNSKEY, deleting temporary files; rm -f root-anchors.tmp untrusted.key untrusted.ds; exit 1'
	awk '{printf "%s %s %s %s \"", $$1, $$5, $$6, $$7; for (i = 8; i <= NF; i++) printf "%s", $$i; print "\";"}' untrusted.key > root-anchors.dnskey
	@echo OK, root-anchors.dnskey is correct

clean:
	rm -f root-anchors.txt untrusted.key untrusted.ds root-anchors.tmp

realclean: clean
	rm -f root-anchors.xml root-anchors.asc

anchors2ds.xsl: attached to the original message (XML document); the attachment is not reproduced in this archive.
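The check the Makefile above delegates to dnssec-dsfromkey (hash the DNSKEY, compare with the DS from root-anchors.xml, only then write the key into managed-keys) can be done without BIND's tools at all. The following is an added example, not code from this thread, from ISC or from IANA: it re-implements the DS computation of RFC 4034 in Python, takes the four DS fields (key tag, algorithm, digest type, digest) as parameters, since extracting them from the XML was the job of the attached XSLT, and only emits a managed-keys clause when a DNSKEY from dig's output actually matches. The sample DNSKEY line and its three-byte "key" are constructed for the demonstration and are not a real key; the script name and argument order in the usage comment are assumptions.

```python
"""Verify a root DNSKEY against a DS trust anchor and emit a BIND managed-keys clause.

Added example (not from this thread or from ISC). Re-implements in Python the
comparison the Makefile hands to dnssec-dsfromkey, so it runs without BIND tools.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 section 5.1.3, RFC 4509). Anything else is rejected.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed sample input, NOT a real key: a DNSKEY RR as dig prints it, with
# the base64 key split across whitespace-separated chunks ("AQ ID" -> 01 02 03).
SAMPLE_DNSKEY = ".\t172800\tIN\tDNSKEY\t257 3 8 AQ ID"


def name_to_wire(name):
    """Owner name in DNS wire format; the root '.' is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey_line(line):
    """Split one DNSKEY RR in dig's presentation format into its fields."""
    fields = line.split()
    i = fields.index("DNSKEY")          # skip owner/TTL/class however they are laid out
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key_b64 = "".join(fields[i + 4:])   # dig breaks the key into chunks; rejoin them
    return fields[0], flags, proto, alg, key_b64


def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def expected_ds_for(dnskey_line, digest_type=2):
    """What dnssec-dsfromkey would print for this key: (keytag, alg, digest type, digest)."""
    owner, flags, proto, alg, key_b64 = parse_dnskey_line(dnskey_line)
    rdata = dnskey_rdata(flags, proto, alg, key_b64)
    return key_tag(rdata), alg, digest_type, ds_digest(owner, rdata, digest_type)


def dnskey_matches_ds(dnskey_line, keytag, alg, digest_type, digest):
    """True only if the RR is a SEP zone key whose tag, algorithm and digest all match the DS."""
    owner, flags, proto, key_alg, key_b64 = parse_dnskey_line(dnskey_line)
    if proto != 3 or flags & 0x0101 != 0x0101:      # protocol must be 3; ZONE and SEP bits set
        return False
    if digest_type not in DIGEST_ALGS:
        return False
    rdata = dnskey_rdata(flags, proto, key_alg, key_b64)
    want = digest.replace(" ", "").upper()         # published digests are often line-wrapped
    return (key_alg == alg and key_tag(rdata) == keytag
            and ds_digest(owner, rdata, digest_type) == want)


def managed_keys_clause(dnskey_line):
    """Render the RR as the managed-keys entry BIND 9 wants (initial-key, RFC 5011)."""
    owner, flags, proto, alg, key_b64 = parse_dnskey_line(dnskey_line)
    return 'managed-keys {\n    %s initial-key %d %d %d "%s";\n};\n' % (
        owner, flags, proto, alg, key_b64)


if __name__ == "__main__":
    import sys
    # Assumed usage: dig DNSKEY . | grep -w 257 | python3 ds2managed.py KEYTAG ALG DTYPE DIGEST
    tag, alg, dtype, digest = int(sys.argv[1]), int(sys.argv[2]), int(sys.argv[3]), sys.argv[4]
    for line in sys.stdin:
        if "DNSKEY" in line and dnskey_matches_ds(line, tag, alg, dtype, digest):
            sys.stdout.write(managed_keys_clause(line))
            break
    else:
        sys.exit("no DNSKEY matched the DS trust anchor; refusing to emit managed-keys")
```

The DS fields are still only as trustworthy as the gpg verification of root-anchors.asc that the Makefile performs before anything else; this script deliberately fails closed and writes nothing when no key from dig matches, which is the case the Makefile covers by deleting its temporary files.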
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
As a once-off I did the following last night (yes, I know the DNSKEY would have been fine too).

anchors2keys worked fine so long as the format was correct, so I just cut and pasted the content of https://data.iana.org/root-anchors/root-anchors.xml: zone to delegation; algorithm, digest type and keytag to their corresponding fields; and digest between the delegation/delegation tags. The serial was last night's root serial, but it has no effect on the conversion.

Here was my file contents:

cat root-anchor.xml
<?xml version="1.0"?>
<zone name="." serial="2010071500">
<delegation name=".">
<ds algorithm="8" digesttype="2" keytag="19036">49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</ds>
</delegation>
</zone>

anchors2keys root-anchor.xml > root-anchor

Which became:

cat root-anchor
trusted-keys {
.. 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

Yes, the script appends the zone to the delegation. I was too lazy to fix it in the script. I just changed the resulting trust anchor entry to this:

managed-keys {
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

Include it in named.conf. Done.

I'll now check Stephane's tool, which might be more sensible.

On 16/07/10 10:56 AM, Hauke Lampe la...@hauke-lampe.de wrote:

> Greetings, everyone.
>
> Now that the signed root is finally in production, how do I initialize BIND's RFC5011 key management from the XML file published by IANA?
>
> I downloaded the files and checked the PGP signature:
>
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
>
> The XML file contains a DS hash of the root KSK, but BIND needs a public key in the managed-keys clause. Are there any tools to retrieve the DNSKEY and validate it with the hash? Or even process the XML directly?
>
> So far I used unbound to bootstrap the key but I am looking for a simpler way.
>
> Hauke.

-- 
Kal Feher
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
On Jul 16, 2010, at 1:43 PM, Stephane Bortzmeyer wrote:

> On Fri, Jul 16, 2010 at 03:00:11PM +0200, Kalman Feher kalman.fe...@melbourneit.com.au wrote a message of 85 lines which said:
>
>> anchors2keys worked fine so long as the format was correct so...
>
> I didn't know this tool. Where can we find it? Google does not know.

https://itar.iana.org/instructions/

--alain