Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-17 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 01:57:05PM +,
 ALAIN AINA aal...@trstech.net wrote 
 a message of 20 lines which said:

 https://itar.iana.org/instructions/

It does not work, it was only for ITAR and the published Trust Anchor
uses a different format:

% ./anchors2keys -v root-anchors.xml
No DNSKEYs found, quitting

That's because the XML elements in the file have different names.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-17 Thread Kalman Feher
My earlier post described altering the format and included the file
that anchors2keys would work with.

Kal Feher

On 17/07/2010, at 23:46, Stephane Bortzmeyer bortzme...@nic.fr wrote:

On Fri, Jul 16, 2010 at 01:57:05PM +,
ALAIN AINA aal...@trstech.net wrote
a message of 20 lines which said:

https://itar.iana.org/instructions/

It does not work, it was only for ITAR and the published Trust Anchor
uses a different format:

% ./anchors2keys -v root-anchors.xml
No DNSKEYs found, quitting

That's because the XML elements in the file have different names.



Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Kazunori Fujiwara
 From: Hauke Lampe la...@hauke-lampe.de
 http://data.iana.org/root-anchors/root-anchors.xml
 http://data.iana.org/root-anchors/root-anchors.asc
 
 The XML file contains a DS hash of the root KSK, but BIND needs a public key 
 in the managed-keys clause.
 
 Are there any tools to retrieve the DNSKEY and validate it with the hash? Or 
 even process the XML directly?

You can check the root DNSKEY RR and root-anchors.xml
using dig and dnssec-dsfromkey:

% dig . dnskey | grep -w 257 > root.key; dnssec-dsfromkey -2 root.key

If you have checked that the DS data written in root-anchors.xml and
in root.key are equivalent, you can generate a trusted-keys entry from
the root.key file.

But I want a new BIND 9 feature: DS-style trust anchor configuration.

--
Kazunori Fujiwara, JPRS


Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 06:16:13PM +0900,
 Kazunori Fujiwara fujiw...@wide.ad.jp wrote 
 a message of 25 lines which said:

 You can check root DNSKEY RR and root-anchors.xml
 using dig and dnssec-dsfromkey.

Good idea, and here is a Makefile and an XSLT script which automate the
whole thing. Bug reports welcome.

KEYFLAGS=257
# Digest type for dnssec-dsfromkey (2 = SHA-256)
HASHALG=2

all: root-anchors.txt root-anchors.dnskey

root-anchors.txt: root-anchors.xml
	xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml

root-anchors.xml:
	wget -nc https://data.iana.org/root-anchors/root-anchors.xml
	wget -nc https://data.iana.org/root-anchors/root-anchors.asc
	# Keep the file only if IANA's PGP signature verifies
	gpg --verify root-anchors.asc root-anchors.xml || \
		{ rm -f root-anchors.asc root-anchors.xml; exit 1; }

root-anchors.dnskey: root-anchors.txt
	dig DNSKEY . | grep -w ${KEYFLAGS} > untrusted.key
	# Verify the key
	# Thanks to Kazunori Fujiwara for the idea
	dnssec-dsfromkey -${HASHALG} untrusted.key > untrusted.ds
	# Put the DS on one line, "owner IN DS keytag alg digesttype digest", to diff against the XSLT output
	cut -d' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
	cut -d' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp
	echo >> root-anchors.tmp
	@diff root-anchors.txt root-anchors.tmp || \
		sh -c 'echo Invalid DNSKEY, deleting temporary files; rm -f root-anchors.tmp untrusted.key untrusted.ds; exit 1'
	awk '{print $$1 " " $$5 " " $$6 " " $$7 " \""; for (i = 8; i <= NF; i++) printf $$i " "; print "\";"}' untrusted.key > root-anchors.dnskey
	@echo OK, root-anchors.dnskey is correct

clean:
	rm -f root-anchors.txt untrusted.key untrusted.ds root-anchors.tmp

realclean: clean
	rm -f root-anchors.xml root-anchors.asc


anchors2ds.xsl
Description: XML document
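As an added example (not part of this thread, and neither Stephane's Makefile nor anchors2keys), here is the same check that Kazunori's dig/dnssec-dsfromkey one-liner and the Makefile perform, done in Python: read key tag, algorithm, digest type and digest out of root-anchors.xml, recompute them from the DNSKEY RR that dig returned, and emit a managed-keys clause only when they match. The element names TrustAnchor, Zone, KeyDigest, KeyTag, Algorithm, DigestType and Digest are assumed from the layout of IANA's file; the sample XML and the dig answer line are constructed here from the key tag, digest and public key posted in this thread, and the id attributes are placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IANA's root-anchors.xml (element names are an
# assumption; key tag, algorithm, digest type and digest are those posted in the thread).
ROOT_ANCHORS_XML = """<TrustAnchor id="PLACEHOLDER-ID"><Zone>.</Zone><KeyDigest id="PLACEHOLDER-KEY-ID">
<KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest></TrustAnchor>"""
# Constructed "dig DNSKEY ." answer line carrying the root KSK public key posted in the thread.
ROOT_KSK_RR = (". 172800 IN DNSKEY 257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0"
    "EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q"
    "Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO"
    "A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8"
    "ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=")
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def parse_anchors(xml_text):
    """Return (zone, keytag, algorithm, digesttype, digest) for each KeyDigest element."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone")
    return [(zone, int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
             int(kd.findtext("DigestType")), kd.findtext("Digest").upper())
            for kd in root.findall("KeyDigest")]
def parse_dnskey(rr_line):
    """Presentation-format DNSKEY RR -> (owner, flags, protocol, algorithm, wire RDATA)."""
    f = rr_line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode("".join(f[i + 4:]))
def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + (ac >> 16)) & 0xFFFF
def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire format || DNSKEY RDATA) (RFC 4034, 5.1.4)."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in owner.split(".") if l) + b"\x00"
    return DIGEST_ALGS[digest_type](wire + rdata).hexdigest().upper()
def managed_keys(xml_text, rr_line):
    """Emit a managed-keys clause only if the DNSKEY matches a DS listed in the XML."""
    owner, flags, proto, alg, rdata = parse_dnskey(rr_line)
    for zone, tag, xalg, dtype, digest in parse_anchors(xml_text):
        if (zone, tag, xalg) == (owner, key_tag(rdata), alg) and dtype in DIGEST_ALGS \
                and ds_digest(owner, rdata, dtype) == digest:
            return 'managed-keys {\n    %s initial-key %d %d %d "%s";\n};\n' % (
                zone, flags, proto, alg, base64.b64encode(rdata[4:]).decode())
    raise ValueError("DNSKEY matches no DS in root-anchors.xml; do not trust it")
```

Because the digest is recomputed from the wire-format RDATA rather than diffed as text, spacing differences in dnssec-dsfromkey's output cannot produce a false mismatch, and a DNSKEY that does not hash to the published DS is rejected outright.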

Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Kalman Feher
As a once off I did the following last night (yes, I know the DNSKEY would
have been fine too). anchors2keys worked fine so long as the format was
correct, so I just cut and pasted the content of:
https://data.iana.org/root-anchors/root-anchors.xml

Zone to delegation; algorithm, digest type and keytag to their corresponding
fields; and digest between the delegation/delegation tags. The serial
was last night's root serial, but it has no effect on the conversion.

Here were my file contents:
cat root-anchor.xml
<?xml version="1.0"?><zone name="." serial="2010071500"><delegation name="."><ds algorithm="8" digesttype="2" keytag="19036">49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</ds></delegation></zone>

anchors2keys < root-anchor.xml > root-anchor

Which became:
cat root-anchor

trusted-keys {
.. 257 3 8 "
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0
EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q
Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO
A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8
ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

Yes, the script appends the zone to the delegation. I was too lazy to fix
it in the script. I just changed the resulting trust anchor entry to this:

managed-keys {
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI
0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/
QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5h
OA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub
8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
Include it in named.conf.
Done.

I'll now check Stephane's tool, which might be more sensible.

On 16/07/10 10:56 AM, Hauke Lampe la...@hauke-lampe.de wrote:

 
 Greetings, everyone.
 
 Now that the signed root is finally in production, how do I initialize BIND's
 RFC5011 key management from the XML file published by IANA?
 
 I downloaded the files and checked the PGP signature:
 
 http://data.iana.org/root-anchors/root-anchors.xml
 http://data.iana.org/root-anchors/root-anchors.asc
 
 The XML file contains a DS hash of the root KSK, but BIND needs a public key
 in the managed-keys clause.
 
 Are there any tools to retrieve the DNSKEY and validate it with the hash? Or
 even process the XML directly?
 
 So far I used unbound to bootstrap the key but I am looking for a simpler way.
 
 
 
 Hauke.
 

-- 
Kal Feher 



Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread ALAIN AINA

On Jul 16, 2010, at 1:43 PM, Stephane Bortzmeyer wrote:

 On Fri, Jul 16, 2010 at 03:00:11PM +0200,
 Kalman Feher kalman.fe...@melbourneit.com.au wrote 
 a message of 85 lines which said:
 
 anchors2keys worked fine so long as the format was correct so...
 
 I didn't know this tool. Where can we find it? Google does not know.


https://itar.iana.org/instructions/

--alain
 
