Re: Validating the root: translation of ICANN XML file

[Hauke Lampe]

On 07/18/2010 12:01 AM, Stephane Bortzmeyer wrote:

>> you should add the -o option to wget, otherwise you may have  asecurity risk 

That should be "-O". In older versions of wget (1.10.2/Debian Etch),
this option does not works together with "-nc". The empty output file is
created first, therefore "-nc" never downloads anything.

Another thing I noticed is that newer wget always sets a downloaded
file's mtime to the timestamp received in the headers, with no apparent
way to disable it.

> Fixed on my local copy as well. Apart from that, does it work for you?

It does work for me. I attached a modified version that also outputs
"root-anchors.mkey" with the key wrapped in BIND's "managed-keys" clause.

Thanks Stéphane. With your Makefile and XSLT, it's very easy to verify
and convert the root anchors from IANA for use with Unbound an BIND.

root-anchors.txt for unbound and "(auto-)trust-anchor-file".
root-anchors.mkey for RFC5011 mangement with BIND.
root-anchors.dnskey for static "trusted-keys" configuration.


Hauke

KEYFLAGS=257
HASHALG=2 # For dnssec-dsfromkey

all: root-anchors.txt root-anchors.dnskey root-anchors.mkey

root-anchors.xml:
        -wget -nc -O root-anchors.xml 
https://data.iana.org/root-anchors/root-anchors.xml && touch root-anchors.xml
        -wget -nc -O root-anchors.asc 
https://data.iana.org/root-anchors/root-anchors.asc && touch root-anchors.asc
        gpg --verify root-anchors.asc root-anchors.xml || \
                sh -c 'echo "Invalid root-anchors.xml"; rm -f root-anchors.xml 
root-anchors.asc; exit 1;'
        @echo "OK, root-anchors.xml is correct"

root-anchors.txt: root-anchors.xml
        xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml
        dig DNSKEY . | grep -w ${KEYFLAGS} > untrusted.key
        # Verify the key
        # Thanks to Kazunori Fujiwara for the idea
        dnssec-dsfromkey -${HASHALG} untrusted.key > untrusted.ds
        cut -d' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
        cut -d' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> 
root-anchors.tmp
        echo >> root-anchors.tmp
        @diff root-anchors.txt root-anchors.tmp || \
                sh -c 'echo "Invalid DNSKEY, deleting temporary files"; rm -f 
root-anchors.txt root-anchors.tmp untrusted.key untrusted.ds; exit 1;'
        @echo "OK, root-anchors.txt is correct"

root-anchors.dnskey: root-anchors.txt
        awk  '{ORS=""; print  $$1 " " $$5 " " $$6 " " $$7 " " "\""; for (i = 8; 
i <= NF-1; i++) printf $$i " \n\t\t"; print $$NF "\";\n"  }' untrusted.key 
>root-anchors.dnskey;

root-anchors.mkey: root-anchors.txt
        awk  '{ORS=""; print "managed-keys {\n\t" $$1 " initial-key " $$5 " " 
$$6 " " $$7 " " "\""; for (i = 8; i <= NF-1; i++) printf $$i " \n\t\t"; print 
$$NF "\";\n};\n"  }' untrusted.key >root-anchors.mkey

clean:
        rm -f root-anchors.txt untrusted.key untrusted.ds root-anchors.tmp

realclean: clean
        rm -f root-anchors.xml root-anchors.asc root-anchors.dnskey 
root-anchors.mkey

signature.asc
Description: OpenPGP digital signature

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users