Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-17 Thread Kalman Feher
My earlier post described altering the format and included the file that
anchors2keys would work with.

Kal Feher

On 17/07/2010, at 23:46, "Stephane Bortzmeyer" wrote:

> On Fri, Jul 16, 2010 at 01:57:05PM +,
> ALAIN AINA wrote
> a message of 20 lines which said:
>
>> https://itar.iana.org/instructions/
>
> It does not work, it was only for ITAR and the published Trust Anchor
> uses a different format:
>
> % ./anchors2keys -v root-anchors.xml
> No DNSKEYs found, quitting
>
> That's because the XML elements in the file have different names.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-17 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 01:57:05PM +,
 ALAIN AINA  wrote 
 a message of 20 lines which said:

> https://itar.iana.org/instructions/

It does not work, it was only for ITAR and the published Trust Anchor
uses a different format:

% ./anchors2keys -v root-anchors.xml
No DNSKEYs found, quitting

That's because the XML elements in the file have different names.


Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread ALAIN AINA

On Jul 16, 2010, at 1:43 PM, Stephane Bortzmeyer wrote:

> On Fri, Jul 16, 2010 at 03:00:11PM +0200,
> Kalman Feher  wrote 
> a message of 85 lines which said:
> 
>> anchors2keys worked fine so long as the format was correct so...
> 
> I didn't know this tool. Where can we find it? Google does not know.


https://itar.iana.org/instructions/

--alain



Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 03:00:11PM +0200,
 Kalman Feher  wrote 
 a message of 85 lines which said:

> anchors2keys worked fine so long as the format was correct so...

I didn't know this tool. Where can we find it? Google does not know.



Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Kalman Feher
As a one-off I did the following last night. (Yes, I know the DNSKEY would
have been fine too.) anchors2keys worked fine so long as the format was
correct so...
I just cut and pasted the content of:
https://data.iana.org/root-anchors/root-anchors.xml

Zone to delegation, algorithm, digest type and keytag to their corresponding
fields. And digest between the  tags. The serial
was last night's root serial, but it has no effect on the conversion.

Here was my file contents:
 cat root-anchor.xml
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

anchors2keys < root-anchor.xml > root-anchor
 
Which became:
cat root-anchor

trusted-keys {
".." 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

Yes the script appends the  to the . I was too lazy to fix
it in the script. I just changed the resulting trust anchor entry to this:

managed-keys {
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
include it in named.conf.
Done. 

I'll now check Stephane's tool. Which might be more sensible.

On 16/07/10 10:56 AM, "Hauke Lampe"  wrote:

> 
> Greetings, everyone.
> 
> Now that the signed root is finally in production, how do I initialize BIND's
> RFC5011 key management from the XML file published by IANA?
> 
> I downloaded the files and checked the PGP signature:
> 
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
> 
> The XML file contains a DS hash of the root KSK, but BIND needs a public key
> in the managed-keys clause.
> 
> Are there any tools to retrieve the DNSKEY and validate it with the hash? Or
> even process the XML directly?
> 
> So far I used unbound to bootstrap the key but I am looking for a simpler way.
> 
> 
> 
> Hauke.

-- 
Kal Feher 



Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Stephane Bortzmeyer
On Fri, Jul 16, 2010 at 06:16:13PM +0900,
 Kazunori Fujiwara  wrote 
 a message of 25 lines which said:

> You can check root DNSKEY RR and root-anchors.xml
> using dig and dnssec-dsfromkey.

Good idea, and here is a Makefile and an XSLT script which automate the
whole thing. Bug reports welcome.

KEYFLAGS=257
# Digest type passed to dnssec-dsfromkey (2 = SHA-256)
HASHALG=2

all: root-anchors.txt root-anchors.dnskey

root-anchors.txt: root-anchors.xml
	xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml

root-anchors.xml:
	wget -nc https://data.iana.org/root-anchors/root-anchors.xml
	wget -nc https://data.iana.org/root-anchors/root-anchors.asc
	# A bad PGP signature must fail the build, not just delete the files
	gpg --verify root-anchors.asc root-anchors.xml || \
		{ rm -f root-anchors.asc root-anchors.xml; exit 1; }

root-anchors.dnskey: root-anchors.txt
	dig DNSKEY . | grep -w ${KEYFLAGS} > untrusted.key
	# Verify the key
	# Thanks to Kazunori Fujiwara for the idea
	dnssec-dsfromkey -${HASHALG} untrusted.key > untrusted.ds
	cut -d' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
	cut -d' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp
	echo >> root-anchors.tmp
	# The exit 1 stops make here; otherwise an unverified key would still be written below
	@diff root-anchors.txt root-anchors.tmp || \
		sh -c 'echo "Invalid DNSKEY, deleting temporary files"; rm -f root-anchors.tmp untrusted.key untrusted.ds; exit 1'
	awk '{print $$1 " " $$5 " " $$6 " " $$7 " " "\""; for (i = 8; i <= NF; i++) printf $$i " "; print "\";" }' untrusted.key > root-anchors.dnskey
	@echo "OK, root-anchors.dnskey is correct"

clean:
	rm -f root-anchors.txt untrusted.key untrusted.ds root-anchors.tmp

realclean: clean
	rm -f root-anchors.xml root-anchors.asc


[Attachment: anchors2ds.xsl (XML document)]

Re: How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Kazunori Fujiwara
> From: Hauke Lampe 
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
> 
> The XML file contains a DS hash of the root KSK, but BIND needs a public key 
> in the managed-keys clause.
> 
> Are there any tools to retrieve the DNSKEY and validate it with the hash? Or 
> even process the XML directly?

You can check root DNSKEY RR and root-anchors.xml
using dig and dnssec-dsfromkey.

% dig . dnskey | grep -w 257 > root.key; dnssec-dsfromkey -2 root.key

If you have checked that the DS data written in root-anchors.xml and
root.key are equivalent, you can generate a trusted-keys entry from the
root.key file.

But I want a new BIND 9 function, "DS style trust anchor configuration".

--
Kazunori Fujiwara, JPRS
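The check that Kazunori Fujiwara describes (compute the DS of the DNSKEY fetched with dig and compare it to root-anchors.xml) and that Stephane Bortzmeyer's Makefile automates with xsltproc, dnssec-dsfromkey and awk, and then the managed-keys rewrite Kal Feher did by hand, can be done in one standard-library Python script. This is an added example, not code posted in the thread or shipped with BIND. It assumes: the XML sample is constructed in the layout of IANA's root-anchors.xml with the digest quoted in the thread, placeholder id attributes and 19036 as that key's tag (the KSK-2010 tag, not a value from the thread); the dig line is constructed around the public key quoted in the thread with an assumed TTL; and the PGP signature on the real root-anchors.xml has already been verified with gpg as the thread does, since this script only checks key against digest.

```python
"""Verify a root DNSKEY against IANA's root-anchors.xml and emit managed-keys {}."""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# Constructed sample in the layout of IANA's root-anchors.xml. The <Digest> is
# the value quoted in the thread; 19036 is that key's tag (KSK-2010); the id
# attributes are placeholders, not IANA's values.
ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="PLACEHOLDER-ID" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="PLACEHOLDER-KEYDIGEST-ID" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
</TrustAnchor>
"""

# Constructed `dig . DNSKEY` line (the TTL is an assumption); the public key is
# the one quoted in the thread.
DIG_DNSKEY_LINE = (
    ".\t172800\tIN\tDNSKEY\t257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0"
    "EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q"
    "Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO"
    "A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8"
    "ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name):
    """Owner name in DNS wire format, lower-cased (the DS digest input)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_anchors(xml_text):
    """Return (zone, list of KeyDigest dicts) from root-anchors.xml."""
    root = ET.fromstring(xml_text)
    anchors = [{
        "keytag": int(kd.findtext("KeyTag")),
        "algorithm": int(kd.findtext("Algorithm")),
        "digest_type": int(kd.findtext("DigestType")),
        "digest": kd.findtext("Digest").strip().upper(),
    } for kd in root.findall("KeyDigest")]
    return root.findtext("Zone"), anchors


def parse_dnskey(line):
    """Split a presentation-format DNSKEY RR into (owner, flags, proto, alg, key_b64)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, "".join(f[i + 4:])


def dnskey_rdata(flags, proto, alg, key_b64):
    """DNSKEY RDATA in wire format: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Upper-case hex DS digest = H(owner wire name | RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()


def match_anchor(xml_text, dnskey_line):
    """Return the verified key's fields, or None if no KeyDigest entry matches it."""
    zone, anchors = parse_anchors(xml_text)
    owner, flags, proto, alg, key_b64 = parse_dnskey(dnskey_line)
    if wire_name(owner) != wire_name(zone):
        return None
    rdata = dnskey_rdata(flags, proto, alg, key_b64)
    tag = key_tag(rdata)
    for a in anchors:
        if a["keytag"] != tag or a["algorithm"] != alg or a["digest_type"] not in DIGEST_ALGS:
            continue
        if ds_digest(owner, rdata, a["digest_type"]) == a["digest"]:
            return {"zone": zone, "keytag": tag, "flags": flags,
                    "proto": proto, "alg": alg, "key_b64": key_b64}
    return None


def managed_keys_stanza(xml_text, dnskey_line):
    """Emit the named.conf managed-keys clause, or raise if the key fails the DS check."""
    m = match_anchor(xml_text, dnskey_line)
    if m is None:
        raise ValueError("no KeyDigest in root-anchors.xml matches this DNSKEY; not trusting it")
    return ('managed-keys {\n'
            '    %s initial-key %d %d %d "%s";\n'
            '};\n' % (m["zone"], m["flags"], m["proto"], m["alg"], m["key_b64"]))


if __name__ == "__main__":
    print(managed_keys_stanza(ROOT_ANCHORS_XML, DIG_DNSKEY_LINE), end="")
```

With the real files, feed it the contents of root-anchors.xml (after `gpg --verify`) and the `257` line of `dig . DNSKEY` output; an untrusted DNSKEY (wrong key bytes, wrong flags, or a zone that does not match `<Zone>`) yields no stanza at all rather than a silently unverified one, which is the failure mode the Makefile's diff step guards against.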


How do I get from IANA's root-anchors.xml to managed-keys{}?

2010-07-16 Thread Hauke Lampe

Greetings, everyone.

Now that the signed root is finally in production, how do I initialize BIND's 
RFC5011 key management from the XML file published by IANA?

I downloaded the files and checked the PGP signature:

http://data.iana.org/root-anchors/root-anchors.xml
http://data.iana.org/root-anchors/root-anchors.asc

The XML file contains a DS hash of the root KSK, but BIND needs a public key in 
the managed-keys clause.

Are there any tools to retrieve the DNSKEY and validate it with the hash? Or 
even process the XML directly?

So far I used unbound to bootstrap the key but I am looking for a simpler way.



Hauke.
