Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
My earlier post described altering the format and included the file that anchors2keys would work with.

Kal Feher

On 17/07/2010, at 23:46, "Stephane Bortzmeyer" wrote:

> On Fri, Jul 16, 2010 at 01:57:05PM +, ALAIN AINA wrote a message of 20 lines which said:
>
>> https://itar.iana.org/instructions/
>
> It does not work, it was only for ITAR and the published Trust Anchor uses a different format:
>
> % ./anchors2keys -v root-anchors.xml
> No DNSKEYs found, quitting
>
> That's because the XML elements in the file have different names.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
On Fri, Jul 16, 2010 at 01:57:05PM +, ALAIN AINA wrote a message of 20 lines which said:

> https://itar.iana.org/instructions/

It does not work, it was only for ITAR and the published Trust Anchor uses a different format:

% ./anchors2keys -v root-anchors.xml
No DNSKEYs found, quitting

That's because the XML elements in the file have different names.
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
On Jul 16, 2010, at 1:43 PM, Stephane Bortzmeyer wrote:

> On Fri, Jul 16, 2010 at 03:00:11PM +0200, Kalman Feher wrote a message of 85 lines which said:
>
>> anchors2keys worked fine so long as the format was correct so...
>
> I didn't know this tool. Where can we find it? Google does not know.

https://itar.iana.org/instructions/

--alain
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
On Fri, Jul 16, 2010 at 03:00:11PM +0200, Kalman Feher wrote a message of 85 lines which said:

> anchors2keys worked fine so long as the format was correct so...

I didn't know this tool. Where can we find it? Google does not know.
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
As a once-off I did the following last night. (Yes, I know the DNSKEY would have been fine too.)

anchors2keys worked fine so long as the format was correct so... I just cut and pasted the content of:

https://data.iana.org/root-anchors/root-anchors.xml

Zone to delegation, algorithm, digest type and keytag to their corresponding fields. And digest between the tags. The serial was last night's root serial, but it has no effect on the conversion.

Here were my file contents:

cat root-anchor.xml
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

anchors2keys < root-anchor.xml > root-anchor

Which became:

cat root-anchor
trusted-keys {
    ".." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

Yes the script appends the to the . I was too lazy to fix it in the script. I just changed the resulting trust anchor entry to this:

managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

include it in named.conf. Done.

I'll now check Stephane's tool. Which might be more sensible.

On 16/07/10 10:56 AM, "Hauke Lampe" wrote:

> Greetings, everyone.
>
> Now that the signed root is finally in production, how do I initialize BIND's
> RFC5011 key management from the XML file published by IANA?
>
> I downloaded the files and checked the PGP signature:
>
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
>
> The XML file contains a DS hash of the root KSK, but BIND needs a public key
> in the managed-keys clause.
>
> Are there any tools to retrieve the DNSKEY and validate it with the hash? Or
> even process the XML directly?
>
> So far I used unbound to bootstrap the key but I am looking for a simpler way.
>
> Hauke.

--
Kal Feher
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
On Fri, Jul 16, 2010 at 06:16:13PM +0900, Kazunori Fujiwara wrote a message of 25 lines which said:

> You can check root DNSKEY RR and root-anchors.xml
> using dig and dnssec-dsfromkey.

Good idea and here is a Makefile and an XSLT script which automates the whole thing. Bug reports welcome.

KEYFLAGS=257
HASHALG=2 # For dnssec-dsfromkey

all: root-anchors.txt root-anchors.dnskey

root-anchors.txt: root-anchors.xml
	xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml

root-anchors.xml:
	wget -nc https://data.iana.org/root-anchors/root-anchors.xml
	wget -nc https://data.iana.org/root-anchors/root-anchors.asc
	gpg --verify root-anchors.asc root-anchors.xml || \
	    rm -f root-anchors.asc root-anchors.xml

root-anchors.dnskey: root-anchors.txt
	dig DNSKEY . | grep -w ${KEYFLAGS} > untrusted.key
	# Verify the key
	# Thanks to Kazunori Fujiwara for the idea
	dnssec-dsfromkey -${HASHALG} untrusted.key > untrusted.ds
	cut -d' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
	cut -d' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp
	echo >> root-anchors.tmp
	@diff root-anchors.txt root-anchors.tmp || \
	    sh -c 'echo "Invalid DNSKEY, deleting temporary files"; rm -f root-anchors.tmp untrusted.key untrusted.ds'
	awk '{print $$1 " " $$5 " " $$6 " " $$7 " " "\""; for (i = 8; i <= NF; i++) printf $$i " "; print "\";" }' untrusted.key > root-anchors.dnskey
	@echo "OK, root-anchors.dnskey is correct"

clean:
	rm -f root-anchors.txt untrusted.key untrusted.ds root-anchors.tmp

realclean: clean
	rm -f root-anchors.xml root-anchors.asc

Attachment: anchors2ds.xsl (XML document)
Re: How do I get from IANA's root-anchors.xml to managed-keys{}?
> From: Hauke Lampe
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
>
> The XML file contains a DS hash of the root KSK, but BIND needs a public key
> in the managed-keys clause.
>
> Are there any tools to retrieve the DNSKEY and validate it with the hash? Or
> even process the XML directly?

You can check the root DNSKEY RR and root-anchors.xml using dig and dnssec-dsfromkey.

% dig . dnskey | grep -w 257 > root.key; dnssec-dsfromkey -2 root.key

If you checked that the DS data written in root-anchors.xml and root.key are equivalent, you can generate a trusted-keys entry from the root.key file.

But I want a new BIND 9 function "DS style trust anchor configuration".

--
Kazunori Fujiwara, JPRS
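The check that Kazunori Fujiwara, Stephane Bortzmeyer and Kal Feher describe above (fetch the root DNSKEY with dig, recompute its DS digest, compare it with the Digest in root-anchors.xml, and only then turn the key into a managed-keys clause), as an added Python example that is not from this thread, from anchors2keys or from the Makefile. It computes the RFC 4034 DS digest and key tag itself instead of calling dnssec-dsfromkey, so it runs offline. The XML sample is constructed with the element names the thread mentions (Zone, KeyTag, Algorithm, DigestType, Digest) and without IANA's attributes; the DNSKEY line is the root KSK pasted in Kal's post with a constructed TTL; the digest is the one in his root-anchor.xml; and 19036 is that key's tag, which the script recomputes. The DS comparison is what lends trust to the unauthenticated dig answer, because the digest in root-anchors.xml is the value the PGP signature covers.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# Constructed sample in the shape of IANA's root-anchors.xml, using the element
# names discussed in the thread (no id/validFrom attributes). The digest is the
# one quoted in the thread; 19036 is the key tag of the KSK whose DNSKEY is below.
ROOT_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor>
  <Zone>.</Zone>
  <KeyDigest>
    <KeyTag>19036</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
</TrustAnchor>
"""

# The root KSK as "dig DNSKEY . | grep -w 257" prints it. Key material is the
# one quoted in the thread; the TTL is a constructed value.
ROOT_DNSKEY_LINE = (
    ".\t172800\tIN\tDNSKEY\t257 3 8 "
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0"
    "EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q"
    "Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO"
    "A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8"
    "ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)


def parse_root_anchors(xml_text):
    """Return one dict per <KeyDigest> element of a root-anchors.xml document."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip()
    anchors = []
    for kd in root.findall("KeyDigest"):
        anchors.append({
            "zone": zone,
            "keytag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
        })
    return anchors


def name_to_wire(name):
    """RFC 1035 wire form of a domain name; the root '.' is a single zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey_line(line):
    """Split a presentation-format DNSKEY RR into (owner, flags, proto, alg, key bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    return f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), base64.b64decode("".join(f[i + 4:]))


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner, rdata, digest_type):
    """RFC 4034 section 5.1.4: hash of owner name (wire form) followed by the RDATA."""
    return DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def verify_dnskey(owner, flags, proto, alg, key, anchor):
    """True only if the untrusted DNSKEY matches the signed DS data from root-anchors.xml."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    return (name_to_wire(owner) == name_to_wire(anchor["zone"])
            and alg == anchor["algorithm"]
            and key_tag(rdata) == anchor["keytag"]
            and ds_digest(owner, rdata, anchor["digest_type"]) == anchor["digest"])


def managed_keys_clause(dnskey_line, anchors):
    """Emit a BIND managed-keys {} clause, but only for a key that an anchor vouches for."""
    owner, flags, proto, alg, key = parse_dnskey_line(dnskey_line)
    if not any(verify_dnskey(owner, flags, proto, alg, key, a) for a in anchors):
        raise ValueError("DNSKEY does not match any digest in root-anchors.xml")
    return 'managed-keys {\n    %s initial-key %d %d %d "%s";\n};\n' % (
        owner, flags, proto, alg, base64.b64encode(key).decode("ascii"))


if __name__ == "__main__":
    print(managed_keys_clause(ROOT_DNSKEY_LINE, parse_root_anchors(ROOT_ANCHORS_XML)), end="")
```

Run as-is it prints the clause for the embedded key. For a live check, replace ROOT_DNSKEY_LINE with the line that `dig DNSKEY . | grep -w 257` returns and ROOT_ANCHORS_XML with the downloaded file after `gpg --verify` has passed; a key whose digest, algorithm or tag does not match raises instead of producing configuration, which is the failure mode the Makefile's `diff` step guards against.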
How do I get from IANA's root-anchors.xml to managed-keys{}?
Greetings, everyone.

Now that the signed root is finally in production, how do I initialize BIND's RFC5011 key management from the XML file published by IANA?

I downloaded the files and checked the PGP signature:

http://data.iana.org/root-anchors/root-anchors.xml
http://data.iana.org/root-anchors/root-anchors.asc

The XML file contains a DS hash of the root KSK, but BIND needs a public key in the managed-keys clause.

Are there any tools to retrieve the DNSKEY and validate it with the hash? Or even process the XML directly?

So far I used unbound to bootstrap the key but I am looking for a simpler way.

Hauke.