-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The new IANA ITAR provides trust anchors for TLDs (se, br, cz and more), and with the IANA providing strong verification - using their existing contacts with the operators of those zones - I was thinking it would be nice to use it with the unbound validator. When the list of anchors grows, you need an automated way to pick up changes. I've made such a script, and set it up for us locally. I hope it can be useful for you too.

The script:
http://unbound.nlnetlabs.nl/svn/trunk/contrib/update-itar.sh
sha1   15da042c55b4cda77257126f5935426aa03e1d12
md5    95541bb6660364a425596b75d163feaa
sha256 25e90817c814f7cd61435e7d8d36d90feb41077d08a4a9be39ed8fc69bead138
(these hashes are here so that my PGP key signs the hashes, so you can trust the PGP public key for the ITAR inside the script)

How does it work:
Fetches the key file and verifies the contents with the IANA ITAR public PGP key.
Prints differences (so changes are visible in cron mail).
You can configure it to use other PGP keys or trust anchor repositories; simply edit the shell file variables at the top. The PGP key for IANA ITAR comes distributed with it and is used by default.
It picks up new keys, removed keys, and even, if all keys are removed, a zone going back to unsigned (if the zone decides to go back to unsigned).

How to install it:
Assuming your unbound works in /usr/local/etc/unbound.
Install the script: copy it to /usr/local/etc/unbound/update-itar.sh.
In your unbound.conf edit the following line:
    trust-anchor-file: "/usr/local/etc/unbound/anchors.mf"
You can keep your existing trust anchor definitions if you want; they only add new trust, and do not remove it.
Try the script manually, as root do:
    $ cd /usr/local/etc/unbound
    $ ./update-itar.sh
This should work and unbound-checkconf should have no errors. Then you can do unbound-control reload.
Now make a cron job that does:
    cd /usr/local/etc/unbound; ./update-itar.sh && unbound-control reload
Then you can dig cz SOA +dnssec, and see if the ad flag is there.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmda6QACgkQkDLqNwOhpPgRmgCZAXxElTCI1SKESodtSWHJxwpz
uLUAn0mcg1JxIWCq2KSsYXUM2ak6MUfc
=7xAp
-----END PGP SIGNATURE-----
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
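As an added example, not Wouter's update-itar.sh and not unbound project code, here is the core of the workflow the post describes written in Python: parsing a file of DS records of the kind unbound's trust-anchor-file reads, reporting the per-zone differences between an old and a new copy (new zone, key added, key removed, and the case where every anchor for a zone is withdrawn so the zone goes back to unsigned), and verifying a detached PGP signature with gpg against a dedicated keyring rather than the user's default one. The DS records in OLD_ANCHORS and NEW_ANCHORS are constructed sample data, the function names are mine, and verify_detached assumes gpg is installed and that the ITAR public key was already imported into the keyring file it is given.

```python
"""Added illustration (not the update-itar.sh script from the post):
parse an unbound-style trust-anchor-file of DS records, diff two versions
per zone, and verify a detached PGP signature before trusting new data.
OLD_ANCHORS / NEW_ANCHORS are constructed sample data, not real ITAR entries."""
import subprocess
from collections import defaultdict

# Constructed sample anchor files in zone-file format (what trust-anchor-file reads).
OLD_ANCHORS = """\
; constructed sample, not real ITAR entries
se. IN DS 11111 5 1 0123456789ABCDEF0123456789ABCDEF01234567
cz. IN DS 22222 5 1 89ABCDEF0123456789ABCDEF0123456789ABCDEF
cz. IN DS 22223 5 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
br. IN DS 33333 5 1 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""
NEW_ANCHORS = """\
; constructed sample: se rolled in a key, cz withdrew 22222, pt appeared, br vanished
se. IN DS 11111 5 1 0123456789ABCDEF0123456789ABCDEF01234567
se. IN DS 11112 5 1 76543210FEDCBA9876543210FEDCBA9876543210
cz. IN DS 22223 5 2 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
pt. IN DS 44444 5 1 ABCDEF0123456789ABCDEF0123456789ABCDEF01
"""

DIGEST_HEX_LEN = {1: 40, 2: 64}  # DS digest type 1 = SHA-1, 2 = SHA-256


def parse_anchors(text):
    """Return {zone: set of (keytag, alg, digest_type, digest)} from zone-file text.

    Accepts 'zone [ttl] [IN] DS keytag alg dtype digest...'; ';' comments and
    blank lines are skipped.  Zone names are lowercased and given a trailing
    dot so 'SE' and 'se.' compare equal; digests split by whitespace are joined."""
    anchors = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        upper = [f.upper() for f in fields]
        if "DS" not in upper:
            raise ValueError("not a DS record: %r" % raw)
        i = upper.index("DS")
        zone = fields[0].lower()
        if not zone.endswith("."):
            zone += "."
        keytag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        digest = "".join(fields[i + 4:]).upper()
        int(digest, 16)  # raises ValueError on a non-hex or empty digest
        want = DIGEST_HEX_LEN.get(dtype)
        if want is not None and len(digest) != want:
            raise ValueError("digest length %d wrong for type %d: %r" % (len(digest), dtype, raw))
        anchors[zone].add((keytag, alg, dtype, digest))
    return dict(anchors)


def diff_anchors(old, new):
    """Classify per-zone changes between two parsed anchor sets.

    Yields (zone, kind, record) tuples; kind is 'zone-signed' (zone newly has
    anchors), 'added', 'removed', or 'zone-unsigned' (all anchors withdrawn,
    so the validator must stop expecting signatures from that zone)."""
    events = []
    for zone in sorted(set(old) | set(new)):
        o, n = old.get(zone, set()), new.get(zone, set())
        if not o and n:
            events.append((zone, "zone-signed", None))
        for rec in sorted(n - o):
            events.append((zone, "added", rec))
        for rec in sorted(o - n):
            events.append((zone, "removed", rec))
        if o and not n:
            events.append((zone, "zone-unsigned", None))
    return events


def format_report(events):
    """Render events one per line, the way a cron mail would show them."""
    lines = []
    for zone, kind, rec in events:
        if rec is None:
            lines.append("%s %s" % (zone, kind))
        else:
            lines.append("%s %s DS %d %d %d %s" % ((zone, kind) + rec))
    return lines


def verify_detached(data_path, sig_path, keyring_path):
    """Check a detached PGP signature using only the keys in keyring_path
    (assumption: the ITAR public key was imported there beforehand), so a key
    in the operator's personal keyring cannot vouch for the anchor file.
    Returns True only when gpg exits 0, i.e. reports a good signature."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
           "--trust-model", "always", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return proc.returncode == 0


def example_diff():
    """Diff the constructed sample files above."""
    return diff_anchors(parse_anchors(OLD_ANCHORS), parse_anchors(NEW_ANCHORS))


if __name__ == "__main__":
    print("\n".join(format_report(example_diff())))
```

In a real update job the order matters: verify the downloaded anchors.mf against its detached signature first, diff only after verification succeeds, and write the new file and reload unbound only when the diff is non-empty; a verification failure should leave the old anchor file untouched and show up in the cron mail.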
