On Friday 16 July 2010 15:50:19 Stephane Bortzmeyer wrote: > As far as I know, the only format of secure distribution for the root > trust anchor is an XML file. Here is a Makefile and a XSLT script to > translate this file to a trust anchor that Unbound will > recognize. Just type "make"
Hi Stephane, you should add the -o option to wget, otherwise you may have asecurity risk of unexpected download filenames. http://www.ocert.org/advisories/ocert-2010-001.html I've attached a corrected version of this Makefile. Regards Hauke
KEYFLAGS=257 HASHALG=2 # For dnssec-dsfromkey all: root-anchors.txt root-anchors.dnskey root-anchors.txt: root-anchors.xml xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml root-anchors.xml: wget -nc https://data.iana.org/root-anchors/root-anchors.xml -o root-anchors.xml wget -nc https://data.iana.org/root-anchors/root-anchors.asc -o root-anchors.asc gpg --verify root-anchors.asc root-anchors.xml || \ rm -f root-anchors.asc root-anchors.xml root-anchors.dnskey: root-anchors.txt dig DNSKEY . | grep -w ${KEYFLAGS} > untrusted.key # Verify the key # Thanks to Kazunori Fujiwara for the idea dnssec-dsfromkey -${HASHALG} untrusted.key > untrusted.ds cut -d' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp cut -d' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp echo >> root-anchors.tmp @diff root-anchors.txt root-anchors.tmp || \ sh -c 'echo "Invalid DNSKEY, deleting temporary files"; rm -f root-anchors.tmp untrusted.key untrusted.ds' awk '{print $$1 " " $$5 " " $$6 " " $$7 " " "\""; for (i = 8; i <= NF; i++) printf $$i " "; print "\";" }' untrusted.key > root-anchors.dnskey @echo "OK, root-anchors.dnskey is correct" clean: rm -f root-anchors.txt untrusted.key untrusted.ds root-anchors.tmp realclean: clean rm -f root-anchors.xml root-anchors.asc root-anchors.dnskey
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
