On 07/20/10 13:11, 7v5w7go9ub0o wrote:
Thank you Stephane and Hauke; this latest iteration appears to work fine.

I now have root-anchors.mkey and root-anchors.dnskey; where do I put
them, and how do I incorporate them into unbound.conf?

Oops....... not so fine. :-(

I deleted all of the root-anchors files, re-ran, and got this:

 make
wget -nc -O root-anchors.xml https://data.iana.org/root-anchors/root-anchors.xml && touch root-anchors.xml
--2010-07-20 20:17:50--  https://data.iana.org/root-anchors/root-anchors.xml
Resolving data.iana.org (data.iana.org)... 192.0.32.25
Connecting to data.iana.org (data.iana.org)|192.0.32.25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 418 [text/xml]
Saving to: `root-anchors.xml'

100%[=======================================================================>] 418 --.-K/s in 0s

2010-07-20 20:17:51 (403 MB/s) - `root-anchors.xml' saved [418/418]

wget -nc -O root-anchors.asc https://data.iana.org/root-anchors/root-anchors.asc && touch root-anchors.asc
--2010-07-20 20:17:51--  https://data.iana.org/root-anchors/root-anchors.asc
Resolving data.iana.org (data.iana.org)... 192.0.32.25
Connecting to data.iana.org (data.iana.org)|192.0.32.25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189 [text/plain]
Saving to: `root-anchors.asc'

100%[=======================================================================>] 189 --.-K/s in 0s

2010-07-20 20:17:51 (112 MB/s) - `root-anchors.asc' saved [189/189]

gpg --verify root-anchors.asc root-anchors.xml || \
sh -c 'echo "Invalid root-anchors.xml"; rm -f root-anchors.xml root-anchors.asc; exit 1;'
gpg: Signature made Tue Jul  6 18:49:10 2010 EDT using DSA key ID 0F6C91D2
gpg: Good signature from "DNSSEC Manager <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
OK, root-anchors.xml is correct
xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml
dig DNSKEY . | grep -w 257 > untrusted.key
# Verify the key
# Thanks to Kazunori Fujiwara for the idea
dnssec-dsfromkey -2  untrusted.key > untrusted.ds
/bin/sh: dnssec-dsfromkey: command not found
make: *** [root-anchors.txt] Error 127
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
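
The step that failed in the log above is the `dnssec-dsfromkey -2` call, which derives a SHA-256 DS record from the DNSKEY that `dig` returned so it can be compared with the GPG-verified anchor. The following is an added example, not part of the original message or of the Makefile it runs: it performs the same derivation (RFC 4034) in Python. The function names, the "tag alg type digest" anchor string format and the sample key are assumptions; the sample is a constructed dummy, not a real root key.

```python
import base64
import hashlib
import struct

def parse_dnskey(line):
    """Parse one 'dig DNSKEY .' answer line into (owner, DNSKEY RDATA bytes)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))  # dig may split the base64
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key

def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name; '.' becomes b'\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(line):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DNSKEY line."""
    owner, rdata = parse_dnskey(line)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest

def matches_anchor(line, anchor_ds):
    """Compare the computed DS with a trusted 'tag alg type digest' string."""
    tag, alg, dtype, digest = anchor_ds.split()
    return ds_sha256(line) == (int(tag), int(alg), int(dtype), digest.upper())

# Constructed sample: a 4-byte dummy "key", not a real root DNSKEY.
SAMPLE = ". 172800 IN DNSKEY 257 3 8 AQID BA=="

if __name__ == "__main__":
    print("computed DS fields:", ds_sha256(SAMPLE))
```

The DNSKEY fetched with `dig` is untrusted input; only the DS values taken from the signature-checked root-anchors.xml should be passed as `anchor_ds`.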
