Thanks Hauke, I'm past that particular issue now, but another reared its head (down at the end).

> On 24.08.2010 19:03, =JeffH wrote:
>
> > ..where's the pubkey supposed to come from to validate it?  If GPG is
> > supposed to suck it over the net, maybe that's the problem?
>
> gpg needs to have IANA's DNSSEC public key in its keyring.
>
> You can retrieve the key from public keyservers:
> gpg --search-key [email protected]

Ok, that worked for me on one of my systems..

> gpg --search-key [email protected]
gpg: searching for "[email protected]" from hkp server subkeys.pgp.net
(1)     DNSSEC Manager <[email protected]>
          1024 bit DSA key 0F6C91D2, created: 2007-12-01
Keys 1-1 of 1 for "[email protected]".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 0F6C91D2 from hkp server subkeys.pgp.net
gpg: key 0F6C91D2: public key "DNSSEC Manager <[email protected]>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1



> Now that you have the key, you can either trust that it's the right one.
> That's what I did.
>
> Or you would have to verify the key's fingerprint with IANA staff,
> although I don't know if that's even an option[*].

the latter sounds like a question for dnssec-deployment@   :)


> JFTR, the key in my keyring has these IDs and fingerprint:
>
> pub   1024D/0F6C91D2 2007-12-01 [expires: 2011-11-25]
> Key fingerprint = 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
> uid                  DNSSEC Manager <[email protected]>
> sub   2048g/1975679E 2007-12-01

ok, so does the one in my keyring..

> gpg --fingerprint [email protected]
pub   1024D/0F6C91D2 2007-12-01 [expires: 2011-03-04]
      Key fingerprint = 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
uid                  DNSSEC Manager <[email protected]>
sub   2048g/1975679E 2007-12-01



Now, however, there's another problem with the Makefile <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20100720/0fa5e52f/attachment-0005.txt>, at least for me (listing starts after the root-anchors.* files are sucked over)..



gpg --verify root-anchors.asc root-anchors.xml || \
sh -c 'echo "Invalid root-anchors.xml"; rm -f root-anchors.xml root-anchors.asc; exit 1;'
gpg: Signature made Tue 06 Jul 2010 03:49:10 PM PDT using DSA key ID 0F6C91D2
gpg: Good signature from "DNSSEC Manager <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
OK, root-anchors.xml is correct
xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml
dig DNSKEY . | grep -w 257 > untrusted.key

# Verify the key
# Thanks to Kazunori Fujiwara for the idea
dnssec-dsfromkey -2 untrusted.key > untrusted.ds <<<====!!!
dnssec-dsfromkey: invalid keyfile name untrusted.key: algorithm is unsupported
make: *** [root-anchors.txt] Error 1

note the "algorithm is unsupported" error msg from dnssec-dsfromkey.

the dnssec-dsfromkey version I'm using is 9.6.1-P2.

thoughts?

thanks,

=JeffH
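The last Makefile steps above (`dig DNSKEY . | grep -w 257`, then `dnssec-dsfromkey -2`, then checking the result against the DS in root-anchors.txt) derive a DS record from the live root KSK and compare it with the IANA trust anchor; the following Python is an added illustration of that computation (RFC 4034 key tag plus a digest-type-2 DS), not code from this thread, the Makefile, or BIND. The DNSKEY lines and helper names are constructed for the example, and the fake keys are nothing like the real root keys.

```python
import base64
import hashlib
import struct

# Constructed `dig DNSKEY .` answer lines with fake keys: a 256-flag ZSK and a 257-flag KSK.
SAMPLE_DIG_OUTPUT = """\
.\t172800\tIN\tDNSKEY\t256 3 8 AQIDBA==
.\t172800\tIN\tDNSKEY\t257 3 8 AQID
"""

def ksk_records(dig_output: str) -> list:
    """Equivalent of `grep -w 257`: keep only DNSKEY RRs whose flags field is 257."""
    return [l for l in dig_output.splitlines() if l.split()[3:5] == ["DNSKEY", "257"]]

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    labels = name.rstrip(".").lower().split(".") if name.strip(".") else []
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Return (owner, RDATA bytes) for a DNSKEY RR in presentation format."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))  # key material may span several tokens
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(line: str) -> str:
    """DS RR with digest type 2 (SHA-256), the form `dnssec-dsfromkey -2` emits.
    The digest covers owner name + RDATA bytes only; no algorithm support is needed."""
    owner, rdata = parse_dnskey(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"

def ds_matches(candidate: str, trusted: str) -> bool:
    """Compare key tag, algorithm, digest type and digest; tolerate case and whitespace."""
    def fields(ds: str) -> list:
        f = ds.upper().split()
        i = f.index("DS")
        return f[i + 1:i + 4] + ["".join(f[i + 4:])]
    return fields(candidate) == fields(trusted)
```

Feed the real `dig DNSKEY .` output into `ksk_records` and the DS line from root-anchors.txt into `ds_matches` to reproduce the Makefile's check without depending on a particular BIND version.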



_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
