On 08/25/2010 08:32 AM, Carsten Strotmann wrote:
> On 8/24/10 11:41 PM, =JeffH wrote:
>
>> note the "algorithm is unsupported" error msg from dnssec-dsfromkey.
>>
>> the dnssec-dsfromkey version I'm using is 9.6.1-P2.
>>
>> thoughts?
>
> That version of dnssec-dsfromkey is too old, it does not support SHA256.
> You need to upgrade your BIND tools package to a version that does
> SHA256, like BIND 9.7.1-P2 or BIND 9.6.2 (and up).

When it turned out I didn't have this installed, I just did part of it by hand once with unbound-host and set up the auto-trust-anchor:

- downloaded the files using https and verified the CA-cert(s).
- imported the PGP key in a temporary account.
- checked the files with the PGP-key
- grabbed the DS-record from the file(s) which were just checked before that
- munched the DS-record a bit (I think replace the IN with a .)
- and verified the root with unbound-host -vj "..."

After that I set up unbound to use auto-trust-anchor-file.

I think this should be ok and shouldn't need to look at it ever again.

> -- Carsten

_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
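
What a SHA-256-capable dnssec-dsfromkey computes (DS digest type 2, RFC 4509), as an added example that is not part of the original thread or of BIND/Unbound. The DNSKEY is a constructed 4-byte sample, not a real key, and the function names are illustrative.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in canonical (lowercase) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"  # the root name "." is the single zero byte


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """Build DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit checksum over the RDATA)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_sha256(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str) -> str:
    """Return the DS record (digest type 2 = SHA-256) in presentation format."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    # The digest covers the owner name in wire format followed by the DNSKEY RDATA.
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    owner_txt = owner if owner.endswith(".") else owner + "."
    return f"{owner_txt} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


# Constructed sample: "AQIDBA==" decodes to bytes 01 02 03 04 (not a real key),
# flags 257 (KSK), protocol 3, algorithm 8 (RSASHA256), owner = root zone.
SAMPLE = (".", 257, 3, 8, "AQIDBA==")

if __name__ == "__main__":
    print(ds_sha256(*SAMPLE))
```

Comparing the computed key tag and digest against the DS record taken from the PGP-verified file checks that a DNSKEY obtained over DNS is the published one.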
