[Unbound-users] Validating the root: translation of ICANN XML file

=JeffH Jeff.Hodges at KingsMountain.com
Wed Aug 25 19:43:22 UTC 2010

 > As the root is signed with RSA/SHA-256, you need BIND 9.6.2 or later to
 > validate signatures.

thanks for the hint. rather than muck with my (stock) ubuntu system's DNS 
underpinnings/tools, I noticed that the ldns tools I have also address this and 
tried this in the Makefile rather than dnssec-dsfromkey..

   ldns-key2ds -${HASHALG} -n untrusted.key > untrusted.ds

..which worked.

However, my awk and cut (or something) must be different than Stephane's 
because I couldn't get the stuff after the dnssec-dsfromkey/ldns-key2ds parts 
in the Makefile to work, even hacking around by hand.

However, Leen's "rootanchor2keys.pl" 
apparently did the trick..

 > wget -q -O- https://data.iana.org/root-anchors/root-anchors.xml | 
./rootanchor2keys.pl -
/* created by ./rootanchor2keys.pl at 2010-08-25T19:21:51 */
trusted-keys {
/* id="Kjqmt7v", keytag=19036 */
"." 257 3 8

Now, it apparently is printing to stdout what the Makefile would have output as 
root-anchors.dnskey, yes?

My interest in getting the root-anchor set up on my system at this time is to 
be able to use ldns tools such as drill et al -- so do i need to produce a 
root-anchors.mkey ("managed keys"?) file also? and how does it differ 
syntactically from the above ?

and also, where do I need to place these files such that the ldns tools such as 
drill et al will find them ?

thanks for the help,


More information about the Unbound-users mailing list