[Unbound-users] Validating the root: translation of ICANN XML file

Hauke Lampe lampe at hauke-lampe.de
Tue Jul 20 11:27:34 UTC 2010

On 07/18/2010 12:01 AM, Stephane Bortzmeyer wrote:

>> you should add the -o option to wget, otherwise you may have  asecurity risk 

That should be "-O". In older versions of wget (1.10.2/Debian Etch),
this option does not works together with "-nc". The empty output file is
created first, therefore "-nc" never downloads anything.

Another thing I noticed is that newer wget always sets a downloaded
file's mtime to the timestamp received in the headers, with no apparent
way to disable it.

> Fixed on my local copy as well. Apart from that, does it work for you?

It does work for me. I attached a modified version that also outputs
"root-anchors.mkey" with the key wrapped in BIND's "managed-keys" clause.

Thanks Stéphane. With your Makefile and XSLT, it's very easy to verify
and convert the root anchors from IANA for use with Unbound an BIND.

root-anchors.txt for unbound and "(auto-)trust-anchor-file".
root-anchors.mkey for RFC5011 mangement with BIND.
root-anchors.dnskey for static "trusted-keys" configuration.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Makefile
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20100720/0fa5e52f/attachment-0003.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20100720/0fa5e52f/attachment-0003.bin>
-------------- next part --------------
bind-users mailing list
bind-users at lists.isc.org

More information about the Unbound-users mailing list