Using unbound-anchor for non-default trust anchor
Robert Edmonds
edmonds at debian.org
Tue Jul 28 19:16:01 UTC 2015
Edward Lewis via Unbound-users wrote:
> unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org.
>
> I am trying to test RFC 5011 capabilities by following these websites:
>
> http://keyroll.systems
> and
> http://icksk.dnssek.info/fauxroot.html
>
> Goal is to run unbound-anchor as a first step before trying to tune
> unbound to either of those experiments.
Hi, Ed:
IIRC, the HTTPS fetch from data.iana.org in unbound-anchor is a
fallback, if the RFC 5011 stuff fails. You still ought to be able to
test the RFC 5011 stuff alone, if that's what you're trying to do.
I copied the root.db file at the bottom of
http://keyroll.systems/current into /tmp/root.db (would be nice if this
were downloadable as a separate file), and then tried unbound-anchor
with that root zone against the three most recent key files (at the
time) from the bottom of http://keyroll.systems/historic:
# Most recent key.
edmonds at chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+55039.key
edmonds at chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:26 skipping type TXT
success: the anchor is ok
# Second most recent key.
edmonds at chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+27079.key
edmonds at chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:26 skipping type TXT
success: the anchor is ok
# Third most recent key.
edmonds at chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+42496.key
edmonds at chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:26 skipping type TXT
last successful probe: Tue Jul 28 15:09:16 2015
the last successful probe is recent
fail: the anchor is NOT ok and could not be fixed
edmonds at chase{0}:~$ cat /tmp/root.key
; autotrust trust anchor file
;;REVOKED
; The zone has all keys revoked, and is
; considered as if it has no trust anchors.
; the remainder of the file is the last probe.
; to restart the trust anchor, overwrite this file.
; with one containing valid DNSKEYs or DSes.
;;id: . 1
;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;last_success: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;next_probe_time: 0 ;;Wed Dec 31 19:00:00 1969
;;query_failed: 0
;;query_interval: 0
;;retry_time: 0
. 3600 IN DNSKEY 385 3 8 AwEAAct/IgeZiHmphBTGCJUxJNd1hy9uuqUJFtIsdJgyMr+LLnTjbqXkAF47BskHvSIrlQlIc/SDTDLtUktpM/IVWAjolSsP1+oNYwTi56WwW9nyc+vuJkPG8sxza1p7c7PoTegb2JPPEsmkLGMEDz0kliWHSZkinr9yB1/LxI3SBAYq17Od3CuIAWyU0F0pVxqJwJn/jWI4z1FdSwU9cGhx+/g8FvrnrOkOMyj08g4LlYf5PBpopB+Cz2JNOFa6DRr2WyUuVvbTa9ZnBCOTHcUsaoqVdvs3fihvcdpfWonHm7aJvyUnB3CiUQz/iIzvYTtx3+OF8+mOjy0qFX+Zk4KUg6U= ;{id = 42624 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1438110556 ;;Tue Jul 28 15:09:16 2015
edmonds at chase{0}:~$
Hope this helps!
--
Robert Edmonds
edmonds at debian.org
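A detail worth pulling out of the session above: the key fetched as K.+008+42496.key comes back from unbound-anchor annotated "id = 42624" with flags 385 instead of 257. That is RFC 5011 revocation at work. The REVOKE bit (0x80) lives in the DNSKEY flags word, which is part of the RDATA that the RFC 4034 Appendix B key tag is summed over, so revoking a key changes its tag, here by exactly 128. The Python below is an added example, not code from this post or from the Unbound project: it parses the autotrust file listed above (contents copied from the listing), decodes the flag bits, recomputes the key tag both as stored and with REVOKE cleared, and reports whether the anchor is usable. The function and field names are my own.

```python
# Added example (not from the mailing-list post or from Unbound): parse the
# autotrust anchor file shown above and recompute the DNSKEY key tag.
import base64
import re
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011 section 2.1).
FLAG_ZONE = 0x0100
FLAG_REVOKE = 0x0080
FLAG_SEP = 0x0001

# /tmp/root.key exactly as listed in the post (the DNSKEY record is one long line).
ANCHOR_FILE = """\
; autotrust trust anchor file
;;REVOKED
; The zone has all keys revoked, and is
; considered as if it has no trust anchors.
; the remainder of the file is the last probe.
; to restart the trust anchor, overwrite this file.
; with one containing valid DNSKEYs or DSes.
;;id: . 1
;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;last_success: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;next_probe_time: 0 ;;Wed Dec 31 19:00:00 1969
;;query_failed: 0
;;query_interval: 0
;;retry_time: 0
. 3600 IN DNSKEY 385 3 8 AwEAAct/IgeZiHmphBTGCJUxJNd1hy9uuqUJFtIsdJgyMr+LLnTjbqXkAF47BskHvSIrlQlIc/SDTDLtUktpM/IVWAjolSsP1+oNYwTi56WwW9nyc+vuJkPG8sxza1p7c7PoTegb2JPPEsmkLGMEDz0kliWHSZkinr9yB1/LxI3SBAYq17Od3CuIAWyU0F0pVxqJwJn/jWI4z1FdSwU9cGhx+/g8FvrnrOkOMyj08g4LlYf5PBpopB+Cz2JNOFa6DRr2WyUuVvbTa9ZnBCOTHcUsaoqVdvs3fihvcdpfWonHm7aJvyUnB3CiUQz/iIzvYTtx3+OF8+mOjy0qFX+Zk4KUg6U= ;{id = 42624 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1438110556 ;;Tue Jul 28 15:09:16 2015
"""


def flag_names(flags):
    """Human-readable names for the DNSKEY flag bits that are set."""
    table = (("ZONE", FLAG_ZONE), ("REVOKE", FLAG_REVOKE), ("SEP", FLAG_SEP))
    return [name for name, bit in table if flags & bit]


def keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-algorithm-1 form)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey):
    """Modulus size of an RFC 3110 RSA public key (1- or 3-byte exponent length prefix)."""
    if pubkey[0] == 0:
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    else:
        elen, off = pubkey[0], 1
    return int.from_bytes(pubkey[off + elen:], "big").bit_length()


def parse_autotrust(text):
    """Split an autotrust file into the ;;REVOKED marker, ;;name: value metadata,
    and DNSKEY records with unbound's per-key annotations taken from the comment."""
    meta, keys, revoked = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;"):
            body = line[2:]
            if body == "REVOKED":
                revoked = True
            elif ":" in body:
                name, value = body.split(":", 1)
                meta[name.strip()] = value.split(";;")[0].strip()  # drop the ";;date" tail
            continue
        if line.startswith(";"):
            continue                      # free-text comment
        rr, _, comment = line.partition(";")
        f = rr.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        id_m = re.search(r"id = (\d+)", comment)
        state_m = re.search(r"\[ (\w+) \]", comment)
        keys.append({
            "flags": int(f[4]), "protocol": int(f[5]), "algorithm": int(f[6]),
            "pubkey": base64.b64decode("".join(f[7:])),
            "id_comment": int(id_m.group(1)) if id_m else None,
            "state": state_m.group(1) if state_m else None,
        })
    return {"revoked": revoked, "meta": meta, "keys": keys}


def check_anchor(text):
    """Summarise the first DNSKEY in an autotrust file and say whether it is usable."""
    info = parse_autotrust(text)
    k = info["keys"][0]
    tag = keytag(k["flags"], k["protocol"], k["algorithm"], k["pubkey"])
    tag_plain = keytag(k["flags"] & ~FLAG_REVOKE, k["protocol"], k["algorithm"], k["pubkey"])
    return {
        "file_revoked": info["revoked"],
        "state": k["state"],
        "flags": flag_names(k["flags"]),
        "rsa_bits": rsa_modulus_bits(k["pubkey"]) if k["algorithm"] in (5, 7, 8, 10) else None,
        "keytag": tag,                       # tag as stored, REVOKE bit set
        "keytag_without_revoke": tag_plain,  # tag the key had before revocation
        "tag_matches_id": tag == k["id_comment"],
        "usable": not info["revoked"] and not (k["flags"] & FLAG_REVOKE),
    }


if __name__ == "__main__":
    for name, value in check_anchor(ANCHOR_FILE).items():
        print(f"{name:22s} {value}")
```

Running it shows the stored tag 42624 matching unbound's "id =" annotation, 42496 once REVOKE is cleared (the number in the key file name), and usable=False: once the ;;REVOKED marker is present, unbound treats the zone as having no trust anchor, which is why the third run ends with "the anchor is NOT ok and could not be fixed" and why the fix is to overwrite the file with a fresh DNSKEY or DS.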