Thanks Hauke, I'm past that particular issue now, but another reared its head (down at end).

> On 24.08.2010 19:03, =JeffH wrote:
> >
> > ..where's the pubkey supposed to come from to validate it? If GPG is
> > supposed to suck it over the net, maybe that's the problem?
>
> gpg needs to have IANA's DNSSEC public key in its keyring.
>
> You can retrieve the key from public keyservers:
> gpg --search-key dnssec at iana.org

Ok, that worked for me on one of my systems..

> gpg --search-key dnssec at iana.org
gpg: searching for "dnssec at iana.org" from hkp server subkeys.pgp.net
(1)     DNSSEC Manager <dnssec at iana.org>
          1024 bit DSA key 0F6C91D2, created: 2007-12-01
Keys 1-1 of 1 for "dnssec at iana.org".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 0F6C91D2 from hkp server subkeys.pgp.net
gpg: key 0F6C91D2: public key "DNSSEC Manager <dnssec at iana.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1

> Now that you have the key, you can either trust that it's the right one.
> That's what I did.
>
> Or you would have to verify the key's fingerprint with IANA staff,
> although I don't know if that's even an option[*].

the latter sounds like a question for dnssec-deployment@  :)

> JFTR, the key in my keyring has these IDs and fingerprint:
>
> pub   1024D/0F6C91D2 2007-12-01 [expires: 2011-11-25]
>       Key fingerprint = 2FBB 91BC AAEE 0ABE 1F80 31C7 D1AF BCE0 0F6C 91D2
> uid                  DNSSEC Manager <dnssec at iana.org>
> sub   2048g/1975679E 2007-12-01

ok, so does the one in my keyring..
> gpg --fingerprint dnssec at iana.org
pub   1024D/0F6C91D2 2007-12-01 [expires: 2011-03-04]
      Key fingerprint = 2FBB 91BC AAEE 0ABE 1F80 31C7 D1AF BCE0 0F6C 91D2
uid                  DNSSEC Manager <dnssec at iana.org>
sub   2048g/1975679E 2007-12-01

Now however, there's another problem with the Makefile
<http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20100720/0fa5e52f/attachment-0005.txt>,
at least for me: (listing starts after root-anchors.* files are sucked over)..

gpg --verify root-anchors.asc root-anchors.xml || \
    sh -c 'echo "Invalid root-anchors.xml"; rm -f root-anchors.xml root-anchors.asc; exit 1;'
gpg: Signature made Tue 06 Jul 2010 03:49:10 PM PDT using DSA key ID 0F6C91D2
gpg: Good signature from "DNSSEC Manager <dnssec at iana.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2FBB 91BC AAEE 0ABE 1F80 31C7 D1AF BCE0 0F6C 91D2
OK, root-anchors.xml is correct
xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml
dig DNSKEY . | grep -w 257 > untrusted.key
# Verify the key
# Thanks to Kazunori Fujiwara for the idea
dnssec-dsfromkey -2 untrusted.key > untrusted.ds                  <<<====!!!
dnssec-dsfromkey: invalid keyfile name untrusted.key: algorithm is unsupported
make: *** [root-anchors.txt] Error 1

note the "algorithm is unsupported" error msg from dnssec-dsfromkey.

the dnssec-dsfromkey version I'm using is 9.6.1-P2.

thoughts?

thanks,

=JeffH
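As an added illustration (not part of this thread or of the Makefile it discusses), the script below does the step the Makefile delegates to `dnssec-dsfromkey -2`: it derives the SHA-256 DS record from a DNSKEY RR per RFC 4034 and checks it against the DS lines produced from root-anchors.xml. It assumes DNSKEY lines in dig's presentation format (what `dig DNSKEY . | grep -w 257` writes to untrusted.key); the sample key is constructed and is not the real root KSK.

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase labels, root is one zero byte."""
    labels = name.lower().rstrip(".")
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels.split(".") if l)
    return out + b"\x00"


def parse_dnskey(line):
    """Parse one DNSKEY RR in dig's presentation format; return (owner, RDATA bytes)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    pubkey = base64.b64decode("".join(f[i + 4:]))   # dig may split the base64 across fields
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line):
    """SHA-256 DS (digest type 2) for a DNSKEY RR, i.e. what `dnssec-dsfromkey -2` prints."""
    owner, rdata = parse_dnskey(line)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {digest}"


def parse_ds(line):
    """Return (key tag, algorithm, digest type, digest hex) from a DS RR in presentation format."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()


def matching_keys(dnskey_lines, trusted_ds_lines):
    """The Makefile's check: return the DNSKEY lines whose computed DS is in the trust-anchor set."""
    anchors = {parse_ds(t) for t in trusted_ds_lines}
    return [k for k in dnskey_lines if parse_ds(ds_from_dnskey(k)) in anchors]


# Constructed sample (NOT the real root KSK): flags 257 (KSK), protocol 3, algorithm 8, 4-byte key.
SAMPLE_DNSKEY = ". 172800 IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_DNSKEY))
```

Because the digest and key tag are computed directly from the RDATA, the check does not depend on which signing algorithms the installed dnssec-dsfromkey recognizes.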