On 07/20/10 13:11, 7v5w7go9ub0o wrote:
> Thank you Stephane and Hauke; this latest iteration appears to work fine.
>
> I now have root-anchors.mkey and root-anchors.dnskey; where do I put
> them, and how do I incorporate them into unbound.conf?

Oops....... not so fine. :-(

I deleted all of the root-anchors files, re-ran, and got this:

make
wget -nc -O root-anchors.xml https://data.iana.org/root-anchors/root-anchors.xml && touch root-anchors.xml
--2010-07-20 20:17:50-- https://data.iana.org/root-anchors/root-anchors.xml
Resolving data.iana.org (data.iana.org)... 192.0.32.25
Connecting to data.iana.org (data.iana.org)|192.0.32.25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 418 [text/xml]
Saving to: `root-anchors.xml'

100%[=======================================================================>] 418 --.-K/s in 0s

2010-07-20 20:17:51 (403 MB/s) - `root-anchors.xml' saved [418/418]

wget -nc -O root-anchors.asc https://data.iana.org/root-anchors/root-anchors.asc && touch root-anchors.asc
--2010-07-20 20:17:51-- https://data.iana.org/root-anchors/root-anchors.asc
Resolving data.iana.org (data.iana.org)... 192.0.32.25
Connecting to data.iana.org (data.iana.org)|192.0.32.25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189 [text/plain]
Saving to: `root-anchors.asc'

100%[=======================================================================>] 189 --.-K/s in 0s

2010-07-20 20:17:51 (112 MB/s) - `root-anchors.asc' saved [189/189]

gpg --verify root-anchors.asc root-anchors.xml || \
sh -c 'echo "Invalid root-anchors.xml"; rm -f root-anchors.xml root-anchors.asc; exit 1;'
gpg: Signature made Tue Jul 6 18:49:10 2010 EDT using DSA key ID 0F6C91D2
gpg: Good signature from "DNSSEC Manager <dnssec at iana.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2FBB 91BC AAEE 0ABE 1F80 31C7 D1AF BCE0 0F6C 91D2
OK, root-anchors.xml is correct
xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml
dig DNSKEY . | grep -w 257 > untrusted.key
# Verify the key
# Thanks to Kazunori Fujiwara for the idea
dnssec-dsfromkey -2 untrusted.key > untrusted.ds
/bin/sh: dnssec-dsfromkey: command not found
make: *** [root-anchors.txt] Error 127