Maintained by: NLnet Labs

[Unbound-users] Problem with SHA256 DS as trust anchors ?

W.C.A. Wijngaards
Wed Feb 18 14:10:15 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ralf,

Tried myself, and it works well for me.
Do you have openssl 0.9.8 (or newer)?
0.9.7 does not do SHA256 I think; and that could cause the validation
failure - since none of the trust anchors work.

Best regards,
   Wouter

Ralf Weber wrote:
> Moin!
> 
> RIPE recently published all their trust anchors in zone file format as
> DS records with SHA256 as digest algorithm. Now I seem to have problems
> when I use this file with unbound 1.2.1 as trust-anchor-file. Some keys
> seem to work, some not. One that does not work is:
>     ripe.net. DS 7543 5 2 A281F1D5BB5DE2FA435D77C0989321D757EA0FACED1CC7643D1ED6E64A4D3999
> Now when I generate a SHA1 DS record out of the key it does work
> perfectly.
>     ripe.net. DS 7543 5 1 5f4134815032c5b39b02b9d248bbf49de44e1297
> Here's the verbosity 3 output of a failed lookup to www.ripe.net using
> the first DS as trust anchor:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmcCLcACgkQkDLqNwOhpPj6hgCgkLNqyNzcHO4No23NMGuAoN+5
P90AoIqaaAkXoNhwQlYYupgVfQZLsJ4R
=B9j5
-----END PGP SIGNATURE-----
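The thread turns on how a DS record is derived from a DNSKEY and why a validator whose crypto library lacks SHA-256 cannot match a digest type 2 anchor. The following is an added example, not code from the Unbound project or from either poster: it builds DS records for both digest types from a DNSKEY following RFC 4034 (owner name in canonical wire form followed by the DNSKEY RDATA, key tag per Appendix B), reports which digest types the local hash library can actually construct, and checks a DS text line against a key, tolerating a digest wrapped across whitespace as in the quoted mail. The DNSKEY material (`DEMO_KEY`) is constructed and is not ripe.net's real key; the 7543 key tag and digests in the thread cannot be reproduced without that key.

```python
"""Derive DS records (RFC 4034 section 5.1.4) from a DNSKEY and verify a DS line.

Added, self-contained example. DEMO_KEY is a constructed placeholder key,
not a real ripe.net DNSKEY.
"""
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509) mapped to hashlib names.
DIGEST_ALGS = {1: "sha1", 2: "sha256"}

# Constructed DNSKEY: KSK flags (257), protocol 3, RSASHA1 (5), fake 4-byte key.
DEMO_OWNER = "ripe.net."
DEMO_FLAGS, DEMO_PROTO, DEMO_ALG = 257, 3, 5
DEMO_KEY = "AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lower-cased, length-prefixed labels, root terminator."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the special rule for algorithm 1 is not handled)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def supported_digest_types() -> list:
    """Digest types this host's hash library can construct; an old OpenSSL without
    SHA-256 would drop type 2 here, and every type 2 anchor would be unusable."""
    ok = []
    for dt, alg in DIGEST_ALGS.items():
        try:
            hashlib.new(alg)
            ok.append(dt)
        except ValueError:
            pass
    return ok


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Upper-case hex digest over owner-name wire form || DNSKEY RDATA."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type) -> str:
    """Render a DS record in presentation format for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_matches(ds_line: str, owner, flags, protocol, algorithm, pubkey_b64) -> bool:
    """True if the DS line (optionally with IN class, digest possibly wrapped over
    whitespace) identifies and authenticates the given DNSKEY."""
    fields = ds_line.split()
    if len(fields) > 1 and fields[1].upper() == "IN":
        del fields[1]
    if len(fields) < 6 or fields[1].upper() != "DS":
        return False
    if fields[0].rstrip(".").lower() != owner.rstrip(".").lower():
        return False
    tag, alg, dtype = int(fields[2]), int(fields[3]), int(fields[4])
    digest = "".join(fields[5:]).upper()
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    if tag != key_tag(rdata) or alg != algorithm:
        return False
    if dtype not in supported_digest_types():
        return False  # anchor cannot be used at all on this host
    return digest == ds_digest(owner, rdata, dtype)


if __name__ == "__main__":
    print("supported digest types:", supported_digest_types())
    for dt in (1, 2):
        print(ds_record(DEMO_OWNER, DEMO_FLAGS, DEMO_PROTO, DEMO_ALG, DEMO_KEY, dt))
```

Running the block prints one SHA-1 and one SHA-256 DS line for the constructed key; both carry the same key tag, since the tag is computed over the DNSKEY RDATA and is independent of the digest type. `ds_matches` refuses a DS whose digest type the host cannot hash, which is the failure mode Wouter describes: with no usable anchor, every lookup under that anchor fails validation.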