Maintained by: NLnet Labs

[Unbound-users] Using the ITAR

W.C.A. Wijngaards
Thu Feb 19 15:24:36 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

The new IANA ITAR provides trust anchors for TLDs (se, br, cz and more),
and with the IANA providing strong verification - using their existing
contacts with the operators of those zones - I was thinking it would be
nice to use it with the unbound validator.

When the list of anchors grows, you need an automated way to pick up
changes.  I've made such a script, and set it up for us locally.  I
hope it can be useful for you too.

The script:
http://unbound.nlnetlabs.nl/svn/trunk/contrib/update-itar.sh
sha1   15da042c55b4cda77257126f5935426aa03e1d12
md5    95541bb6660364a425596b75d163feaa
sha256 25e90817c814f7cd61435e7d8d36d90feb41077d08a4a9be39ed8fc69bead138

(these hashes are so that my pgp key signs the hashes, so you can trust
the pgp public key for the ITAR inside the script)

How does it work:
Fetches the key file and verifies the contents with the IANA ITAR public
PGP key.  Prints differences (so changes are visible in cron mail).
You can configure it to use other PGP keys or trust anchor repositories,
simply edit the shell file variables at the top.  The PGP key for IANA
ITAR comes distributed and is used by default.  It picks up new keys
and removed keys, and if all keys for a zone are removed, the zone goes
back to unsigned (if the zone decides to go back to unsigned).

How to install it:
Assuming your unbound works in /usr/local/etc/unbound
Install the script, copy it to /usr/local/etc/unbound/update-itar.sh.
In your unbound.conf, edit the following line:
	trust-anchor-file: "/usr/local/etc/unbound/anchors.mf"
You can keep your existing trust anchor definitions if you want, they
only add new trust, and do not remove it.

Try the script manually, as root do:
$ cd /usr/local/etc/unbound
$ ./update-itar.sh
This should work and unbound-checkconf should have no errors.
Then you can do unbound-control reload.

Now make a cron job that does:
	cd /usr/local/etc/unbound; ./update-itar.sh && unbound-control reload

Then you can dig cz SOA +dnssec, and see if the ad flag is there.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmda6QACgkQkDLqNwOhpPgRmgCZAXxElTCI1SKESodtSWHJxwpz
uLUAn0mcg1JxIWCq2KSsYXUM2ak6MUfc
=7xAp
-----END PGP SIGNATURE-----
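The change-detection step the post describes (new keys, removed keys, and a zone whose anchors all disappear going back to unsigned), written out as an added example. This is not the update-itar.sh script from the post and not NLnet Labs code; it assumes a master-file style anchor list with fully qualified owner names and DS or DNSKEY records, and the two sample files and their digests are constructed for the example. The PGP verification of the fetched file is left out here on purpose: the example only diffs a file that has already been verified, and it fails closed on anything it cannot parse, because an anchor silently dropped by a parser would look exactly like a zone that went unsigned.

```python
"""Diff two master-file style trust anchor lists so that added keys,
removed keys and zones that lost every anchor are visible (for example
in cron mail) before the new file is put in front of the validator.

Added example, not update-itar.sh.  Sample data below is constructed;
the DS digests are not real ITAR data.
"""

# Constructed sample: the anchor file as it was at the previous run.
OLD_ANCHORS = """\
; constructed example, not real ITAR data
se.   IN DS 11111 5 1 0123456789ABCDEF0123456789ABCDEF01234567
se.   IN DS 22222 5 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
br.   IN DS 33333 5 1 89ABCDEF0123456789ABCDEF0123456789ABCDEF
cz.   IN DS 44444 5 1 FEDCBA9876543210FEDCBA9876543210FEDCBA98
"""

# Constructed sample: the freshly fetched, already PGP-verified file.
# se rolled key 11111 to 55555; cz publishes no anchors at all any more.
NEW_ANCHORS = """\
; constructed example, not real ITAR data
SE.   IN DS 55555 5 1 13579BDF02468ACE13579BDF02468ACE13579BDF
se.   IN DS 22222 5 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
br.   IN DS 33333 5 1 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""


def parse_anchors(text):
    """Return {zone: set(rdata tuples)} for the DS/DNSKEY records in text.

    Comments (';') and blank lines are ignored.  Anything else that is not
    a DS or DNSKEY record raises ValueError: fail closed rather than let a
    parsing gap masquerade as a zone that dropped its anchors.
    """
    anchors = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):
            # Assumption: owner names are fully qualified, so $ORIGIN/$TTL
            # directives are not expected and are treated as an error.
            raise ValueError(f"line {lineno}: directive {tokens[0]} not supported")
        # The record type sits after the owner name and optional TTL/class.
        type_idx = next((i for i in range(1, len(tokens))
                         if tokens[i].upper() in ("DS", "DNSKEY")), None)
        if type_idx is None:
            raise ValueError(f"line {lineno}: not a DS or DNSKEY record")
        rtype = tokens[type_idx].upper()
        zone = tokens[0].lower()
        if not zone.endswith("."):
            zone += "."
        fields = tokens[type_idx + 1:]
        # DS: keytag alg digesttype digest; DNSKEY: flags proto alg key.
        # The last field may be split across whitespace in master files.
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: truncated {rtype} record")
        blob = "".join(fields[3:])
        if rtype == "DS":
            blob = blob.upper()  # hex digest: case-insensitive, compare normalised
        rdata = (rtype, fields[0], fields[1], fields[2], blob)
        anchors.setdefault(zone, set()).add(rdata)
    return anchors


def diff_anchors(old_text, new_text):
    """Per-zone added and removed records, plus zones with no anchors left."""
    old = parse_anchors(old_text)
    new = parse_anchors(new_text)
    added = {z: new[z] - old.get(z, set()) for z in new if new[z] - old.get(z, set())}
    removed = {z: old[z] - new.get(z, set()) for z in old if old[z] - new.get(z, set())}
    unsigned = sorted(z for z in old if z not in new)
    return {"added": added, "removed": removed, "unsigned": unsigned}


def format_report(diff):
    """Cron-mail style summary: '+' added, '-' removed, '!' zone now unsigned."""
    lines = []
    for zone, recs in sorted(diff["added"].items()):
        lines.extend(f"+ {zone} {' '.join(r)}" for r in sorted(recs))
    for zone, recs in sorted(diff["removed"].items()):
        lines.extend(f"- {zone} {' '.join(r)}" for r in sorted(recs))
    for zone in diff["unsigned"]:
        lines.append(f"! {zone} has no anchors left: zone goes back to unsigned")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_anchors(OLD_ANCHORS, NEW_ANCHORS)))
```

On the constructed sample this reports the new se key, the dropped se and cz keys, and cz as a zone that went back to unsigned; an updater built around it would only write the new anchors file and reload the validator after parsing succeeded, so a malformed or truncated download never replaces a good anchor list.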