Maintained by: NLnet Labs

[Unbound-users] Validating the root: translation of ICANN XML file

=JeffH
Tue Aug 24 19:03:37 CEST 2010


Hi,

Hauke's version of the Makefile doesn't work for me unfortunately.

Here's what I get (on Ubuntu 9.10 karmic)...

--
 > make
wget -nc -O root-anchors.xml https://data.iana.org/root-anchors/root-anchors.xml && touch root-anchors.xml

--2010-08-23 16:42:30--  https://data.iana.org/root-anchors/root-anchors.xml
Resolving data.iana.org... 192.0.32.25
Connecting to data.iana.org|192.0.32.25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 418 [text/xml]
Saving to: `root-anchors.xml'

100%[======================================>] 418         --.-K/s   in 0s

2010-08-23 16:42:30 (25.8 MB/s) - `root-anchors.xml' saved [418/418]

wget -nc -O root-anchors.asc https://data.iana.org/root-anchors/root-anchors.asc && touch root-anchors.asc

--2010-08-23 16:42:30--  https://data.iana.org/root-anchors/root-anchors.asc
Resolving data.iana.org... 192.0.32.25
Connecting to data.iana.org|192.0.32.25|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189 [text/plain]
Saving to: `root-anchors.asc'

100%[======================================>] 189         --.-K/s   in 0s

2010-08-23 16:42:30 (27.5 MB/s) - `root-anchors.asc' saved [189/189]

gpg --verify root-anchors.asc root-anchors.xml || \
                 sh -c 'echo "Invalid root-anchors.xml"; rm -f root-anchors.xml root-anchors.asc; exit 1;'
gpg: Signature made Tue 06 Jul 2010 03:49:10 PM PDT using DSA key ID 0F6C91D2
gpg: Can't check signature: public key not found      <====!!! ***
Invalid root-anchors.xml
make: *** [root-anchors.xml] Error 1
--

Note the "gpg: Can't check signature: public key not found" message.

The root-anchors.asc file contains only a signature..

--
 > cat root-anchors.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQBMM7Lm0a+84A9skdIRAmaXAKCCNJxxGCECU8JWkY9ofYbUbWhRswCfT16u
mJCNEcrHjgJdz5u01l2VZlU=
=umAT
-----END PGP SIGNATURE-----
--

..where's the pubkey supposed to come from to validate it?  If GPG is supposed 
to suck it over the net, maybe that's the problem?

(I've tried it from two different machines that are behind two different ISPs 
and middleboxes, failed both times)

Thanks,

=JeffH
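
The make rule in the output above prints "Invalid root-anchors.xml" for any gpg failure, including the missing-key case shown. As an added example (not part of the original post or of the Makefile it discusses), this shell sketch reads gpg's machine-readable `--status-fd` lines to tell "key not in keyring" apart from "signature does not match"; the function names, verdict strings and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a `gpg --verify` result from its status lines
# ("[GNUPG:] ...") so a missing public key is not reported as a bad file.

# classify_gpg_status: reads --status-fd output on stdin, prints one verdict.
# (Hypothetical helper name and verdict strings.)
classify_gpg_status() {
    verdict="unknown"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)
                # Checked against a key we hold, and the data does not match.
                verdict="bad-signature"; break ;;
            "[GNUPG:] NO_PUBKEY "*)
                # Signer's key is not in the keyring: nothing was verified.
                verdict="missing-key:${line#"[GNUPG:] NO_PUBKEY "}" ;;
            "[GNUPG:] ERRSIG "*)
                # Signature could not be checked; keep a more specific verdict.
                if [ "$verdict" = "unknown" ]; then verdict="cannot-check"; fi ;;
            "[GNUPG:] GOODSIG "*)
                # Matches a key in the keyring. Whether that key is the right
                # one is a separate trust decision.
                if [ "$verdict" = "unknown" ]; then verdict="good"; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# verify_detached SIG FILE: run gpg on a detached signature and classify it.
# Requires gpg on PATH; human-readable messages on stderr are discarded.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | classify_gpg_status
}

# Constructed status lines for the failure in the post (the key ID is a
# placeholder, not the real signing key).
sample_missing_key() {
    printf '%s\n' \
        '[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1278456550 9' \
        '[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
}

sample_missing_key | classify_gpg_status   # prints missing-key:0123456789ABCDEF
```

A build rule can then delete the downloaded files only on `bad-signature` and stop with a distinct message on `missing-key:*`.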