Maintained by: NLnet Labs

[Unbound-users] Validating the root: translation of ICANN XML file

Hauke Lampe
Tue Aug 24 22:00:04 CEST 2010


Hi Jeff.

On 24.08.2010 19:03, =JeffH wrote:

> ..where's the pubkey supposed to come from to validate it?  If GPG is
> supposed to suck it over the net, maybe that's the problem?

gpg needs to have IANA's DNSSEC public key in its keyring.

You can retrieve the key from public keyservers:
gpg --search-key dnssec at iana.org

or download it from IANA here:
http://data.iana.org/root-anchors/icann.pgp

Now that you have the key, you can either trust that its the right one.
That's what I did.

Or you would have to verify the key's fingerprint with IANA staff,
although I don't know if that's even an option[*].

JFTR, the key in my keyring has these IDs and fingerprint:

pub   1024D/0F6C91D2 2007-12-01 [expires: 2011-11-25]
Key fingerprint = 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
uid                  DNSSEC Manager <dnssec at iana.org>
sub   2048g/1975679E 2007-12-01


[*] How about a voice recording on a POTS extension? ;)



Hauke.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20100824/3582c266/attachment.pgp>