Maintained by: NLnet Labs

[Unbound-users] Validating the root: translation of ICANN XML file

=JeffH
Tue Aug 24 23:41:36 CEST 2010


Thanks Hauke, I'm past that particular issue now. but anther reared its head 
(down at end).

 > On 24.08.2010 19:03, =JeffH wrote:
 >
 > > ..where's the pubkey supposed to come from to validate it?  If GPG is
 > > supposed to suck it over the net, maybe that's the problem?
 >
 > gpg needs to have IANA's DNSSEC public key in its keyring.
 >
 > You can retrieve the key from public keyservers:
 > gpg --search-key dnssec at iana.org

Ok, that worked for me on one of my systems..

 > gpg --search-key dnssec at iana.org
gpg: searching for "dnssec at iana.org" from hkp server subkeys.pgp.net
(1)     DNSSEC Manager <dnssec at iana.org>
           1024 bit DSA key 0F6C91D2, created: 2007-12-01
Keys 1-1 of 1 for "dnssec at iana.org".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 0F6C91D2 from hkp server subkeys.pgp.net
gpg: key 0F6C91D2: public key "DNSSEC Manager <dnssec at iana.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: Total number processed: 1
gpg:               imported: 1



 > Now that you have the key, you can either trust that its the right one.
 > That's what I did.
 >
 > Or you would have to verify the key's fingerprint with IANA staff,
 > although I don't know if that's even an option[*].

the latter sounds like a question for dnssec-deployment@   :)


 > JFTR, the key in my keyring has these IDs and fingerprint:
 >
 > pub   1024D/0F6C91D2 2007-12-01 [expires: 2011-11-25]
 > Key fingerprint = 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
 > uid                  DNSSEC Manager <dnssec at iana.org>
 > sub   2048g/1975679E 2007-12-01

ok, so does the one in my keyring..

 > gpg --fingerprint dnssec at iana.org
pub   1024D/0F6C91D2 2007-12-01 [expires: 2011-03-04]
       Key fingerprint = 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
uid                  DNSSEC Manager <dnssec at iana.org>
sub   2048g/1975679E 2007-12-01



Now however, there's another problem with the Makefile 
<http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20100720/0fa5e52f/attachment-0005.txt>, 
at least for me:  (listing starts after root-anchors.* files are sucked over)..



gpg --verify root-anchors.asc root-anchors.xml || \
                 sh -c 'echo "Invalid root-anchors.xml"; rm -f root-anchors.xml 
root-anchors.asc; exit 1;'
gpg: Signature made Tue 06 Jul 2010 03:49:10 PM PDT using DSA key ID 0F6C91D2
gpg: Good signature from "DNSSEC Manager <dnssec at iana.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2FBB 91BC AAEE 0ABE 1F80  31C7 D1AF BCE0 0F6C 91D2
OK, root-anchors.xml is correct
xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml
dig DNSKEY . | grep -w 257 > untrusted.key

# Verify the key
# Thanks to Kazunori Fujiwara for the idea
dnssec-dsfromkey -2  untrusted.key > untrusted.ds       <<<====!!! 

dnssec-dsfromkey: invalid keyfile name untrusted.key: algorithm is unsupported
make: *** [root-anchors.txt] Error 1 


note the "algorithm is unsupported" error msg from dnssec-dsfromkey.

the dnssec-dsfromkey version I'm using is 9.6.1-P2.

thoughts?

thanks,

=JeffH