Maintained by: NLnet Labs

[Unbound-users] Validating the root: translation of ICANN XML file

Leen Besselink
Wed Aug 25 10:20:16 CEST 2010


On 08/25/2010 08:32 AM, Carsten Strotmann wrote:
>  On 8/24/10 11:41 PM, =JeffH wrote:
>   
>>  
>>
>> note the "algorithm is unsupported" error msg from dnssec-dsfromkey.
>>
>> the dnssec-dsfromkey version I'm using is 9.6.1-P2.
>>
>> thoughts?
>>
>>     
> That version of dnssec-dsfromkey is too old, it does not support SHA256.
> You need to upgrade your BIND tools package to a version that does
> SHA256, like BIND 9.7.1-P2 or BIND 9.6.2 (and up).
>
>   

When it turned out I didn't have this installed, I just did part of it by
hand once with unbound-host and set up the auto-trust-anchor:

- downloaded the files using https and verified the CA-cert(s).
- imported the PGP key in a temporary account.
- checked the files with the PGP-key
- grabbed the DS-record from the file(s) which were just checked before that
- munched the DS-record a bit (I think replace the IN with a .)
- and verified the root with unbound-host -vj "..."
After that I set up unbound to use auto-trust-anchor-file.

I think this should be ok and I shouldn't need to look at it ever again.

> -- Carsten
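The "grab the DS record from the checked file" step in the message above, as an added example that is not part of the original post or of the Unbound or BIND tools. It assumes the element and attribute names of ICANN's published root-anchors.xml layout (TrustAnchor, Zone, KeyDigest, KeyTag, Algorithm, DigestType, Digest, validFrom, validUntil); the function name is hypothetical and the sample document, key tags and digests are constructed values, not the real root anchor.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the shape of root-anchors.xml (made-up ids, tags, digests).
SAMPLE_XML = """<TrustAnchor id="EXAMPLE" source="http://example.invalid/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Kold" validFrom="2009-01-01T00:00:00+00:00" validUntil="2010-01-01T00:00:00+00:00">
<KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>%s</Digest></KeyDigest>
<KeyDigest id="Knew" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>%s</Digest></KeyDigest>
</TrustAnchor>""" % ("CD" * 32, "AB" * 32)

# DS digest type -> expected hex length (1 = SHA-1, 2 = SHA-256)
DIGEST_HEX_LEN = {1: 40, 2: 64}


def ds_records(xml_text, now):
    """Return zone-file style DS lines for every KeyDigest valid at `now`.

    Run this only on a file whose signature has already been checked;
    the XML itself carries no integrity protection.
    """
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone").strip()
    records = []
    for kd in root.findall("KeyDigest"):
        start = datetime.fromisoformat(kd.get("validFrom"))
        until = kd.get("validUntil")
        # Skip anchors that are not yet valid or already retired.
        if now < start or (until and now >= datetime.fromisoformat(until)):
            continue
        tag, alg, dtype = (int(kd.findtext(n)) for n in ("KeyTag", "Algorithm", "DigestType"))
        digest = kd.findtext("Digest").strip().upper()
        # Reject a truncated or malformed digest instead of emitting a bad anchor.
        if len(digest) != DIGEST_HEX_LEN.get(dtype) or set(digest) - set("0123456789ABCDEF"):
            raise ValueError(f"bad digest for key tag {tag} (digest type {dtype})")
        records.append(f"{zone} IN DS {tag} {alg} {dtype} {digest}")
    return records


if __name__ == "__main__":
    for line in ds_records(SAMPLE_XML, datetime.now(timezone.utc)):
        print(line)
```
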