Maintained by: NLnet Labs

Using unbound-anchor for non-default trust anchor

Robert Edmonds
Tue Jul 28 21:16:01 CEST 2015


Edward Lewis via Unbound-users wrote:
> unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org.
> 
> I am trying to test RFC 5011 capabilities by following these websites:
> 
> http://keyroll.systems
> and
> http://icksk.dnssek.info/fauxroot.html
> 
> Goal is to run unbound-anchor as a first step before trying to tune
> unbound to either of those experiments.

Hi, Ed:

IIRC, the HTTPS fetch from data.iana.org in unbound-anchor is a
fallback, if the RFC 5011 stuff fails.  You still ought to be able to
test the RFC 5011 stuff alone, if that's what you're trying to do.

I copied the root.db file at the bottom of
http://keyroll.systems/current into /tmp/root.db (would be nice if this
were downloadable as a separate file), and then tried unbound-anchor
with that root zone against the three most recent key files (at the
time) from the bottom of http://keyroll.systems/historic:

# Most recent key.

    edmonds at chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+55039.key
    edmonds at chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
    /tmp/root.key has content
    [1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:16 skipping type SOA
    [1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:26 skipping type TXT
    success: the anchor is ok

# Second most recent key.

    edmonds at chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+27079.key
    edmonds at chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
    /tmp/root.key has content
    [1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:16 skipping type SOA
    [1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:26 skipping type TXT
    success: the anchor is ok

# Third most recent key.

    edmonds at chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+42496.key
    edmonds at chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
    /tmp/root.key has content
    [1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:16 skipping type SOA
    [1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:26 skipping type TXT
    last successful probe: Tue Jul 28 15:09:16 2015
    the last successful probe is recent
    fail: the anchor is NOT ok and could not be fixed
    edmonds at chase{0}:~$ cat /tmp/root.key
    ; autotrust trust anchor file
    ;;REVOKED
    ; The zone has all keys revoked, and is
    ; considered as if it has no trust anchors.
    ; the remainder of the file is the last probe.
    ; to restart the trust anchor, overwrite this file.
    ; with one containing valid DNSKEYs or DSes.
    ;;id: . 1
    ;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
    ;;last_success: 1438110556 ;;Tue Jul 28 15:09:16 2015
    ;;next_probe_time: 0 ;;Wed Dec 31 19:00:00 1969
    ;;query_failed: 0
    ;;query_interval: 0
    ;;retry_time: 0
    .   3600    IN  DNSKEY  385 3 8 AwEAAct/IgeZiHmphBTGCJUxJNd1hy9uuqUJFtIsdJgyMr+LLnTjbqXkAF47BskHvSIrlQlIc/SDTDLtUktpM/IVWAjolSsP1+oNYwTi56WwW9nyc+vuJkPG8sxza1p7c7PoTegb2JPPEsmkLGMEDz0kliWHSZkinr9yB1/LxI3SBAYq17Od3CuIAWyU0F0pVxqJwJn/jWI4z1FdSwU9cGhx+/g8FvrnrOkOMyj08g4LlYf5PBpopB+Cz2JNOFa6DRr2WyUuVvbTa9ZnBCOTHcUsaoqVdvs3fihvcdpfWonHm7aJvyUnB3CiUQz/iIzvYTtx3+OF8+mOjy0qFX+Zk4KUg6U= ;{id = 42624 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1438110556 ;;Tue Jul 28 15:09:16 2015
    edmonds at chase{0}:~$ 

Hope this helps!

-- 
Robert Edmonds
edmonds at debian.org
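The autotrust file Robert prints at the end is what decides the third verdict: the ";;REVOKED" marker line, and a single DNSKEY whose flags value 385 is ZONE (256) + the RFC 5011 REVOKE bit (128) + SEP (1). It also explains why unbound's comment says "id = 42624" for a key that was fetched as K.+008+42496.key: the flags are the first 16-bit word the RFC 4034 Appendix B key-tag sum sees, so setting REVOKE normally moves the tag by exactly 128. The Python below is an added example, not code from unbound, unbound-anchor or anyone in this thread. It parses the pasted file (embedded as a constructed sample), decodes the flags, recomputes the key tag with and without the REVOKE bit, and reports why no usable anchor remains. The line layout of the autotrust file is an assumption inferred from that sample, not a documented format.

```python
"""Parse an unbound autotrust (RFC 5011) anchor file like /tmp/root.key above
and report why unbound-anchor called it NOT ok.  Added example, not unbound
code: flag bits and key tag per RFC 4034 App. B / RFC 5011; the autotrust
line layout is an assumption inferred from the pasted sample."""
import base64
import re
from dataclasses import dataclass

# DNSKEY flag bits: ZONE and SEP from RFC 4034 2.1.1, REVOKE from RFC 5011 2.1.
FLAG_ZONE, FLAG_REVOKE, FLAG_SEP = 0x0100, 0x0080, 0x0001

# Constructed sample: an abridged copy of the /tmp/root.key printed above.
SAMPLE_ANCHOR_FILE = """\
; autotrust trust anchor file
;;REVOKED
;;id: . 1
;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;last_success: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;query_failed: 0
.   3600    IN  DNSKEY  385 3 8 AwEAAct/IgeZiHmphBTGCJUxJNd1hy9uuqUJFtIsdJgyMr+LLnTjbqXkAF47BskHvSIrlQlIc/SDTDLtUktpM/IVWAjolSsP1+oNYwTi56WwW9nyc+vuJkPG8sxza1p7c7PoTegb2JPPEsmkLGMEDz0kliWHSZkinr9yB1/LxI3SBAYq17Od3CuIAWyU0F0pVxqJwJn/jWI4z1FdSwU9cGhx+/g8FvrnrOkOMyj08g4LlYf5PBpopB+Cz2JNOFa6DRr2WyUuVvbTa9ZnBCOTHcUsaoqVdvs3fihvcdpfWonHm7aJvyUnB3CiUQz/iIzvYTtx3+OF8+mOjy0qFX+Zk4KUg6U= ;{id = 42624 (ksk), size = 2048b} ;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1438110556 ;;Tue Jul 28 15:09:16 2015
"""


@dataclass
class AnchorKey:
    flags: int
    protocol: int
    algorithm: int
    key: bytes          # base64-decoded public key field
    unbound_tag: int    # the "{id = N" unbound wrote in its comment (-1 if absent)
    state: int          # ";;state=N" from the trailer comment (-1 if absent)
    state_name: str     # the bracketed label after the state, e.g. "REVOKED"

    def rdata(self, flags=None) -> bytes:
        # DNSKEY RDATA; pass flags to rebuild it with the REVOKE bit cleared.
        f = self.flags if flags is None else flags
        return f.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 special case omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def decode_flags(flags: int) -> list:
    bits = [(FLAG_ZONE, "ZONE"), (FLAG_REVOKE, "REVOKE"), (FLAG_SEP, "SEP")]
    return [name for bit, name in bits if flags & bit]


def parse_autotrust(text: str) -> dict:
    """Return {"all_revoked": bool, "meta": {name: value}, "keys": [AnchorKey]}."""
    af = {"all_revoked": False, "meta": {}, "keys": []}
    for line in text.splitlines():
        if line.startswith(";;REVOKED"):
            af["all_revoked"] = True
        elif line.startswith(";;"):
            # ";;last_success: 1438110556 ;;Tue ..." -> meta["last_success"] = "1438110556"
            m = re.match(r";;(\w+):\s*(.*?)(?:\s+;;.*)?$", line)
            if m:
                af["meta"][m.group(1)] = m.group(2)
        elif line.startswith(";") or not line.strip():
            continue
        else:
            record, _, trailer = line.partition(";")
            f = record.split()          # owner ttl class type flags proto alg key
            if len(f) < 8 or f[3] != "DNSKEY":
                continue
            tag = re.search(r"\{id = (\d+)", trailer)
            st = re.search(r";;state=(\d+)\s*\[\s*(\w+)\s*\]", trailer)
            af["keys"].append(AnchorKey(
                flags=int(f[4]), protocol=int(f[5]), algorithm=int(f[6]),
                key=base64.b64decode("".join(f[7:])),
                unbound_tag=int(tag.group(1)) if tag else -1,
                state=int(st.group(1)) if st else -1,
                state_name=st.group(2) if st else ""))
    return af


def explain(text: str) -> dict:
    af = parse_autotrust(text)
    keys = []
    for k in af["keys"]:
        keys.append({
            "flags": decode_flags(k.flags),
            "revoked": bool(k.flags & FLAG_REVOKE) or k.state_name == "REVOKED",
            "tag": key_tag(k.rdata()),
            # REVOKE changes the RDATA, so unbound's tag differs from the key file name.
            "tag_without_revoke": key_tag(k.rdata(k.flags & ~FLAG_REVOKE)),
            "unbound_tag": k.unbound_tag,
        })
    usable = [k for k in keys if not k["revoked"]]
    verdict = "%d usable key(s)" % len(usable)
    if af["all_revoked"] or not usable:
        verdict = ("no usable trust anchor: all keys revoked; overwrite the file "
                   "with valid DNSKEYs or DSes to restart RFC 5011 tracking")
    return {"all_revoked": af["all_revoked"], "last_success": af["meta"].get("last_success"),
            "keys": keys, "verdict": verdict}


if __name__ == "__main__":
    print(explain(SAMPLE_ANCHOR_FILE))
```

explain(SAMPLE_ANCHOR_FILE) reports all_revoked, flags ['ZONE', 'REVOKE', 'SEP'] and the "no usable trust anchor" verdict. If the pasted record is intact, "tag" should come out as the 42624 in unbound's id comment and "tag_without_revoke" as the 42496 in the K.+008+42496.key file name; the two differ by 128 unless the 16-bit carry fold in the tag algorithm happens to land in between, in which case by 129. Pointing parse_autotrust at a live /tmp/root.key while one of the keyroll.systems experiments runs lets you watch the state column move without re-running unbound-anchor.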