[Unbound-users] Validating the root: translation of ICANN XML file
=JeffH
Jeff.Hodges at KingsMountain.com
Wed Aug 25 19:43:22 UTC 2010
> As the root is signed with RSA/SHA-256, you need BIND 9.6.2 or later to
> validate signatures.
Thanks for the hint. Rather than muck with my (stock) Ubuntu system's DNS
underpinnings/tools, I noticed that the ldns tools I have also address this and
tried this in the Makefile rather than dnssec-dsfromkey..
ldns-key2ds -${HASHALG} -n untrusted.key > untrusted.ds
..which worked.
However, my awk and cut (or something) must be different than Stephane's
because I couldn't get the stuff after the dnssec-dsfromkey/ldns-key2ds parts
in the Makefile to work, even hacking around by hand.
However, Leen's "rootanchor2keys.pl"
<http://unbound.nlnetlabs.nl/pipermail/unbound-users/2010-July/001267.html>
apparently did the trick..
> wget -q -O- https://data.iana.org/root-anchors/root-anchors.xml |
./rootanchor2keys.pl -
/* created by ./rootanchor2keys.pl at 2010-08-25T19:21:51 */
trusted-keys {
/* id="Kjqmt7v", keytag=19036 */
"." 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0
EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q
Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO
A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8
ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
Now, it apparently is printing to stdout what the Makefile would have output as
root-anchors.dnskey, yes?
My interest in getting the root-anchor set up on my system at this time is to
be able to use ldns tools such as drill et al -- so do I need to produce a
root-anchors.mkey ("managed keys"?) file also? And how does it differ
syntactically from the above?
And also, where do I need to place these files such that the ldns tools such as
drill et al will find them?
Thanks for the help,
=JeffH
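The DNSKEY-to-DS conversion that the message hands to ldns-key2ds can be reproduced by hand to check a trust anchor. The following is an added example, not part of the original post and not ldns code: it takes the DNSKEY printed above and derives its key tag (RFC 4034 Appendix B) and SHA-256 DS digest. Function names are illustrative.

```python
import base64
import hashlib
import struct

# DNSKEY public key exactly as printed in the message above
# (owner ".", flags 257, protocol 3, algorithm 8 = RSA/SHA-256).
ROOT_KSK_B64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0"
    "EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q"
    "Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO"
    "A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8"
    "ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)

def name_to_wire(name):
    """Canonical (lowercased) wire form of a name; the root is one zero byte."""
    out = b""
    for label in name.lower().strip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B checksum (valid for every algorithm except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, key_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 digest in hex)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(".", 257, 3, 8, ROOT_KSK_B64)
    print(". IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

The computed key tag and digest are the values to compare against the KeyTag and Digest elements of root-anchors.xml before trusting the key.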