How do I get from IANA's root-anchors.xml to managed-keys{}?
Kalman Feher
kalman.feher at melbourneit.com.au
Fri Jul 16 13:00:11 UTC 2010
As a once-off I did the following last night (yes, I know the DNSKEY would
have been fine too). anchors2keys worked fine so long as the format was
correct, so...
I just cut and pasted the content of:
https://data.iana.org/root-anchors/root-anchors.xml
Zone to delegation, algorithm, digest type and keytag to their corresponding
fields, and digest between the <delegation></delegation> tags. The serial
was last night's root serial, but it has no effect on the conversion.
Here was my file contents:
cat root-anchor.xml
<?xml version="1.0"?>
<zone name="." serial="2010071500">
  <delegation name=".">
    <ds algorithm="8" digesttype="2" keytag="19036">49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</ds>
  </delegation>
</zone>
anchors2keys < root-anchor.xml > root-anchor
Which became:
cat root-anchor
trusted-keys {
".." 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0
EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/Q
Zxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hO
A2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8
ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
Yes, the script appends the <zone> to the <delegation>. I was too lazy to fix
it in the script. I just changed the resulting trust anchor entry to this:
managed-keys {
. initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI
0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/
QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5h
OA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub
8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};
Include it in named.conf.
Done.
I'll now check Stephane's tool, which might be more sensible.
On 16/07/10 10:56 AM, "Hauke Lampe" <lampe at hauke-lampe.de> wrote:
>
> Greetings, everyone.
>
> Now that the signed root is finally in production, how do I initialize BIND's
> RFC5011 key management from the XML file published by IANA?
>
> I downloaded the files and checked the PGP signature:
>
> http://data.iana.org/root-anchors/root-anchors.xml
> http://data.iana.org/root-anchors/root-anchors.asc
>
> The XML file contains a DS hash of the root KSK, but BIND needs a public key
> in the managed-keys clause.
>
> Are there any tools to retrieve the DNSKEY and validate it with the hash? Or
> even process the XML directly?
>
> So far I used unbound to bootstrap the key but I am looking for a simpler way.
>
> Hauke.
>
--
Kal Feher
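Added example (mine, not anchors2keys and not from either poster): a small Python script that does what Hauke asked for. It parses the 2010-format root-anchors.xml exactly as Kalman pasted it, takes the root KSK DNSKEY from the thread (embedded inline so it runs offline; in practice you would fetch it with dig . DNSKEY), computes the RFC 4034 key tag and DS digest, and only renders a managed-keys {} clause when the digest matches the IANA DS. The function names and the single zero byte used as the wire form of the root owner name "." are my own choices.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
# Constructed copy of the 2010-format root-anchors.xml as pasted in the thread (DS only, no key).
ROOT_ANCHORS_XML = (
    '<?xml version="1.0"?><zone name="." serial="2010071500"><delegation name=".">'
    '<ds algorithm="8" digesttype="2" keytag="19036">'
    '49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</ds>'
    '</delegation></zone>'
)
# Root KSK DNSKEY as quoted in the thread; fetched separately (dig . DNSKEY) and embedded to run offline.
ROOT_KSK = {"flags": 257, "protocol": 3, "algorithm": 8, "key": (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI"
    "0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/"
    "QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5h"
    "OA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub"
    "8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=")}

def parse_ds(xml_text):
    """Yield (keytag, algorithm, digesttype, digest_hex) for each <ds> element."""
    for ds in ET.fromstring(xml_text).iter("ds"):
        yield (int(ds.get("keytag")), int(ds.get("algorithm")),
               int(ds.get("digesttype")), ds.text.strip().upper())

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """RFC 4034 s2.1 wire RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (the generic computation, which algorithm 8 uses)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner_wire, rdata, digesttype):
    """RFC 4034 s5.1.4: digest over owner name (wire format) followed by the DNSKEY RDATA."""
    return hashlib.new({1: "sha1", 2: "sha256"}[digesttype], owner_wire + rdata).hexdigest().upper()

def verify_root_ksk(xml_text, key):
    """True only if some <ds> matches the key's computed tag, algorithm and digest. Root owner "." is b"\\x00"."""
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["key"])
    return any(tag == key_tag(rdata) and alg == key["algorithm"]
               and ds_digest(b"\x00", rdata, dtype) == digest
               for tag, alg, dtype, digest in parse_ds(xml_text))

def managed_keys_clause(key):
    """Render the managed-keys {} stanza BIND expects for the root (RFC 5011 initial-key)."""
    return 'managed-keys {\n    . initial-key %d %d %d "%s";\n};\n' % (
        key["flags"], key["protocol"], key["algorithm"], key["key"])
```

Call verify_root_ksk(ROOT_ANCHORS_XML, ROOT_KSK) first and only write managed_keys_clause(ROOT_KSK) into named.conf when it returns True; a key whose digest does not match the signed XML must not become a trust anchor.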