[Unbound-users] Using the ITAR
wouter at NLnetLabs.nl
Thu Feb 19 15:24:36 CET 2009
-----BEGIN PGP SIGNED MESSAGE-----
The new IANA ITAR provides trust anchors for TLDs (se, br, cz and more),
and with the IANA providing strong verification - using their existing
contacts with the operators of those zones - I was thinking it would be
nice to use it with the unbound validator.
When the list of anchors grows, you need an automated way to pick up
changes. I've made such a script, and set it up for us locally. I
hope it can be useful for you too.
(these hashes are so that my pgp key signs the hashes, so you can trust
the pgp public key for the ITAR inside the script)
How does it work:
Fetches the key file and verifies the contents with the IANA ITAR public
PGP key. Prints differences (so changes are visible in cron mail).
You can configure it to use other PGP keys or trust anchor repositories,
simply edit the shell file variables at the top. The PGP key for IANA
ITAR comes distributed and is used by default. It picks up new keys,
removed keys, or even if all keys are removed a zone goes back to
unsigned (if the zone decides to go back to unsigned).
How to install it:
Assuming your unbound works in /usr/local/etc/unbound
Install the script, copy it to /usr/local/etc/unbound/update-itar.sh.
In your unbound.conf edit the following line
You can keep your existing trust anchor definitions if you want, they
only add new trust, and do not remove it.
Try the script manually, as root do:
$ cd /usr/local/etc/unbound
This should work and unbound-checkconf should have no errors.
Then you can do unbound-control reload.
Now make a cron job that does:
cd /usr/local/etc/unbound; ./update-itar.sh && unbound-control reload
Then you can dig cz SOA +dnssec, and see if the ad flag is there.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Unbound-users