On Fri, Jul 16, 2010 at 06:16:13PM +0900,
 Kazunori Fujiwara <fujiw...@wide.ad.jp> wrote 
 a message of 25 lines which said:

> You can check root DNSKEY RR and root-anchors.xml
> using dig and dnssec-dsfromkey.

Good idea and here is a Makefile and an XSLT script which automate the
whole thing. Bug reports welcome.

KEYFLAGS=257
HASHALG=2 # For dnssec-dsfromkey (2 = SHA-256)

all: root-anchors.txt root-anchors.dnskey

root-anchors.txt: root-anchors.xml
	xsltproc -o root-anchors.txt anchors2ds.xsl root-anchors.xml

root-anchors.xml:
	wget -nc https://data.iana.org/root-anchors/root-anchors.xml
	wget -nc https://data.iana.org/root-anchors/root-anchors.asc
	# gpg can only verify this if IANA's signing key is in the local keyring;
	# a failed check removes the files and stops make
	gpg --verify root-anchors.asc root-anchors.xml || \
		{ rm -f root-anchors.asc root-anchors.xml; exit 1; }

root-anchors.dnskey: root-anchors.txt
	dig DNSKEY . | grep -w ${KEYFLAGS} > untrusted.key
	# Verify the key
	# Thanks to Kazunori Fujiwara for the idea
	dnssec-dsfromkey -${HASHALG} untrusted.key > untrusted.ds
	# Normalise the DS output to one line per key, digest without spaces,
	# so it can be compared byte for byte with the XSLT output
	cut -d' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
	cut -d' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp
	echo >> root-anchors.tmp
	@diff root-anchors.txt root-anchors.tmp || \
		{ echo "Invalid DNSKEY, deleting temporary files"; \
		  rm -f root-anchors.tmp untrusted.key untrusted.ds; exit 1; }
	# Rewrite the DNSKEY RR in BIND trusted-keys syntax
	awk '{print $$1 " " $$5 " " $$6 " " $$7 " " "\""; for (i = 8; i <= NF; i++) printf $$i " "; print "\";"}' untrusted.key > root-anchors.dnskey
	@echo "OK, root-anchors.dnskey is correct"

clean:
	rm -f root-anchors.txt untrusted.key untrusted.ds root-anchors.tmp

realclean: clean
	rm -f root-anchors.xml root-anchors.asc

Attachment: anchors2ds.xsl
Description: XML document
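The check the Makefile does with dnssec-dsfromkey and diff, written out as an added Python example (not part of the original post): compute the key tag and DS digest from a root DNSKEY line as dig prints it, then look that tuple up among the KeyDigest entries of root-anchors.xml. The DNSKEY line and the XML are constructed sample data; only the root owner name is handled, and the gpg check of IANA's signature is assumed to have been done separately.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """Wire-format DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, public key."""
    return bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B; this is the number dnssec-dsfromkey prints."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner_wire, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 2 is SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_wire + rdata).hexdigest().upper()

def dnskey_line_to_ds(line, digest_type=2):
    """Turn one root DNSKEY line as printed by dig into (tag, alg, digest type, digest)."""
    f = line.split()  # owner TTL IN DNSKEY flags protocol algorithm key...
    if f[0] != "." or f[3] != "DNSKEY":
        raise ValueError("expected a DNSKEY RR owned by the root zone")
    rdata = dnskey_rdata(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))
    root_wire = b"\x00"  # the root name "." is a single empty label in wire form
    return key_tag(rdata), int(f[6]), digest_type, ds_digest(root_wire, rdata, digest_type)

def anchors_from_xml(xml_text):
    """Collect (tag, alg, digest type, digest) from every KeyDigest in root-anchors.xml."""
    return {(int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
             int(kd.findtext("DigestType")), kd.findtext("Digest").strip().upper())
            for kd in ET.fromstring(xml_text).iter("KeyDigest")}

def dnskey_matches_anchors(line, xml_text):
    """True only if the DS computed from the fetched DNSKEY is listed in the anchor file."""
    return dnskey_line_to_ds(line) in anchors_from_xml(xml_text)

# Constructed sample input (not a real root key): a 4-byte "key" keeps the tag checkable by hand.
SAMPLE_DNSKEY_LINE = ".\t172800\tIN\tDNSKEY\t257 3 8 AQIDBA=="
_tag, _alg, _dt, _digest = dnskey_line_to_ds(SAMPLE_DNSKEY_LINE)
SAMPLE_ANCHORS_XML = (  # same element layout as IANA's file, values taken from the sample key
    f'<TrustAnchor id="constructed" source="constructed"><Zone>.</Zone><KeyDigest id="k1">'
    f'<KeyTag>{_tag}</KeyTag><Algorithm>{_alg}</Algorithm><DigestType>{_dt}</DigestType>'
    f'<Digest>{_digest}</Digest></KeyDigest></TrustAnchor>')
```

For the real thing, feed `dnskey_matches_anchors` the `grep -w 257` line from `dig DNSKEY .` and the contents of the gpg-verified root-anchors.xml; a False result means the fetched key must not be installed.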

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users