Control: tags -1 + patch Wrote patches to fix the default paths to match the Debian environment, remove DLV, and correct the python-unbound initialization in tlsa: uncomment and use add_ta_file instead of ub_ctx_trustedkeys, which matches the libunbound documentation:
https://unbound.net/documentation/libunbound-tutorial-6.html -- Gerald Turner <[email protected]> Encrypted mail preferred! OpenPGP: 4096R / CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
diff --git a/tlsa b/tlsa
index 692f0f8..7e8fcbc 100755
--- a/tlsa
+++ b/tlsa
@@ -27,9 +27,9 @@ from binascii import a2b_hex, b2a_hex
from hashlib import sha256, sha512
from ipaddr import IPv4Address, IPv6Address
-ROOTKEY="/etc/unbound/root.key"
-DLVKEY="/etc/unbound/dlv.isc.org.key"
-CAFILE='/etc/pki/tls/certs/ca-bundle.crt'
+ROOTKEY="/var/lib/unbound/root.key"
+#DLVKEY="/etc/unbound/dlv.isc.org.key"
+CAFILE='/etc/ssl/certs/ca-certificates.crt'
def genTLSA(hostname, protocol, port, certificate, output='generic', usage=1, selector=0, mtype=1):
"""This function generates a TLSARecord object using the data passed in the parameters,
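Review bot: The DLV anchor is kept as a commented-out `#DLVKEY="/etc/unbound/dlv.isc.org.key"` instead of being deleted, so a dead path for the lookaside service this patch retires stays in the file; drop the line rather than comment it. The same applies to the `#unbound.ub_ctx_trustedkeys(ctx,ROOTKEY)` and `#ctx.set_option("dlv-anchor-file:", DLVKEY)` lines in the getRecords hunk below, which would otherwise reference a name that no longer exists if anyone uncomments them. Since `ROOTKEY` now points at `/var/lib/unbound/root.key`, a short comment such as `# root trust anchor; presumably maintained by unbound-anchor, must be readable by the invoking user` would tell the next packager why the path differs from the upstream default.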
@@ -130,9 +130,9 @@ def getRecords(hostname, rrtype='A', secure=True):
"""Do a lookup of a name and a rrtype, returns a list of binary coded strings. Only queries for rr_class IN."""
global resolvconf
ctx = unbound.ub_ctx()
- #ctx.add_ta_file(ROOTKEY)
- unbound.ub_ctx_trustedkeys(ctx,ROOTKEY)
- ctx.set_option("dlv-anchor-file:", DLVKEY)
+ ctx.add_ta_file(ROOTKEY)
+ #unbound.ub_ctx_trustedkeys(ctx,ROOTKEY)
+ #ctx.set_option("dlv-anchor-file:", DLVKEY)
# Use the local cache
if resolvconf and os.path.isfile(resolvconf):
ctx.resolvconf(resolvconf)
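Review bot: The status returned by `ctx.add_ta_file(ROOTKEY)` is discarded, so a missing or unreadable trust-anchor file leaves the context with no trust anchor and DNSSEC validation silently disabled, which matters because callers pass `secure=True` expecting validated answers; how that flag is acted on lies below the hunk. Check the return code, e.g. `status = ctx.add_ta_file(ROOTKEY)` followed by `if status != 0: raise RuntimeError("cannot load trust anchor %s: %s" % (ROOTKEY, unbound.ub_strerror(status)))`, so the failure is loud rather than degrading every lookup to unvalidated. The two commented-out lines that follow the call should be removed rather than kept. getRecords continues past the end of the hunk.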
diff --git a/openpgpkey b/openpgpkey
index ef5b5c4..3c18550 100755
--- a/openpgpkey
+++ b/openpgpkey
@@ -62,8 +62,8 @@ if __name__ == '__main__':
parser.add_argument('--insecure', action='store_true', default=False, help='Allow use of non-dnssec secured answers')
parser.add_argument('--resolvconf', action='store', default='', help='Use a recursive resolver listed in a resolv.conf file (default: /etc/resolv.conf)')
- parser.add_argument('--rootanchor', action='store', default='/var/lib/unbound/root.anchor', help='Location of the unbound compatible DNSSEC root.anchor (default: /var/lib/unbound/root.anchor)')
- parser.add_argument('--rrtype', metavar='rrtype', action='store', default=65280, help='Location of the unbound compatible DNSSEC root.anchor (default: /var/lib/unbound/root.anchor)')
+ parser.add_argument('--rootanchor', action='store', default='/var/lib/unbound/root.key', help='Location of the unbound compatible DNSSEC root.anchor (default: /var/lib/unbound/root.key)')
+ parser.add_argument('--rrtype', metavar='rrtype', action='store', default=65280, help='Location of the unbound compatible DNSSEC root.anchor (default: /var/lib/unbound/root.key)')
parser.add_argument('email', metavar="email")
parser.add_argument('--debug', '-d', action='store_true', help='Print details plus the result of the validation')
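Review bot: The help string for `--rrtype` still describes the root anchor ("Location of the unbound compatible DNSSEC root.anchor ..."), a copy-paste from the `--rootanchor` line above that the commit edits but does not correct, so `--help` misdescribes the option. Replace it with something like `help='RR type number to query (default: 65280)'`. The default `65280` is an int while a value given on the command line arrives as a str under `action='store'`; if the value is compared or used numerically below the hunk, adding `type=int` keeps both paths consistent — confirm against the use site.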
@@ -79,7 +79,7 @@ if __name__ == '__main__':
global ctx
ctx = unbound.ub_ctx()
resolvconf = "/etc/resolv.conf"
- rootanchor = "/var/lib/unbound/root.anchor"
+ rootanchor = "/var/lib/unbound/root.key"
dlvkey = "/etc/unbound/dlv.isc.org.key"
if args.resolvconf:
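Review bot: `dlvkey = "/etc/unbound/dlv.isc.org.key"` on the line after the change is left in place although the tlsa part of this patch removes the DLV anchor, so the two tools now disagree about DLV; if the variable is still passed to `set_option("dlv-anchor-file:", ...)` further down (outside the hunk), the same removal belongs here. The hard-coded `rootanchor = "/var/lib/unbound/root.key"` also duplicates the argparse default set in the earlier hunk; presumably `args.rootanchor` overrides it below, and a one-line comment saying so (`# fallback when --rootanchor is not given`) would make the duplication intentional rather than suspicious.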

