On 30 Nov 2016, at 14:49, John Levine wrote:
In article <alpine.deb.2.02.1611301658190.3...@uplift.swm.pp.se> you write:
On Wed, 30 Nov 2016, Matt Larson wrote:
Did you see my message earlier in the thread? Is there a reason you
don't include a third option: retrieving the trust anchor file published
by IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and
validating with the detached S/MIME signature published in the same
place (https://data.iana.org/root-anchors/root-anchors.p7s)? That
signature chains to the ICANN CA cert, which currently expires in 2029.
Sure, it's more code, but it can all be done with OpenSSL, for example.
This sounds like a workable solution.
It would be great if ICANN could write a document outlining how to do
this and perhaps even provide FOSS example code.
$ wget https://data.iana.org/root-anchors/root-anchors.xml
$ wget https://data.iana.org/root-anchors/root-anchors.p7s
$ openssl smime -verify -in root-anchors.p7s -inform der \
    -content root-anchors.xml -noverify
If you have the ICANN CA cert lying around, replace -noverify with
-CAfile <cacertfile>.
As stated earlier today, there is such a tool at
<https://github.com/kirei/dnssec-ta-tools/tree/master/get_trust_anchor>.
It has a few more steps than what you listed here, namely ones to
actually validate that the KSK in the root zone matches the one in the
root-anchors.xml file, and that the contents of the file are sane.
--Paul Hoffman
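The extra step Paul mentions (checking that a DNSKEY fetched from the root zone actually matches a KeyDigest entry in root-anchors.xml, and that the file is sane) as an added Python example; this is not the kirei tool's code, and the DNSKEY, its key bytes and the XML are constructed stand-ins, not the real IANA file or root KSK.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed DNSKEY for "." (flags proto alg key); the key bytes are a stand-in.
SAMPLE_DNSKEY = "257 3 8 AwEAAavN"

def dnskey_rdata(presentation):
    """Encode 'flags proto alg base64key' as DNSKEY wire RDATA (RFC 4034 s2.1)."""
    flags, proto, alg, key = presentation.split(None, 3)
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + base64.b64decode(key)

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B (all algorithms except RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(rdata, digest_type):
    """DS digest over owner name in wire form (the root is one NUL byte) + RDATA."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, b"\x00" + rdata).hexdigest().upper()

# Constructed root-anchors.xml-layout file (not IANA's); KeyTag/Digest derive from SAMPLE_DNSKEY.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example-only" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Kexample" validFrom="2016-01-01T00:00:00+00:00">
<KeyTag>{tag}</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{digest}</Digest>
</KeyDigest>
</TrustAnchor>""".format(tag=key_tag(dnskey_rdata(SAMPLE_DNSKEY)),
                        digest=ds_digest(dnskey_rdata(SAMPLE_DNSKEY), 2))

def matching_anchor_ids(xml_text, dnskey_presentation, now=None):
    """Ids of KeyDigest entries that are valid at `now` and match the DNSKEY."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor" or root.findtext("Zone") != ".":
        raise ValueError("not a root-zone TrustAnchor file")  # basic sanity check
    rdata, matches = dnskey_rdata(dnskey_presentation), []
    for kd in root.iter("KeyDigest"):
        lo, hi = kd.get("validFrom"), kd.get("validUntil") or "9999-12-31T00:00:00+00:00"
        if not datetime.fromisoformat(lo) <= now < datetime.fromisoformat(hi):
            continue  # outside this anchor's validity window
        if (int(kd.findtext("KeyTag")) == key_tag(rdata) and rdata[3] == int(kd.findtext("Algorithm"))
                and kd.findtext("Digest").upper() == ds_digest(rdata, int(kd.findtext("DigestType")))):
            matches.append(kd.get("id"))
    return matches
```

Run against the real file, the XML would be the S/MIME-verified root-anchors.xml and the DNSKEY the KSK from a fresh query for `. DNSKEY`; an empty result means the anchor file and the zone disagree and the anchor must not be installed.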
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop