[dns-operations] Root DNSSEC key attestation
Tony Finch
dot at dotat.at
Fri Jul 16 17:05:06 UTC 2010
On Fri, 16 Jul 2010, Christopher J. Pilkington wrote:
>
> Ok, I'm drawing a blank... for the noobs (and the non-noobs who
> just fail miserably), can someone point me to a tool that will
> take the DS and fetch whatever is needed from the root to put
> into a Bind trust anchor?
The process is actually the opposite. BIND requires trust anchors in
DNSKEY format, but IANA publishes them in DS format (the DS being a digest
of the DNSKEY). So you need to fetch the root DNSKEY using dig, convert it
to a DS using dnssec-dsfromkey, and compare that to the published trust
anchor to verify that you have the correct DNSKEY to add to your BIND
configuration. There's a more detailed explanation at
http://fanf.livejournal.com/107310.html
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
SOUTH BISCAY SOUTH FITZROY: WESTERLY BECOMING VARIABLE OR NORTHERLY 3 OR 4,
OCCASIONALLY 5, BUT 6 LATER IN SOUTHEAST FITZROY. MODERATE OR ROUGH. SHOWERS.
MODERATE OR GOOD.
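
The check described in the message above (derive a DS from the fetched DNSKEY, then compare it with the published trust anchor), as an added example that is not part of the original post. It performs the RFC 4034 DS computation in Python rather than running dnssec-dsfromkey, assumes digest type 2 (SHA-256), and uses constructed key material and hypothetical function names.

```python
import base64
import hashlib
import struct

# Constructed sample key material (NOT the real root key): 64 arbitrary bytes.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased labels, '.' is the root."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64):
    """Return (key tag, algorithm, digest type 2, SHA-256 hex digest) for a DNSKEY."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def matches_anchor(ds, anchor_text):
    """Compare a computed DS with published 'tag alg digesttype digest' text."""
    parts = anchor_text.split()
    if len(parts) < 4:
        return False
    try:
        fields = tuple(int(p) for p in parts[:3])
    except ValueError:
        return False
    # Presentation format may split the hex digest with whitespace.
    return fields == ds[:3] and "".join(parts[3:]).upper() == ds[3]


if __name__ == "__main__":
    fetched = ds_from_dnskey(".", 257, 3, 8, SAMPLE_KEY_B64)
    published = "%d %d %d %s" % fetched  # stands in for the anchor obtained out of band
    print("computed DS:", published)
    print("safe to configure:", matches_anchor(fetched, published))
```

The comparison only means something when the published DS text is obtained from IANA independently of the DNS path that supplied the DNSKEY.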