lost and found ( for me ? )

Unbound DNSSEC ITAR

[root@arizona unbound]# cat /etc/fedora-release
Fedora release 12 (Constantine)

unbound 1.3.4

Download the ITAR

Download http://unbound.nlnetlabs.nl/svn/trunk/contrib/update-itar.sh

The shell script update-itar.sh writes the IANA ITAR PGP key file (update-itar.key) and downloads anchors.mf (the ITAR trust anchors) for you.

Let's try running it.

[root@arizona ~]# ./update-itar.sh
creating default IANA ITAR pgp key file
Updating ./anchors.mf

[root@arizona ~]# cat update-itar.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5

mQGiBElr2DcRBAC+6YK6eSP7rzstvnMPQXMrpvVfuIR5FeTpGuwae9JP78V/iOXr
N0yW8Dn6kdAztCMuRizL1Ij9IgaD7pjn8h09VgR4cN4LDv75rcQeWLzNxKy4UNRF

[root@arizona ~]# cat anchors.mf
;
; Interim Trust Anchor Repository
; (Master file format)
;
; See https://itar.iana.org/ for details. This is currently an
; experimental service.
;
; Generated: 2010-01-14 05:45:03.891648
; Serial: 35
;

BG. DS 46846 5 1 1D83F503CCED4A4B6F7F8DB1CF43D38F9133A3EA
CH. DS 54624 7 1 66B273B62A7282590410B4E6831A665A930CC2E9
CZ. DS 7978 5 1 9B6C3898470914CDDA98D0CC001688CB32C17A09

- Edit unbound.conf

trust-anchor-file: "/etc/unbound/anchors.mf"

- Copy the shell script update-itar.sh to /etc/unbound

[root@arizona ~]# cp update-itar.sh /etc/unbound/

- Create the PGP key file, download anchors.mf, and reload unbound

Before running:

[root@arizona ~]# cd /etc/unbound/
[root@arizona unbound]# pwd
/etc/unbound
[root@arizona unbound]# ls
unbound.conf unbound_control.key unbound_server.key update-itar.sh
unbound.conf.bak unbound_control.pem unbound_server.pem

Run:

[root@arizona unbound]# ./update-itar.sh && unbound-control reload
creating default IANA ITAR pgp key file
Updating ./anchors.mf
ok

After running:

[root@arizona unbound]# ls
anchors.mf unbound_control.key unbound_server.pem
unbound.conf unbound_control.pem update-itar.key
unbound.conf.bak unbound_server.key update-itar.sh

Verify. The ad (Authenticated Data) flag is set: the answer passed DNSSEC validation against the loaded trust anchors.

[root@arizona unbound]# dig @127.1 org SOA +dnssec +multiline

; <<>> DiG 9.6.1-P3-RedHat-9.6.1-16.P3.fc12 <<>> @127.1 org SOA +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1077
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN SOA

;; ANSWER SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. (
2009012953 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
org. 900 IN RRSIG SOA 7 1 900 20100227030417 (
20100213020417 32114 org.
QeOfzn4qX2d2dJZCtTkfo5ulOO2LQ/F4EfTe7bddfJNr
cUUz+gJbUTCsccbl02nuXUq8UxyWwb/gcj5/ktNIXgtM
bABwFqBCkI2cgNZYdrD4rGGEwwu/TMUdnZG5qHJElq4r
0hbkKHQnZPAMuZS65BiSPtoAejO9y5CT3ZLPZHs= )

;; AUTHORITY SECTION:
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN RRSIG NS 7 1 86400 20100223154523 (
20100209144523 32114 org.
OU7YwbDZm+30Ycqk8vCxCx0hqLPOPhFGfggoNMxtGJMG
SjHYW//Jj557AsS7+LN1T9huJczJsdRA98w36qlKTWZ3
TZeW6YahsJeXScbPd7oBLcKyXOPCkQUxz3g1pVcHjlUU
UCC98BkgUaEHK5VJa1WrrrCvRkVqh47xlDIfhlI= )
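A sanity check worth running before `unbound-control reload`: a malformed anchors.mf (truncated digest, wrong digest type) gives you a resolver that cannot validate instead of one that does. The script below is an added example, not part of the original post or of update-itar.sh; it parses the master-file DS lines in the layout shown above, flags records whose digest length does not match the digest type, and parses the dig flags line for the ad bit. The sample file is constructed; the BAD. entry is deliberately broken.

```python
import re

# Constructed sample in the anchors.mf layout shown above; the BAD. entry is
# deliberately malformed (digest type 2 = SHA-256, but only a 40-hex-char digest).
SAMPLE_ANCHORS = """\
; Interim Trust Anchor Repository (constructed sample, not a real download)
BG. DS 46846 5 1 1D83F503CCED4A4B6F7F8DB1CF43D38F9133A3EA
CZ. DS 7978 5 1 9B6C3898470914CDDA98D0CC001688CB32C17A09
BAD. DS 12345 7 2 0123456789ABCDEF0123456789ABCDEF01234567
"""

DIGEST_HEX_LEN = {1: 40, 2: 64}  # DS digest type -> expected hex length (SHA-1, SHA-256)

def parse_ds_records(text):
    """Parse master-file DS lines into (owner, keytag, alg, dtype, digest) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) > 1 and fields[1].upper() == "IN":  # optional class token
            del fields[1]
        if len(fields) < 5 or fields[1].upper() != "DS":
            raise ValueError("not a DS record: %r" % raw)
        owner, keytag, alg, dtype = fields[0], int(fields[2]), int(fields[3]), int(fields[4])
        records.append((owner, keytag, alg, dtype, "".join(fields[5:]).upper()))
    return records

def check_ds_records(records):
    """Return a list of problems; an empty list means the file is sane to load."""
    problems = []
    for owner, keytag, alg, dtype, digest in records:
        if not owner.endswith("."):
            problems.append("%s: owner name is not fully qualified" % owner)
        if not 0 <= keytag <= 65535:
            problems.append("%s: key tag %d out of range" % (owner, keytag))
        expected = DIGEST_HEX_LEN.get(dtype)
        if expected is None:
            problems.append("%s: unknown digest type %d" % (owner, dtype))
        elif len(digest) != expected or not re.fullmatch(r"[0-9A-F]+", digest):
            problems.append("%s: digest type %d needs %d hex chars, got %d"
                            % (owner, dtype, expected, len(digest)))
    return problems

def ad_flag_set(dig_output):
    """True when dig's ';; flags:' header line carries ad (Authenticated Data)."""
    m = re.search(r"^;; flags:([^;]*);", dig_output, re.M)
    return bool(m) and "ad" in m.group(1).split()
```

Run check_ds_records(parse_ds_records(open("/etc/unbound/anchors.mf").read())) after update-itar.sh and only reload when it returns an empty list.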

This shell script is really handy.
