[root@arizona unbound]# cat /etc/fedora-release
Fedora release 12 (Constantine)
unbound 1.3.4
ITAR をダウンロード
http://unbound.nlnetlabs.nl/svn/trunk/contrib/update-itar.sh をダウンロード
シェルスクリプト update-itar.sh は、IANA ITAR の PGP 公開鍵ファイル ( update-itar.key ) の作成と、anchors.mf ( ITAR ) のダウンロードをしてくれる。
ためしに実行してみる。なお、このスクリプトは http で取得したもので、PGP 公開鍵ファイルと DNSSEC のトラストアンカーを書き出すため、root で実行する前に中身を確認しておく。
[root@arizona ~]# ./update-itar.sh
creating default IANA ITAR pgp key file
Updating ./anchors.mf
[root@arizona ~]# cat update-itar.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5
mQGiBElr2DcRBAC+6YK6eSP7rzstvnMPQXMrpvVfuIR5FeTpGuwae9JP78V/iOXr
N0yW8Dn6kdAztCMuRizL1Ij9IgaD7pjn8h09VgR4cN4LDv75rcQeWLzNxKy4UNRF
[root@arizona ~]# cat anchors.mf
;
; Interim Trust Anchor Repository
; (Master file format)
;
; See https://itar.iana.org/ for details. This is currently an
; experimental service.
;
; Generated: 2010-01-14 05:45:03.891648
; Serial: 35
;
BG. DS 46846 5 1 1D83F503CCED4A4B6F7F8DB1CF43D38F9133A3EA
CH. DS 54624 7 1 66B273B62A7282590410B4E6831A665A930CC2E9
CZ. DS 7978 5 1 9B6C3898470914CDDA98D0CC001688CB32C17A09
- unbound.conf の修正
trust-anchor-file: "/etc/unbound/anchors.mf"
- シェルスクリプト update-itar.sh を /etc/unbound にコピー
[root@arizona ~]# cp update-itar.sh /etc/unbound/
- PGP 公開鍵ファイルの作成、anchors.mf のダウンロード、unbound のリロード
実行前
[root@arizona ~]# cd /etc/unbound/
[root@arizona unbound]# pwd
/etc/unbound
[root@arizona unbound]# ls
unbound.conf unbound_control.key unbound_server.key update-itar.sh
unbound.conf.bak unbound_control.pem unbound_server.pem
実行
[root@arizona unbound]# ./update-itar.sh && unbound-control reload
creating default IANA ITAR pgp key file
Updating ./anchors.mf
ok
実行後
[root@arizona unbound]# ls
anchors.mf unbound_control.key unbound_server.pem
unbound.conf unbound_control.pem update-itar.key
unbound.conf.bak unbound_server.key update-itar.sh
確認。応答の flags に ad ( Authenticated Data ) ビットが立っている。unbound での DNSSEC の検証 ( validation ) をパスした。
[root@arizona unbound]# dig @127.1 org SOA +dnssec +multiline
; <<>> DiG 9.6.1-P3-RedHat-9.6.1-16.P3.fc12 <<>> @127.1 org SOA +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1077
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;org. IN SOA
;; ANSWER SECTION:
org. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. (
2009012953 ; serial
1800 ; refresh (30 minutes)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
org. 900 IN RRSIG SOA 7 1 900 20100227030417 (
20100213020417 32114 org.
QeOfzn4qX2d2dJZCtTkfo5ulOO2LQ/F4EfTe7bddfJNr
cUUz+gJbUTCsccbl02nuXUq8UxyWwb/gcj5/ktNIXgtM
bABwFqBCkI2cgNZYdrD4rGGEwwu/TMUdnZG5qHJElq4r
0hbkKHQnZPAMuZS65BiSPtoAejO9y5CT3ZLPZHs= )
;; AUTHORITY SECTION:
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN RRSIG NS 7 1 86400 20100223154523 (
20100209144523 32114 org.
OU7YwbDZm+30Ycqk8vCxCx0hqLPOPhFGfggoNMxtGJMG
SjHYW//Jj557AsS7+LN1T9huJczJsdRA98w36qlKTWZ3
TZeW6YahsJeXScbPd7oBLcKyXOPCkQUxz3g1pVcHjlUU
UCC98BkgUaEHK5VJa1WrrrCvRkVqh47xlDIfhlI= )
このシェルスクリプト便利だなー。