Edward Lewis via Unbound-users wrote:
> unbound-anchor, by default, pulls DNSSEC trust anchors from data.iana.org.
>
> I am trying to test RFC 5011 capabilities by following these websites:
>
> http://keyroll.systems
> and
> http://icksk.dnssek.info/fauxroot.html
>
> Goal is to run unbound-anchor as a first step before trying to tune
> unbound to either of those experiments.

Hi, Ed:

IIRC, the HTTPS fetch from data.iana.org in unbound-anchor is a fallback, if the RFC 5011 stuff fails. You still ought to be able to test the RFC 5011 stuff alone, if that's what you're trying to do.

I copied the root.db file at the bottom of http://keyroll.systems/current into /tmp/root.db (would be nice if this were downloadable as a separate file), and then tried unbound-anchor with that root zone against the three most recent key files (at the time) from the bottom of http://keyroll.systems/historic:

# Most recent key.
edmonds@chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+55039.key
edmonds@chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110527] libunbound[7108:0] warning: root hints /tmp/root.db:26 skipping type TXT
success: the anchor is ok

# Second most recent key.
edmonds@chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+27079.key
edmonds@chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110543] libunbound[7113:0] warning: root hints /tmp/root.db:26 skipping type TXT
success: the anchor is ok

# Third most recent key.
edmonds@chase{0}:~$ curl -so /tmp/root.key http://keyroll.systems/static/K.+008+42496.key
edmonds@chase{0}:~$ unbound-anchor -v -r /tmp/root.db -a /tmp/root.key
/tmp/root.key has content
[1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:16 skipping type SOA
[1438110556] libunbound[7118:0] warning: root hints /tmp/root.db:26 skipping type TXT
last successful probe: Tue Jul 28 15:09:16 2015
the last successful probe is recent
fail: the anchor is NOT ok and could not be fixed

edmonds@chase{0}:~$ cat /tmp/root.key
; autotrust trust anchor file
;;REVOKED
; The zone has all keys revoked, and is
; considered as if it has no trust anchors.
; the remainder of the file is the last probe.
; to restart the trust anchor, overwrite this file.
; with one containing valid DNSKEYs or DSes.
;;id: . 1
;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;last_success: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;next_probe_time: 0 ;;Wed Dec 31 19:00:00 1969
;;query_failed: 0
;;query_interval: 0
;;retry_time: 0
. 3600 IN DNSKEY 385 3 8 AwEAAct/IgeZiHmphBTGCJUxJNd1hy9uuqUJFtIsdJgyMr+LLnTjbqXkAF47BskHvSIrlQlIc/SDTDLtUktpM/IVWAjolSsP1+oNYwTi56WwW9nyc+vuJkPG8sxza1p7c7PoTegb2JPPEsmkLGMEDz0kliWHSZkinr9yB1/LxI3SBAYq17Od3CuIAWyU0F0pVxqJwJn/jWI4z1FdSwU9cGhx+/g8FvrnrOkOMyj08g4LlYf5PBpopB+Cz2JNOFa6DRr2WyUuVvbTa9ZnBCOTHcUsaoqVdvs3fihvcdpfWonHm7aJvyUnB3CiUQz/iIzvYTtx3+OF8+mOjy0qFX+Zk4KUg6U= ;{id = 42624 (ksk), size = 2048b}
;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1438110556 ;;Tue Jul 28 15:09:16 2015
edmonds@chase{0}:~$

Hope this helps!

-- 
Robert Edmonds
edmo...@debian.org
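Added example, not code from the thread, from Robert, or from the Unbound project: a small Python reader for the autotrust anchor file format shown in the reply above, so the "all keys revoked" condition that made the third run fail can be checked by a monitoring script rather than by eye. It parses the ;; metadata records, the DNSKEY RR and the ;;state=N [ NAME ] line that follows it, computes the key tag per RFC 4034 Appendix B, and reports whether a usable anchor is left in the file. Assumptions: the file layout is as in the post (one-line ";;key: value ;;date" records and a one-line state record); the states counted as usable (VALID, and MISSING inside its hold-down) follow RFC 5011 semantics and were not checked against unbound's source; the sample input is the root.key from the post with its free-text comment lines trimmed. One thing the example makes visible: the revoked key's id 42624 and the keyroll file name K.+008+42496.key refer to the same key, because setting the REVOKE bit (0x80 in the low byte of the flags field) changes the key tag; for this key it adds exactly 128 (the carry term in the tag computation can add one more in general).

```python
# Added example (not from the thread or from Unbound): read an unbound autotrust anchor
# file, compute DNSKEY key tags (RFC 4034 App. B) and report whether a usable anchor remains.
import base64
import re
import struct
from dataclasses import dataclass, field

REVOKE_FLAG = 0x0080  # RFC 5011: the REVOKE bit in the DNSKEY flags field
# Assumption (RFC 5011 semantics, not checked against unbound's source): a key still
# anchors validation while VALID, or MISSING from the zone but inside its hold-down.
USABLE_STATES = {"VALID", "MISSING"}

STATE_RE = re.compile(r"^;;state=(\d+)\s*\[\s*(\w+)\s*\]")
META_RE = re.compile(r"^;;(\w+):\s*(.*)$")
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")


def dnskey_key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (flags, protocol, algorithm, public key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass
class AnchorKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes
    state: str = "UNKNOWN"  # label from the ";;state=N [ NAME ]" line that follows the RR

    @property
    def revoked(self) -> bool:
        return bool(self.flags & REVOKE_FLAG)

    def key_tag(self, flags=None) -> int:
        """Tag of this key; pass flags=self.flags & ~REVOKE_FLAG for the pre-revocation
        tag (the NNNNN in a keyroll.systems K.+008+NNNNN.key file name)."""
        f = self.flags if flags is None else flags
        return dnskey_key_tag(struct.pack("!HBB", f, self.protocol, self.algorithm) + self.pubkey)


@dataclass
class AnchorFile:
    file_revoked: bool = False  # ";;REVOKED" marker: every key in the set was revoked
    meta: dict = field(default_factory=dict)
    keys: list = field(default_factory=list)

    def usable_keys(self) -> list:
        return [k for k in self.keys if k.state in USABLE_STATES and not k.revoked]

    def status(self) -> str:
        """'OK' when validation can proceed from this file, else 'NO-ANCHOR'."""
        return "NO-ANCHOR" if self.file_revoked or not self.usable_keys() else "OK"


def parse_autotrust(text: str) -> AnchorFile:
    af = AnchorFile()
    for raw in text.splitlines():
        line = raw.strip()
        if line == ";;REVOKED":
            af.file_revoked = True
        elif (m := STATE_RE.match(line)) and af.keys:
            af.keys[-1].state = m.group(2)  # the state line describes the RR just above it
        elif m := META_RE.match(line):
            # ";;last_success: 1438110556 ;;Tue Jul 28 ..." -> keep the value, drop the date
            af.meta[m.group(1)] = m.group(2).split(";;")[0].strip()
        elif m := DNSKEY_RE.match(line):
            owner, flags, proto, alg, b64 = m.groups()
            af.keys.append(AnchorKey(owner, int(flags), int(proto), int(alg), base64.b64decode(b64)))
    return af  # other lines (free-text ";" comments, blanks) are ignored


# The anchor file as posted in the thread (free-text comment lines trimmed).
SAMPLE_ANCHOR_FILE = """\
; autotrust trust anchor file
;;REVOKED
;;id: . 1
;;last_queried: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;last_success: 1438110556 ;;Tue Jul 28 15:09:16 2015
;;next_probe_time: 0 ;;Wed Dec 31 19:00:00 1969
;;query_failed: 0
;;query_interval: 0
;;retry_time: 0
. 3600 IN DNSKEY 385 3 8 AwEAAct/IgeZiHmphBTGCJUxJNd1hy9uuqUJFtIsdJgyMr+LLnTjbqXkAF47BskHvSIrlQlIc/SDTDLtUktpM/IVWAjolSsP1+oNYwTi56WwW9nyc+vuJkPG8sxza1p7c7PoTegb2JPPEsmkLGMEDz0kliWHSZkinr9yB1/LxI3SBAYq17Od3CuIAWyU0F0pVxqJwJn/jWI4z1FdSwU9cGhx+/g8FvrnrOkOMyj08g4LlYf5PBpopB+Cz2JNOFa6DRr2WyUuVvbTa9ZnBCOTHcUsaoqVdvs3fihvcdpfWonHm7aJvyUnB3CiUQz/iIzvYTtx3+OF8+mOjy0qFX+Zk4KUg6U= ;{id = 42624 (ksk), size = 2048b}
;;state=4 [ REVOKED ] ;;count=0 ;;lastchange=1438110556 ;;Tue Jul 28 15:09:16 2015
"""

if __name__ == "__main__":
    af = parse_autotrust(SAMPLE_ANCHOR_FILE)
    for k in af.keys:
        print(f"{k.owner} flags={k.flags} state={k.state} tag={k.key_tag()} "
              f"pre-revocation tag={k.key_tag(k.flags & ~REVOKE_FLAG)}")
    print("anchor status:", af.status())
```

Run against the posted file it reports the single key as flags=385, state=REVOKED, tag 42624 with pre-revocation tag 42496, and status NO-ANCHOR, which is the condition unbound-anchor summarised as "the anchor is NOT ok and could not be fixed". Pointing it at a resolver's live anchor file from cron gives an early warning that validation has silently stopped, before the fallback fetch from data.iana.org (or the lack of one in an RFC 5011 test setup) becomes the only thing holding the resolver up.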