Securely update unbound’s root zones

So that nobody can tamper with the DNS resolver on our FreeBSD server, unbound's root hints (the list of root name servers that InterNIC publishes as named.cache) are updated with the following script, which checks the downloaded file against its MD5 and its PGP signature before installing it:

#!/bin/sh

## Updating the root hints (named.cache) from InterNIC and verifying them
## before handing them to unbound.
## A private scratch directory avoids predictable file names in the
## world-writable /tmp; the trap removes it however the script exits.
tmp=$(/usr/bin/mktemp -d /tmp/root-hints.XXXXXX) || exit 1
trap 'rm -rf "$tmp"' EXIT

/usr/bin/fetch -o "$tmp/root-hints.md5"   https://www.internic.net/domain/named.cache.md5
/usr/bin/fetch -o "$tmp/root-hints.sig"   https://www.internic.net/domain/named.cache.sig
/usr/bin/fetch -o "$tmp/root-hints.zones" https://www.internic.net/domain/named.cache
if [ -f "$tmp/root-hints.md5" ] && [ -f "$tmp/root-hints.sig" ] && [ -f "$tmp/root-hints.zones" ]; then
   # The MD5 file comes from the same server as the data, so this only catches
   # truncated or corrupted downloads; the PGP signature is the security check.
   author_md5=$(/bin/cat "$tmp/root-hints.md5")
   actual_md5=$(/sbin/md5 -q "$tmp/root-hints.zones")
   if [ "$author_md5" = "$actual_md5" ]; then
      # Import the signing key for nstld@verisign-grs.com from the SKS pool over
      # TLS pinned to the pool's CA; the "1" on stdin picks the first search result.
      if echo 1 | /usr/local/bin/gpg --keyserver hkps://hkps.pool.sks-keyservers.net --keyserver-options ca-cert-file=/root/certs/sks-keyservers.netCA.pem --no-tty --command-fd=0 --search-keys nstld@verisign-grs.com > /dev/null 2>&1; then
         # gpg --verify exits 0 only for a good signature by a key in the keyring.
         if /usr/local/bin/gpg --verify "$tmp/root-hints.sig" "$tmp/root-hints.zones" > /dev/null 2>&1; then
            /bin/mv "$tmp/root-hints.zones" /var/unbound/root-hints.zones && /usr/sbin/service local_unbound restart
         fi
      fi
   fi
fi

I use security/gnupg1 here because the installation is more lightweight and, compared to version 2, it is designed to be used on the CLI.
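One caveat a reader should be aware of: the script accepts whatever key the keyserver returns for nstld@verisign-grs.com, and gpg --verify exits 0 for a good signature from any key in the keyring, trusted or not. Whoever can publish a key under that address to the pool (or sit between the server and the pool) can therefore satisfy the check. The stronger check is to pin the fingerprint of the signing key. The following is an added example, not part of the original script: it reads gpg's machine-readable status output and accepts the file only if a VALIDSIG line names the pinned key, either as the signing key or as its primary key. PINNED_FPR is a placeholder to be replaced with the fingerprint obtained and checked out of band; the function names are my own.

```shell
# Added example: verify InterNIC's detached signature against a pinned key
# fingerprint instead of accepting any key the keyserver returned.
# PINNED_FPR is a placeholder: replace it with the 40-hex-digit fingerprint of
# the nstld@verisign-grs.com key after checking it out of band.
PINNED_FPR="0000000000000000000000000000000000000000"

# validsig_ok STATUS FPR
# STATUS is gpg's --status-fd output. Returns 0 only if a VALIDSIG line names
# FPR as the signing key (field 3) or as the primary key (last field, present
# when the signature was made by a subkey); anything else, including GOODSIG
# from a different key, BADSIG, or no status at all, returns 1.
validsig_ok() {
    printf '%s\n' "$1" | awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# verify_pinned SIGFILE DATAFILE
# Runs gpg in batch mode with status lines on stdout (human-readable output
# goes to stderr and is discarded). A good signature from some other key in
# the keyring is rejected here, whereas plain "gpg --verify" returns 0 for it.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    validsig_ok "$status" "$PINNED_FPR"
}
```

In the script above, `verify_pinned "$tmp/root-hints.sig" "$tmp/root-hints.zones"` would replace the plain gpg --verify call. Once the key has been imported and its fingerprint pinned, the --search-keys step on every run is no longer needed, and the check no longer depends on what a keyserver returns at that moment.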

On my home server this script is executed by a cron job once per month. The TLS certificate of the SKS pool needs to be downloaded separately:

fetch -o /root/certs/sks-keyservers.netCA.pem https://sks-keyservers.net/sks-keyservers.netCA.pem

The current one will expire on Oct 7 00:33:37 2022 GMT.

openssl x509 -in /root/certs/sks-keyservers.netCA.pem -noout -text:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            af:73:c8:b4:cf:9f:80:8f
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NO, ST=Oslo, O=sks-keyservers.net CA, CN=sks-keyservers.net CA
        Validity
            Not Before: Oct  9 00:33:37 2012 GMT
            Not After : Oct  7 00:33:37 2022 GMT
        Subject: C=NO, ST=Oslo, O=sks-keyservers.net CA, CN=sks-keyservers.net CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:d7:6c:5b:2e:0f:5d:63:54:0a:44:b7:2f:ff:e7:
                    ad:dd:06:a8:dd:dd:57:0a:01:19:9e:b0:f7:84:f0:
                    da:33:c3:3e:27:de:83:0c:50:a3:31:57:90:6e:88:
                    e8:0e:13:2b:50:89:2d:73:ef:7f:3d:14:3f:46:81:
                    63:23:e6:4c:d6:9d:0e:29:da:07:d4:f8:8c:8c:1d:
                    e2:b9:f1:97:ee:7d:1a:21:26:aa:43:77:21:f3:ec:
                    bf:92:63:32:42:94:98:99:ef:39:3d:03:11:59:44:
                    68:ed:54:64:8c:31:e5:6a:5f:a6:b0:77:99:1f:35:
                    fe:a9:b8:5e:40:20:99:8a:e6:82:72:d7:77:fa:49:
                    0c:03:24:ef:2d:45:e3:96:f9:cd:6a:1f:88:3e:65:
                    eb:be:e5:a6:57:08:3d:16:c5:86:92:7a:90:34:ce:
                    0d:78:7f:5c:47:6d:17:bd:44:01:e6:8e:74:41:8e:
                    bf:21:83:98:23:b4:19:6a:92:14:39:0c:30:f4:e5:
                    89:e2:c0:ff:4a:e0:15:37:33:e3:1c:14:62:3f:dc:
                    0f:97:b4:64:1b:92:91:8b:18:14:05:37:85:dd:5c:
                    19:f0:6e:7b:47:0f:65:a4:07:d8:76:31:42:4e:33:
                    5c:3f:12:dc:5e:3a:f7:47:d1:86:bf:ad:92:2e:60:
                    c8:6e:89:0d:1e:bb:68:aa:77:04:81:8b:aa:6e:df:
                    e3:95:a4:5f:58:58:a7:e6:17:cb:09:84:ce:23:38:
                    69:26:c6:62:1c:7c:86:81:46:7e:af:54:71:f3:c4:
                    be:9d:9a:a1:cf:2e:e6:c7:6a:8c:3b:25:87:25:33:
                    33:5b:f7:9b:76:46:6e:1c:04:3a:75:63:96:36:3a:
                    24:92:f1:33:16:a0:c6:76:59:48:06:38:db:86:59:
                    de:de:f5:13:f3:27:db:b7:66:db:0f:b1:15:1b:a8:
                    cb:c2:44:8e:fd:5d:f8:14:f7:78:28:4c:e4:a6:8d:
                    c2:b8:f4:20:ef:f2:bb:c9:05:22:05:98:03:5b:d9:
                    ff:5e:6a:31:3f:ad:c8:94:df:ca:b3:55:57:fe:c3:
                    7f:b4:cd:79:6c:8d:aa:32:79:ac:19:ad:d0:ce:8d:
                    a4:71:bb:0a:b5:12:90:1c:bd:a7:c2:61:8a:68:23:
                    3f:9a:f4:16:51:24:82:0f:a5:c8:3f:95:ef:d1:fd:
                    f2:04:1f:56:03:f7:a5:b2:48:0b:3d:12:a4:14:1f:
                    d8:5f:f6:b7:24:b8:ac:b9:be:e3:da:cf:7d:c3:9a:
                    8e:25:c4:bb:28:69:72:6c:e0:ba:c0:23:ff:51:63:
                    ae:d9:72:9c:7d:6b:f6:69:cd:69:7e:1e:fa:b2:d6:
                    ce:f5:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E4:C3:2A:09:14:67:D8:4D:52:12:4E:93:3C:13:E8:A0:8D:DA:B6:F3
            X509v3 Authority Key Identifier:
                keyid:E4:C3:2A:09:14:67:D8:4D:52:12:4E:93:3C:13:E8:A0:8D:DA:B6:F3

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
         11:39:79:d8:c2:ed:e0:d5:98:c7:ca:57:b2:dd:f6:48:e5:a2:
         cf:b1:a1:35:ed:c3:88:99:54:de:84:2f:03:70:8a:61:9b:61:
         ce:31:1f:e1:61:34:cb:f9:5d:06:e0:ff:ae:80:7f:ba:c5:e4:
         4b:29:21:cc:1d:94:ed:48:12:1a:e8:60:cb:d3:7e:37:e3:2f:
         42:06:ec:06:bc:01:42:31:4d:86:57:cc:3d:db:f6:7b:6a:99:
         00:85:d2:d3:a1:90:3f:5f:f8:96:3f:68:de:69:52:61:c6:01:
         1c:1f:cb:8f:ae:74:a5:aa:83:c1:70:a0:bd:3e:b8:14:cd:06:
         1f:49:92:64:2e:60:7e:de:31:1a:dc:72:ab:bb:2d:5a:6c:93:
         f9:80:07:50:bf:0b:dc:3e:9b:d8:46:72:33:51:cf:5f:64:e0:
         ec:56:69:47:54:50:42:97:67:65:bb:f8:87:87:68:78:1a:62:
         f8:0d:ad:ab:46:45:0c:95:b5:53:76:2a:01:51:82:2f:33:27:
         1d:3a:4a:47:e7:02:5f:b7:3c:3b:72:98:ec:b9:d1:9a:b3:43:
         c0:44:35:c2:15:f1:b2:2a:1c:01:44:56:3b:5e:9e:e5:6e:3b:
         54:e5:1c:f4:19:cd:38:94:fa:e1:0d:fd:29:14:4f:7c:03:0e:
         23:25:1a:45:79:63:23:a5:75:04:68:6d:5c:ab:b0:fa:e3:54:
         69:81:c3:1f:3c:5b:ce:1d:8e:3b:ae:f0:d3:4b:b5:c9:39:a5:
         13:07:04:63:98:3b:7c:f7:ab:3a:bc:c0:dc:68:6f:ee:5c:96:
         d0:8e:ec:e6:9b:1d:d6:d8:87:72:87:7b:39:48:8d:06:4c:76:
         f4:23:03:0a:61:be:1e:05:42:29:40:e9:c1:70:4e:fb:56:70:
         98:a8:ab:cd:d4:d5:58:02:a8:56:8d:76:d8:ed:76:ac:66:fb:
         33:09:17:0e:1b:e5:b7:16:a3:5a:1c:e2:bf:9f:fd:2e:79:bd:
         2e:8a:37:4b:6a:7f:94:7f:8a:75:6e:36:c0:a3:1f:1e:00:e4:
         12:ff:c6:b7:6f:39:09:cd:dc:81:35:42:86:c7:50:48:2b:62:
         01:2f:d6:e7:fc:7a:da:bd:20:ce:88:d4:52:9d:9f:d1:de:5f:
         46:65:ab:97:d2:db:bb:20:80:e5:44:22:0b:5d:2c:9e:6b:3b:
         b4:6a:3f:ef:75:3d:d8:15:05:cf:72:fb:79:16:47:f9:c2:23:
         53:a3:9d:df:ef:6f:e3:60:42:5d:ea:aa:61:5a:ba:68:2a:aa:
         f0:1b:04:e9:45:40:8c:85:82:14:b7:ae:61:b1:3c:42:88:92:
         79:9c:a7:b7:f6:1e:3a:b2

Copyright © Dr. Rolf Jansen - 2018-04-16 17:35:08
