From: Wouter Wijngaards
Date: Thu, 19 Feb 2009 10:38:51 +0000 (+0000)
Subject: update-itar.sh update script from itar.iana.org
X-Git-Tag: release-1.3.0~135
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b67ed831491e89e8b073bcda07d47d1ef7b9cfd8;p=thirdparty%2Funbound.git
update-itar.sh update script from itar.iana.org
git-svn-id: file:///svn/unbound/trunk@1488 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/contrib/README b/contrib/README
index 203360509..4c5458c82 100644
--- a/contrib/README
+++ b/contrib/README
@@ -7,5 +7,6 @@ distribution but may be helpful.
 * unbound.spec and unbound.init: RPM specfile and Linux rc.d initfile. * update-anchor.sh: shell script that uses unbound-host to update a set of trust anchor files. Run from cron twice a month.
+* update-itar.sh: shell script that updates from itar.iana.org. Run from cron.
 * unbound_munin_ : plugin for munin statistics report * selinux: the .fc and .te files for SElinux protection of the unbound daemon
diff --git a/contrib/update-itar.sh b/contrib/update-itar.sh
new file mode 100755
index 000000000..ddc8828e3
--- /dev/null
+++ b/contrib/update-itar.sh
@@ -0,0 +1,123 @@
+#!/bin/sh
+# update-itar.sh - update from the interim trust anchor repository
+# Copyright 2009, W.C.A. Wijngaards
+# This file is BSD licensed, see doc/LICENSE.
+
+# --- Some settings
+
+# directory where unbound works
+thedir="."
+# where is the file that unbound is going to read
+ub_ta_file="$thedir/anchors.mf"
+# where is the itar master file format
+itar_url="https://itar.iana.org/anchors/anchors.mf"
+# where is the itar PGP signature
+itar_sig="https://itar.iana.org/anchors/anchors.mf.sig"
+
+# which command to fetch urls, cmd $dest $url. "wget -O" "curl -o"
+fetch_cmd="wget -O"
+# file with pgp public key
+pgp_pub_key_file="$thedir/update-itar.key"
+# our pgp keyring (goes into .gnupg directory)
+pgp_keyring_file="update-itar.ring"
+# pgp command to use
+pgp_cmd="gpg"
+
+
+# --- The script is below
+usage ( )
+{
+ echo "usage: update-itar"
+ echo " updates the trust anchors from the interim trust"
+ echo " anchor repository."
+ echo
+ echo " Updates $ub_ta_file with the latest keys"
+ echo " read that file from the unbound config with"
+ echo " trust-anchor-file: "'"'"$ub_ta_file"'"'
+ echo
+ echo " Exit code 0 means anchors updated, 1 no changes, "
+ echo " others are errors. So, in a cronjob you can do:"
+ echo " cd /usr/local/etc/unbound # your unbound work dir"
+ echo " update-itar.sh && unbound-control reload"
+ exit 2
+}
+
+if test $# -ne 0; then
+ usage
+fi
+tmpf="/tmp/update-itar.$$"
+
+# one argument: explanation string
+error_exit ( )
+{
+ if test -f $tmpf.log; then cat $tmpf.log; fi
+ rm -f $tmpf $tmpf.sig $tmpf.log
+ echo "Error updating trust anchors: $1"
+ exit 2
+}
+
+if test ! -f $pgp_pub_key_file || test ! -f $HOME/.gnupg/$pgp_keyring_file || \
+ test "$pgp_pub_key_file" -nt $HOME/.gnupg/$pgp_keyring_file; then
+ # default key contents right here
+ if test ! 
-f $pgp_pub_key_file; then
+ echo "creating default IANA ITAR pgp key file"
+ cat >$pgp_pub_key_file <$tmpf.log 2>&1 || error_exit "could not import pgp public key into keyring"
+fi
+
+$fetch_cmd $tmpf $itar_url >$tmpf.log 2>&1 \
+ || error_exit "fetching $itar_url failed"
+tail -2 $tmpf | grep "; End of file" >/dev/null 2>&1 || \
+ error_exit "The file fetched from $itar_url was partial"
+$fetch_cmd $tmpf.sig $itar_sig >$tmpf.log 2>&1 \
+ || error_exit "fetching $itar_sig failed"
+
+# check the file with pgp
+$pgp_cmd --no-default-keyring --keyring $pgp_keyring_file --verify $tmpf.sig $tmpf >$tmpf.log 2>&1 || error_exit "the PGP signature failed!"
+
+# check for differences
+val=0
+if diff "$ub_ta_file" $tmpf; then
+ # echo "The interim trust anchor repository did not change."
+ :
+else
+ echo "Updating $ub_ta_file"
+ cp $tmpf $ub_ta_file
+ val=1
+fi
+
+rm -f $tmpf $tmpf.sig $tmpf.log
+exit $val
diff --git a/doc/Changelog b/doc/Changelog
index d57a1f444..7859ad403 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,10 @@
 19 February 2009: Wouter - unbound-checkconf and unbound print warnings when trust anchors have unsupported algorithms.
+ - added contrib/update-itar.sh This script is similar to
+ update-anchor.sh, and updates from the IANA ITAR repository.
+ You can provide your own PGP key and trust repo, or can use the
+ builtin. The program uses wget and gpg to work.
 18 February 2009: Wouter - more cycle detection. Also for target queries.
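Review bot: `tmpf="/tmp/update-itar.$$"` is a predictable name in a shared, world-writable directory, and the script verifies the download (`--verify $tmpf.sig $tmpf`) and installs it (`cp $tmpf $ub_ta_file`) as two separate steps on that path, so on a multi-user host the file the signature was checked against is not guaranteed to be the file that gets copied into the trust-anchor location the resolver reads. Since the PGP check is what the script relies on before writing `$ub_ta_file`, the working files should live in a private directory: `tmpd=$(mktemp -d /tmp/update-itar.XXXXXX) || exit 2` followed by `tmpf="$tmpd/anchors.mf"`, and both `rm -f $tmpf $tmpf.sig $tmpf.log` lines (in `error_exit` and at the end) replaced by `rm -rf -- "$tmpd"`. Quoting `$tmpf`, `$pgp_pub_key_file` and `$ub_ta_file` in the `test`, `cp` and `gpg` invocations would also keep the script correct if `thedir` is set to a path containing spaces. The heredoc body of the built-in key and the keyring import command appear to be cut from this view (the `cat >$pgp_pub_key_file` line runs straight into the `error_exit` for the import), so the key-creation branch could not be reviewed here.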