DNSSEC Key Generation for .nz, request for cooperation
Dear Community,
According to our schedule, this Friday November 18th, we will be running the Key Generation Procedure to create the keys to sign .nz
For this procedure, we will be using a customized Ubuntu Live CD to start the laptop that will serve as console. We'd like to ask you to download the ISO file to be used to create the Live CD, generate the SHA256 checksum and post it back to the mailing list. During the procedure, we will compare the digest posted to the list, with the digest generated in the laptop.
The purpose of this is two-fold: use a different set of binaries to create the digest, to make sure our tools haven't been tampered, and to give the option to the community to review the ISO and see we are using standard tools for the job.
The ISO is located at https://secure.nzrs.net.nz/sites/default/files/NZRS-Custom-Live-CD-v1.6.iso
NOTE: On a Unix machine, you can generate the sha256 checksum using
sha256sum NZRS-Custom-Live-CD-v1.6.iso
or
openssl dgst -c -sha256 NZRS-Custom-Live-CD-v1.6.iso
Thanks for your help,
Kind Regards
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
On Tue, 15 Nov 2011 09:04:27 Sebastian Castro wrote:
For this procedure, we will be using a customized Ubuntu Live CD to start the laptop that will serve as console. We'd like to ask you to download the ISO file to be used to create the Live CD, generate the SHA256 checksum and post it back to the mailing list. During the procedure, we will compare the digest posted to the list, with the digest generated in the laptop.
sha256sum NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS-Custom-Live-CD-v1.6.iso
openssl dgst -c -sha256 NZRS-Custom-Live-CD-v1.6.iso
SHA256(NZRS-Custom-Live-CD-v1.6.iso)= f0:c1:51:a8:3a:4c:b3:ac:3d:26:16:f7:54:76:0e:78:ba:47:5e:5a:12:4d:67:43:4b:c5:75:6e:26:19:3c:d3
--David
Great idea.
$ sha256sum NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS-Custom-Live-CD-v1.6.iso
This is a great initiative, from your description of the tools employed,
I'm in full favour.
On 15 November 2011 09:04, Sebastian Castro
sha256sum NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS-Custom-Live-CD-v1.6.iso
Thanks,
--
Mark Goldfinch | Systems Team Leader
MODICA GROUP
nz: +64 4 498 6000
$ sha256sum NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS-Custom-Live-CD-v1.6.iso
$ openssl dgst -c -sha256 NZRS-Custom-Live-CD-v1.6.iso
SHA256(NZRS-Custom-Live-CD-v1.6.iso)= f0:c1:51:a8:3a:4c:b3:ac:3d:26:16:f7:54:76:0e:78:ba:47:5e:5a:12:4d:67:43:4b:c5:75:6e:26:19:3c:d3
Cheers
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 2011-11-15 09:04 , Sebastian Castro wrote:
The ISO is located at
https://secure.nzrs.net.nz/sites/default/files/NZRS-Custom-Live-CD-v1.6.iso
[....] sha256sum NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS-Custom-Live-CD-v1.6.iso
openssl dgst -c -sha256 NZRS-Custom-Live-CD-v1.6.iso
SHA256(NZRS-Custom-Live-CD-v1.6.iso)= f0:c1:51:a8:3a:4c:b3:ac:3d:26:16:f7:54:76:0e:78:ba:47:5e:5a:12:4d:67:43:4b:c5:75:6e:26:19:3c:d3
FWIW, file mirrored here:
http://public.naos.co.nz/nzrs/NZRS-Custom-Live-CD-v1.6.iso
(at least until I get bored and decide to tidy up, or my host complains about too many people downloading it and using up all the bandwidth!)
Ewen
On 2011-11-15 10:02 , Ewen McNeill wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
[....]
http://public.naos.co.nz/nzrs/NZRS-Custom-Live-CD-v1.6.iso
Sadly, as I suspected might happen, either Thunderbird or the mailing list software changed the cleartext after the signing (outside Thunderbird), so the signature fails (clearly the long lines needed to be wrapped/canonicalised first). A version of that message which does verify is here:
http://public.naos.co.nz/nzrs/NZRS-Custom-Live-CD-v1.6.signature
(ie, right next to the mirrored file).
Ewen
PS: I figured _someone_ should invoke the use of actual crypto to timestamp the verification...
On 15/11/11 10:11, Ewen McNeill wrote:
On 2011-11-15 10:02 , Ewen McNeill wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
[....]
http://public.naos.co.nz/nzrs/NZRS-Custom-Live-CD-v1.6.iso
Sadly, as I suspected might happen, either Thunderbird or the mailing list software changed the cleartext after the signing (outside Thunderbird), so the signature fails (clearly the long lines needed to be wrapped/canonicalised first). A version of that message which does verify is here:
http://public.naos.co.nz/nzrs/NZRS-Custom-Live-CD-v1.6.signature
Thanks for that Ewen, I confirmed the message validates. We should have a PGP key signing party at some point (perhaps during next NZNOG) to set trust of our keys.
(ie, right next to the mirrored file).
Ewen
PS: I figured _someone_ should invoke the use of actual crypto to timestamp the verification...
Cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
# ls -l NZRS-Custom-Live-CD-v1.6.iso
- -rw-r--r--@ 1 asjl asjl 613691392 15 Nov 10:47 NZRS-Custom-Live-CD-v1.6.iso
# openssl dgst -c -sha256 NZRS-Custom-Live-CD-v1.6.iso
SHA256(NZRS-Custom-Live-CD-v1.6.iso)= f0:c1:51:a8:3a:4c:b3:ac:3d:26:16:f7:54:76:0e:78:ba:47:5e:5a:12:4d:67:43:4b:c5:75:6e:26:19:3c:d3
# shasum -a 256 NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS-Custom-Live-CD-v1.6.iso
On Tue, Nov 15, 2011 at 09:04, Sebastian Castro
The ISO is located at https://secure.nzrs.net.nz/sites/default/files/NZRS-Custom-Live-CD-v1.6.iso
sha256sum NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 /media/TOSHIBA/NZRS-Custom-Live-CD-v1.6.iso
openssl dgst -c -sha256 NZRS-Custom-Live-CD-v1.6.iso
SHA256(/media/TOSHIBA/NZRS-Custom-Live-CD-v1.6.iso)= f0:c1:51:a8:3a:4c:b3:ac:3d:26:16:f7:54:76:0e:78:ba:47:5e:5a:12:4d:67:43:4b:c5:75:6e:26:19:3c:d3
Sebastian Castro
Hamish. --
$ sha256sum NZRS-Custom-Live-CD-v1.6.iso
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS-Custom-Live-CD-v1.6.iso
Jonathon
On Tue, 15 Nov 2011 09:04:27 +1300, Sebastian Castro wrote:
We'd like to ask you to download the ISO file to be used to create the Live CD, generate the SHA256 checksum and post it back to the mailing list.
Wrapped to 70 cols and signed with my personal PGP key (0x7E05DC1E)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 NZRS
- -Custom-Live-CD-v1.6.iso
--
-Michael Fincham
System Administrator, Unleash
www.unleash.co.nz
Phone: 0800 750 250
DDI: 03 978 1223
Mobile: 027 666 4482
participants (10)
- Andy Linton
- David Robb
- Dean Pemberton
- Ewen McNeill
- Hamish MacEwan
- Jonathon Exley
- Mark Goldfinch
- Michael Fincham
- Pieter De Wit
- Sebastian Castro
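The comparison step the thread describes, as an added example that is not part of any message above and is not NZRS's procedure: it reduces digests posted in either the sha256sum or the `openssl dgst -c` form to one canonical string and compares them with a locally computed value. The function names are hypothetical, and it assumes sha256sum is installed (openssl is used as a second binary only when present).

```shell
#!/bin/sh
# Added example: check a local SHA-256 against digests posted to a list.

# Reduce one posted line (sha256sum or "openssl dgst -c" form) to 64 lowercase
# hex characters; fail on anything else instead of guessing.
normalise_digest() {
    d=$(printf '%s\n' "$1" |
        sed -e 's/^[A-Za-z0-9-]*(.*)= *//' -e 's/[[:space:]].*$//' |
        tr -d ':' | tr 'A-F' 'a-f')
    case "$d" in *[!0-9a-f]*) return 1 ;; esac
    [ "${#d}" -eq 64 ] || return 1
    printf '%s\n' "$d"
}

# Digest of FILE from sha256sum, cross-checked against openssl when it is
# installed, so two different binaries must agree before the value is used.
local_digest() {
    a=$(sha256sum "$1") && a=$(normalise_digest "$a") || return 1
    if command -v openssl >/dev/null 2>&1; then
        b=$(openssl dgst -c -sha256 "$1") && b=$(normalise_digest "$b") || return 1
        [ "$a" = "$b" ] || return 1
    fi
    printf '%s\n' "$a"
}

# compare_posts DIGEST < posted-lines
# Prints "match=N mismatch=N rejected=N"; succeeds only if at least one post
# matches and no well-formed post disagrees.
compare_posts() {
    match=0 mismatch=0 rejected=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if p=$(normalise_digest "$line"); then
            if [ "$p" = "$1" ]; then match=$((match + 1))
            else mismatch=$((mismatch + 1)); fi
        else
            rejected=$((rejected + 1))
        fi
    done
    echo "match=$match mismatch=$mismatch rejected=$rejected"
    [ "$match" -gt 0 ] && [ "$mismatch" -eq 0 ]
}

# Constructed input: two lines in the forms posted above, one broken by wrapping.
compare_posts f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3 <<'EOF'
f0c151a83a4cb3ac3d2616f754760e78ba475e5a124d67434bc5756e26193cd3  NZRS-Custom-Live-CD-v1.6.iso
SHA256(NZRS-Custom-Live-CD-v1.6.iso)= f0:c1:51:a8:3a:4c:b3:ac:3d:26:16:f7:54:76:0e:78:ba:47:5e:5a:12:4d:67:43:4b:c5:75:6e:26:19:3c:d3
SHA256(NZRS-Custom-Live-CD-v1.6.iso)= f0:c1:51:a8:3a:4c:b3:ac:3d: 26:16:f7:54:76:0e:78
EOF
```

A post whose digest was split by a mail client is counted as rejected rather than as a mismatch, so it has to be re-read by hand instead of silently passing or failing the comparison.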