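#!/bin/bash
#
# Print a BIND "managed-keys" stanza for the root zone, but only after the
# root KSK returned by the local resolver has been checked against the
# digest that IANA publishes in root-anchors.xml.
#
# Trust model: the DNSKEY comes from an unauthenticated `dig` query, so the
# only thing that authenticates it is the digest fetched over HTTPS below.
# NOTE(review): IANA also publishes a detached signature next to the XML
# file (root-anchors.p7s); verifying it would remove the sole reliance on
# the TLS connection. Not done here.
#
# Sample DS line as printed by dnssec-dsfromkey. Fields 7 and 8 joined
# together are the SHA-256 digest that is compared further down:
#. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32 F24E8FB5
# 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32 F24E8FB5

rootsig_url="https://data.iana.org/root-anchors/root-anchors.xml"

set -o errexit

# mktemp creates the file atomically with an unpredictable name. The old
# "/tmp/<name>.$$" path was guessable, so another local user could pre-create
# it (or a symlink) before this script, which often runs as root, wrote to it.
tmp=$(mktemp "${TMPDIR:-/tmp}/$(basename "$0").XXXXXX")
# Remove the scratch file on every exit path, not only on success.
trap 'rm -f "$tmp"' EXIT

# Diagnostics go to stderr so stdout carries only the generated stanza.
err() {
    echo "$@" >&2
}

# Turn the DNSKEY records in file $1 into a managed-keys block.
# [[:space:]] is used because dig separates DNSKEY and the flags with a tab
# (the awk filter below relies on that); a space-only bracket expression
# would never match and the records would be emitted unconverted.
dnssig() {
    echo "managed-keys {"
    sed -e 's/^.*DNSKEY[[:space:]]*257[[:space:]]*3[[:space:]]*8[[:space:]]*/. initial-key 257 3 8 "/' \
        -e 's/[[:space:]]*$/";/' "$1"
    echo "};"
}

# Keep only key-signing keys (flags value 257) from the root DNSKEY RRset.
dig . dnskey | awk '/DNSKEY\t257/{ print $0 }' > "$tmp"

# SHA-256 (-2) DS digest of what the resolver handed us. Printing $7 $8
# re-joins a digest that dnssec-dsfromkey split in two; if it is printed as
# one word, $8 is empty and the result is the same.
rootsig_maybe=$( dnssec-dsfromkey -2 -f "$tmp" . | awk '{ print $7 $8 }' )

if [[ -z "$rootsig_maybe" ]]; then
    echo "No rootsig? Exiting..."
    exit 1
fi
err "maybe ${rootsig_maybe}"

# --fail stops an HTTP error page from being parsed as if it were the anchor
# file; --proto pins the transfer to HTTPS.
anchors_xml=$( curl -sS --fail --proto '=https' "$rootsig_url" ) || {
    err "could not fetch ${rootsig_url}"
    exit 1
}

# NOTE(review): the tag names in the original grep/sed filter were lost (the
# page shows grep '' and sed 's###g', which sed rejects). This extraction is
# reconstructed from the <Digest> element of root-anchors.xml; confirm it
# against the original script.
rootsig=$( printf '%s\n' "$anchors_xml" \
    | sed -n 's#.*<Digest>\([0-9A-Fa-f]*\)</Digest>.*#\1#p' )
err "must be ${rootsig}"

# Both sides quoted: an unquoted right-hand side inside [[ ]] is treated as a
# glob pattern, not a literal string.
# The comparison is deliberately exact. If the anchor file lists several
# KeyDigest entries, or the zone publishes more than one KSK, it fails closed.
# Matching "any listed digest" instead would also accept retired keys unless
# the validFrom/validUntil attributes were honoured.
if [[ "$rootsig" == "$rootsig_maybe" ]]; then
    err OK
    dnssig "$tmp"
    exit 0
fi

echo FAIL
exit 1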