Your message dated Mon, 20 Feb 2017 01:51:52 +0000
with message-id <[email protected]>
and subject line Bug#855484: fixed in unbound 1.6.0-3
has caused the Debian Bug report #855484,
regarding unbound: Missing trust anchor for root KSK-2017 key
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
855484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=855484
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: unbound
Version: 1.6.0-2
Severity: serious
Justification: package maintainer's opinion
Hi,
I'd like to update the DNSSEC root trust anchor embedded in the
unbound-anchor utility. This is used to bootstrap DNSSEC trust for the
unbound DNS server. The current trust anchor is for the 2010 DNSSEC KSK,
which is scheduled to be replaced this year and retired in 2018
(https://www.icann.org/resources/pages/ksk-rollover).
Upstream svn commit r4000 (post-1.6.0), attached for review, updates
unbound-anchor to include the additional trust anchor.
An unbound server that was offline during the KSK rollover can still
obtain the 2017 KSK securely by using unbound-anchor's out-of-band
fallback mechanism based on HTTP and S/MIME, but by including the trust
anchor for the 2017 key in the unbound package that ships with stretch
we can avoid having this rarely used code path exercised.
--
Robert Edmonds
[email protected]
From eae8248dd18575b06eb4f899bf9485734a1b8cec Mon Sep 17 00:00:00 2001
From: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue, 7 Feb 2017 15:22:31 +0000
Subject: [PATCH] - Include root trust anchor id 20326 in unbound-anchor.
git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@4000 be551aaa-1e26-0410-a405-d3ace91eadb9
---
doc/Changelog | 3 +++
smallapp/unbound-anchor.c | 5 ++++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/doc/Changelog b/doc/Changelog
index 6564b8e1..9831607e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+7 February 2017: Wouter
+ - Include root trust anchor id 20326 in unbound-anchor.
+
6 February 2017: Wouter
- Fix compile on solaris of the fix to use $host detect.
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index 68ff3ccc..2828088d 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -241,7 +241,10 @@ static const char*
get_builtin_ds(void)
{
return
-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
+/* anchor 19036 is from 2010 */
+/* anchor 20326 is from 2017 */
+". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
+". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
}
/** print hex data */
--
2.11.0
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Source: unbound
Source-Version: 1.6.0-3
We believe that the bug you reported is fixed in the latest version of
unbound, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Robert Edmonds <[email protected]> (supplier of updated unbound package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 19 Feb 2017 20:04:34 -0500
Source: unbound
Binary: libunbound-dev libunbound2 python-unbound python3-unbound unbound
unbound-anchor unbound-host
Architecture: source
Version: 1.6.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Packaging <[email protected]>
Changed-By: Robert Edmonds <[email protected]>
Description:
libunbound-dev - static library, header files, and docs for libunbound
libunbound2 - library implementing DNS resolution and validation
python-unbound - library implementing DNS resolution and validation (Python
bindin
python3-unbound - library implementing DNS resolution and validation (Python3
bindi
unbound - validating, recursive, caching DNS resolver
unbound-anchor - utility to securely fetch the root DNS trust anchor
unbound-host - reimplementation of the 'host' command
Closes: 855484
Changes:
unbound (1.6.0-3) unstable; urgency=medium
.
* Cherry-pick upstream commit svn r4000, "Include root trust anchor id
20326 in unbound-anchor". (Closes: #855484)
Checksums-Sha1:
ec31f615d262473851269324bccbe7c94185d8b6 3021 unbound_1.6.0-3.dsc
3ab2af14992bb9622e598d7919bd139bae95a026 16508 unbound_1.6.0-3.debian.tar.xz
17fc4c6fbf1b6ae338418b2d3b28586c50c1ac48 6984 unbound_1.6.0-3_source.buildinfo
Checksums-Sha256:
38522051a40640599a566a7394a9d596ef94c4024b9d34cb1ba8a65660489de7 3021
unbound_1.6.0-3.dsc
8be59cee5ddad11c7ed456a5e8118514c310835939a344d3feedd2db9212a4fd 16508
unbound_1.6.0-3.debian.tar.xz
61a1826d10c2b5010f09a4f93d7df81881cbfbf3d06d5cbbf25cca36371162b1 6984
unbound_1.6.0-3_source.buildinfo
Files:
69ab9ea614b46bb01db237d22c82ce4d 3021 net optional unbound_1.6.0-3.dsc
95baf128f9f6a4644c79f1c24723f77c 16508 net optional
unbound_1.6.0-3.debian.tar.xz
6332a6555b32c37376f3942a83165d34 6984 net optional
unbound_1.6.0-3_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEE3z2W7rOCeCDzAmZcAYF6sKr2za4FAliqRvwACgkQAYF6sKr2
za7Xmw/+LoARdM3UDFyJqsvQAucpeobDI+ZEcBqSMNS5f28ZVFXGhgmu5emgQO/e
gczI1bxyp5rNamjID482Zg0CRQ4T1iuLh0LjaWpR+pEEepsd5lbKmVxWcUaeM1IP
xtH2udUThrIO9R0OEwVxC/Y5iGGcLWw4hAzXchdSSEgB6Z+VVSPd/nRP6/Y4ctBt
hqh2ygcR6Bl11xfpdrTwCq/r1dT5wJYLE8dtzY+qDrhVvRQ6QyRF9UFUwjfJ96VN
VzDsq7GwkfdZeaWwuWnWBnlH0rYEKFV71MjzuNUdUgWFVr1vM3TTXDWkOfNhmuMu
/neDAPFJX956N3FAEefpl6qrHWMOGjbv1BRPifvHiafEJgAU7L5JU5mdTac3XETN
2remCQqnyR6L2QmcUOAFQKOaY/g7BHw6bK/wr+UKDRvl/DTqk+SaunnZrblvrgu8
FV04lgSuQgLzeBpcDS8Dil5vkQJLjXfx2/KicGstNdfz7FJQ7Nixhj+XRkft6Ygh
8uFDZg5OQ0NtBSbA9c5l9Kgl6uSBwQpJmOvDMytpYJcoCNzVarpA23KlhvhXamOL
MgnwJN+j6g8wKuWvYYu8T7RgmUdBzjaxQ9oFskny7JDZblcVVadh3vS1Jm78iuOD
xYUvO2h4Xx8t13BjCfDvEELJRAFum7e3M3mlkT3dZimTIjZfXM0=
=fzkp
-----END PGP SIGNATURE-----
--- End Message ---
