Source: dnsruby Severity: important Tags: upstream patch Hi Ondřej,
The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October 2018 [1]. After this date, DNS resolvers will need to have the new key (KSK-2017) to perform DNSSEC validation. [1] https://www.icann.org/news/announcement-2018-08-22-en AFAICS, dnsruby has the KSK-2010 built-in [2], and enables dnssec by default. Users or software relying on dnsruby may encounter problems once the rollover occurs. [2] https://sources.debian.org/src/dnsruby/1.54-2/lib/Dnsruby/dnssec.rb/#L82 Unless #760469 got fixed (dnsruby: Please use root zone hints, key or anchor from dns-root-data package), dnsruby should also include the KSK-2017 key. Upstream has added it in the current master branch: https://github.com/alexdalitz/dnsruby/commit/55edc31a2150e4617edb6664d440e6141f535e6a Best regards, -- Santiago P.S. Since dnssec seems to be enabled by default, the bug severity could be maybe higher. But I let Ondřej decide :)
signature.asc
Description: PGP signature