Hi,

It's not clear whether there will have been a stretch point release before the KSK rollover in October, but there definitely won't have been a jessie point release, and in any case we need to update unbound in the next couple of days (to avoid new installs on stretch having broken DNSSEC validation for the next month).

Assuming I've not missed any packages that have been updated, we need four SUAs. I've included draft text for each below - review, comments and suggestions welcome.

Package    : dns-root-data
Version    : 2017072601~deb9u1 [stretch]
             2017072601~deb8u1 [jessie]
Importance : medium

The keys used to sign the root DNS zones for DNSSEC are in the process of being updated. Currently two such keys are in use, but from October 11th only the newer key will be in use.

The dns-root-data package includes information about such keys, allowing other packages to use them for validation. This update ensures that the newer key is marked as valid, ensuring that records will still be able to be validated using DNSSEC after the older key is no longer being used.

If you use dns-root-data then we strongly recommend that you install this update.

Package    : bind9
Version    : 1:9.10.3.dfsg.P4-12.3+deb9u3 [stretch]
             1:9.9.5.dfsg-9+deb8u14 [jessie]
Importance : medium

The keys used to sign the root DNS zones for DNSSEC are in the process of being updated. Currently two such keys are in use, but from October 11th only the newer key will be in use.

bind9 is a DNS resolver which can use DNSSEC in order to validate the integrity of responses to DNS queries. This update adds support for the newer key to bind9, ensuring that DNSSEC validation of the root zones will continue to operate as expected after the key rollover.

If you use bind9 with DNSSEC validation, we strongly recommend that you install this update.

Package    : unbound
Version    : 1.6.0-3+deb9u1 [stretch]
             1.4.22-3+deb8u3 [jessie]
Importance : medium

The keys used to sign the root DNS zones for DNSSEC are in the process of being updated. Currently two such keys are in use, but from October 11th only the newer key will be in use.

unbound is a DNS resolver which can use DNSSEC in order to validate the integrity of responses to DNS queries.

This update fixes an issue which meant that new installs of unbound performed between September 11th and October 11th would not be able to validate the root zones. The update also forces an upgrade of the dns-root-data package to that included in SUA-XXXX-1, ensuring that DNSSEC validation of the root zones will continue to operate as expected after the key rollover.

If you use unbound with DNSSEC validation, we strongly recommend that you install this update.

Package    : dnsviz
Version    : 0.6.4-1+deb9u1
Importance : medium

The keys used to sign the root DNS zones for DNSSEC are in the process of being updated. Currently two such keys are in use, but from October 11th only the newer key will be in use.

dnsviz is a set of tools for analysing DNS and DNSSEC behaviour. This update adds support for the new root key, ensuring that DNSSEC validation of the root zones will continue to operate as expected after the key rollover. The update also includes updates to the DNS root hints file and some other bug fixes.

If you use the DNSSEC-related features of dnsviz, we strongly recommend that you install this update.

Regards,

Adam