Hi,

It's not clear whether there will have been a stretch point release
before the KSK rollover in October, but there definitely won't have
been a jessie point release, and in any case we need to update unbound
in the next couple of days (to avoid new installs on stretch having
broken DNSSEC validation for the next month).

Assuming I've not missed any packages that have been updated, we need
four SUAs. I've included draft text for each below - review, comments
and suggestions welcome.

Package              : dns-root-data
Version              : 2017072601~deb9u1 [stretch]
                       2017072601~deb8u1 [jessie]
Importance           : medium

The keys used to sign the root DNS zones for DNSSEC are in the process
of being updated.  Currently two such keys are in use, but from October
11th only the newer key will be in use.

The dns-root-data package includes information about such keys,
allowing other packages to use them for validation. This update ensures
that the newer key is marked as valid, ensuring that records will still
be able to be validated using DNSSEC after the older key is no longer
being used.

If you use dns-root-data then we strongly recommend that you install
this update.

Package              : bind9
Version              : 1:9.10.3.dfsg.P4-12.3+deb9u3 [stretch]
                       1:9.9.5.dfsg-9+deb8u14 [jessie]
Importance           : medium

The keys used to sign the root DNS zones for DNSSEC are in the process
of being updated.  Currently two such keys are in use, but from October
11th only the newer key will be in use.

bind9 is a DNS resolver which can use DNSSEC in order to validate the
integrity of responses to DNS queries. This update adds support for the
newer key to bind9, ensuring that DNSSEC validation of the root zones
will continue to operate as expected after the key rollover.

If you use bind9 with DNSSEC validation, we strongly recommend that you
install this update.

Package              : unbound
Version              : 1.6.0-3+deb9u1 [stretch]
                       1.4.22-3+deb8u3 [jessie]
Importance           : medium

The keys used to sign the root DNS zones for DNSSEC are in the process
of being updated.  Currently two such keys are in use, but from October
11th only the newer key will be in use.

unbound is a DNS resolver which can use DNSSEC in order to validate
the integrity of responses to DNS queries. This update fixes an issue
which meant that new installs of unbound performed between September
11th and October 11th would not be able to validate the root zones.

The update also forces an upgrade of the dns-root-data package to that
included in SUA-XXXX-1, ensuring that DNSSEC validation of the root
zones will continue to operate as expected after the key rollover.

If you use unbound with DNSSEC validation, we strongly recommend that
you install this update.

Package              : dnsviz
Version              : 0.6.4-1+deb9u1
Importance           : medium

The keys used to sign the root DNS zones for DNSSEC are in the process
of being updated.  Currently two such keys are in use, but from October
11th only the newer key will be in use.

dnsviz is a set of tools for analysing DNS and DNSSEC behaviour. This
update adds support for the new root key, ensuring that DNSSEC
validation of the root zones will continue to operate as expected after
the key rollover.

The update also includes updates to the DNS root hints file and some
other bug fixes.

If you use the DNSSEC-related features of dnsviz, we strongly recommend
that you install this update.

Regards,

Adam
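
A way to check a trust anchor file against the rollover described in the drafts above, as an added example that is not part of the original message. The key tags 19036 (older key) and 20326 (newer key) are public IANA values the message does not state, the status names are hypothetical, and the sample records use constructed placeholder digests.

```python
import base64

# Root KSK key tags (public IANA values; the message itself does not state them).
KSK_2010, KSK_2017 = 19036, 20326

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def anchor_tags(text: str) -> set:
    """Key tags of single-line DS and DNSKEY records in zone-file style text."""
    tags = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        try:
            if "DS" in fields:
                tags.add(int(fields[fields.index("DS") + 1]))
            elif "DNSKEY" in fields:
                rest = fields[fields.index("DNSKEY") + 1:]
                flags, proto, alg = (int(x) for x in rest[:3])
                key = base64.b64decode("".join(rest[3:]))
                rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + key
                tags.add(key_tag(rdata))
        except (IndexError, ValueError, OverflowError):
            continue  # malformed record: skip it rather than guess
    return tags

def rollover_status(text: str) -> str:
    """Classify a trust anchor set against the root KSK rollover."""
    tags = anchor_tags(text)
    if KSK_2017 in tags:
        return "ready"            # newer key trusted, validation survives
    if KSK_2010 in tags:
        return "old-key-only"     # validation fails once the older key is retired
    return "no-root-anchor"

# Constructed sample records; the digests are placeholders, not real values.
SAMPLE_OLD = ". IN DS 19036 8 2 " + "00" * 32
SAMPLE_NEW = SAMPLE_OLD + "\n. IN DS 20326 8 2 " + "11" * 32

if __name__ == "__main__":
    for name, sample in (("before update", SAMPLE_OLD), ("after update", SAMPLE_NEW)):
        print(name, "->", rollover_status(sample))
```

Pass the contents of the resolver's own trust anchor file to `rollover_status`; only single-line records are parsed, so a multi-line DNSKEY in parentheses is skipped.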
