Your message dated Sun, 24 Mar 2019 14:47:00 +0000
with message-id <[email protected]>
and subject line Re: Bug#925376: unblock: dns-root-data/2019031302
has caused the Debian Bug report #925376,
regarding unblock: dns-root-data/2019031302
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
925376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925376
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Control: block -1 by 925374
Control: affects -1 + src:dns-root-data
Please unblock package dns-root-data, package version 2019031302.
This closes serious bug #925374 ("dns-root-data: ships an obsolete root
zone signing key"), which notes that the older versions of dns-root-data
ship with a root key that is now expired. This is not the absolute
worst thing, because they *also* ship with the functional, current root
key. But it is not a good idea to leave this sort of thing lying
around, and we probably don't want to release it in buster.
The debdiff between 2018091102 and 2019031302 is attached. It's a bit
more complex than just dropping the keys from the distributed files,
because it includes a few extra verification steps during package build,
and accounts for the validity window described in IANA's
root-anchors.xml.
The binary diff is actually much smaller :)
To properly avoid this sort of delay for future planned
rollovers/transitions, I think we need marginally more sophisticated
binary packages, which I've started a discussion on in #925349. But
that work isn't relevant directly for the upcoming buster release.
Thanks for your work on Debian buster, and sorry for the extra unblock
hassle here,
--dkg
unblock dns-root-data/2019031302
diff --git publicsuffix-2018091102/debian/changelog publicsuffix-2019031302/debian/changelog
index 68800a6..8a4a8b3 100644
--- publicsuffix-2018091102/debian/changelog
+++ publicsuffix-2019031302/debian/changelog
@@ -1,3 +1,15 @@
+dns-root-data (2019031302) unstable; urgency=medium
+
+ * cryptographically verify root.hints
+ * get_orig_source: refresh root-anchors.{xml,p7s} as well
+ * update root data to 2019031302
+ * standards-version: bump to 4.3.0 (no changes needed)
+ * parse-root-anchors.sh: account for validity windows
+ * check: deliberately skip the TTL generated by ldns-key2ds
+ * dns-root-data is Multi-Arch: foreign
+
+ -- Daniel Kahn Gillmor <[email protected]> Sat, 23 Mar 2019 15:33:17 +0100
+
dns-root-data (2018091102) unstable; urgency=medium
* new upstream version of root.hints, 2018091102
diff --git publicsuffix-2018091102/debian/control publicsuffix-2019031302/debian/control
index 940e507..7295849 100644
--- publicsuffix-2018091102/debian/control
+++ publicsuffix-2019031302/debian/control
@@ -8,11 +8,12 @@ Uploaders:
Robert Edmonds <[email protected]>,
Build-Depends:
debhelper (>= 11~),
+ gpgv,
ldnsutils,
openssl,
unbound-anchor,
xml2,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
Homepage: https://data.iana.org/root-anchors/
Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
@@ -20,6 +21,7 @@ Rules-Requires-Root: no
Package: dns-root-data
Architecture: all
+Multi-Arch: foreign
Depends:
${misc:Depends},
Description: DNS root data including root zone and DNSSEC key
diff --git publicsuffix-2018091102/debian/rules publicsuffix-2019031302/debian/rules
index 3c46b59..5fe3d9a 100755
--- publicsuffix-2018091102/debian/rules
+++ publicsuffix-2019031302/debian/rules
@@ -14,11 +14,14 @@ override_dh_auto_build:
# Verify root-anchors.xml using OpenSSL
openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
+ # Verify root.hints
+ gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+
# Create key from validated root-anchors.xml
./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
# Create key from downloaded root.key
- /usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' | sort -k 4 -n > root.ds
+ /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
# Compare the DS from root.key and from root-anchors.xml
diff -u root-anchors.ds root.ds
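Review bot: the replacement `cut --fields=1,3- --output-delimiter=' '` assumes ldns-key2ds -n emits tab-separated fields; if it ever prints spaces, field 2 (the TTL) survives and `diff -u root-anchors.ds root.ds` fails the build, which is the safe direction, but a one-line comment stating that assumption next to the cut would help the next maintainer. Two smaller points on the same hunk: the context line `openssl smime -verify -noverify` checks the CMS signature but skips validation of the signer certificate, so this step proves only that root-anchors.p7s matches root-anchors.xml, not who signed it; and the new gpgv step is only as strong as registry-admin.key, which the debdiff adds as an opaque binary file, so recording where that key was obtained and its fingerprint (in debian/rules or debian/README.source) would let a reviewer check it independently.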
@@ -35,3 +38,7 @@ get_orig_source:
< $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
rm $(CURDIR)/root-auto.key
wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root"
+ wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig"
+ # get root-anchors.xml and root-anchors.p7s as well
+ wget -O $(CURDIR)/root-anchors.xml 'http://data.iana.org/root-anchors/root-anchors.xml'
+ wget -O $(CURDIR)/root-anchors.p7s 'http://data.iana.org/root-anchors/root-anchors.p7s'
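Review bot: the two new root-anchors downloads use plain `http://` while the root.hints.sig fetch just above uses `https://`; the p7s check in override_dh_auto_build protects integrity either way, but fetching over https keeps the source URLs consistent and avoids a tampered or proxied download turning into a confusing build failure later in the pipeline. Consider `'https://data.iana.org/root-anchors/root-anchors.xml'` and the matching `.p7s` URL, which is also the scheme the Homepage field in debian/control already uses.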
diff --git publicsuffix-2018091102/parse-root-anchors.sh publicsuffix-2019031302/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2018091102/parse-root-anchors.sh
+++ publicsuffix-2019031302/parse-root-anchors.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
export IFS="="
xml2 | while read -r KEY VAL; do
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
"/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
"/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
"/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+ "/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";;
+ "/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";;
"/TrustAnchor/KeyDigest/Digest")
DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then
echo "Missing some KeyDigest parameter"
exit 1
fi
- printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
- unset KTAG ALGO DTYPE DIGEST
+ if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then
+ printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
+ elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then
+ printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
+ else
+ printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
+ fi
+ unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
;;
esac
done
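Review bot: the validity window is evaluated at build time, so a KeyDigest whose validUntil falls between the build and the moment a user installs the package is still shipped; that limitation deserves a comment at the `if [ -n "$EXPIRES" ]` line (the unblock request already points at #925349 for the longer-term fix). Two smaller points: when a digest is skipped the script only writes to stderr and continues with exit status 0, so the build relies on the later `diff -u root-anchors.ds root.ds` to catch any mismatch, and that dependency should be stated so nobody removes the diff step; and `date +%s -d "$EXPIRES"` is a GNU coreutils extension, fine on Debian but worth a note in a `#!/bin/sh` script, since a date implementation without `-d` would make the `-lt` comparison fail on an empty operand rather than on the key's validity.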
diff --git publicsuffix-2018091102/registry-admin.key publicsuffix-2019031302/registry-admin.key
new file mode 100644
index 0000000..9c0fb78
Binary files /dev/null and publicsuffix-2019031302/registry-admin.key differ
diff --git publicsuffix-2018091102/root-anchors.p7s publicsuffix-2019031302/root-anchors.p7s
index ee06fe5..ff40c7a 100644
Binary files publicsuffix-2018091102/root-anchors.p7s and publicsuffix-2019031302/root-anchors.p7s differ
diff --git publicsuffix-2018091102/root-anchors.xml publicsuffix-2019031302/root-anchors.xml
index bf84089..3536f08 100644
--- publicsuffix-2018091102/root-anchors.xml
+++ publicsuffix-2019031302/root-anchors.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml">
+<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
diff --git publicsuffix-2018091102/root.hints publicsuffix-2019031302/root.hints
index 3c7d257..cfb7094 100644
--- publicsuffix-2018091102/root.hints
+++ publicsuffix-2019031302/root.hints
@@ -9,8 +9,8 @@
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
-; last update: September 11, 2018
-; related version of root zone: 2018091102
+; last update: March 13, 2019
+; related version of root zone: 2019031302
;
; FORMERLY NS.INTERNIC.NET
;
diff --git publicsuffix-2018091102/root.hints.sig publicsuffix-2019031302/root.hints.sig
new file mode 100644
index 0000000..484ecc9
Binary files /dev/null and publicsuffix-2019031302/root.hints.sig differ
diff --git publicsuffix-2018091102/root.key publicsuffix-2019031302/root.key
index 956fbbd..e8941ce 100644
--- publicsuffix-2018091102/root.key
+++ publicsuffix-2019031302/root.key
@@ -1,2 +1 @@
-. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]
-. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ]
+. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]
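Review bot: besides dropping KSK 19036, this hunk changes the TTL on the remaining DNSKEY record from 172800 to 86400; the changelog entry "check: deliberately skip the TTL generated by ldns-key2ds" and the cut change in debian/rules cover the build-time comparison, but anyone diffing root.key against a copy they already ship will see the TTL change as well, so it is worth naming explicitly in the changelog alongside the key removal.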
signature.asc
Description: PGP signature
--- End Message ---
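The validity-window handling that the debdiff adds to parse-root-anchors.sh, reimplemented here as an added Python example (not code from dns-root-data or its maintainer) so it can be run offline: expired and not-yet-valid KeyDigest entries are skipped, digests are lower-cased, and output is sorted numerically by KeyTag, mirroring the `sort -k 4 -n` in debian/rules. The root-anchors.xml document below is constructed for this example; key tags 19036 and 20326 and the 2010-07-15/2019-01-11 window appear in the debdiff, while key tags 33333 and 44444, the other dates and all digests are placeholders.

```python
"""Emit DS records from a root-anchors.xml document, honouring validity windows.

Added example, not code from the dns-root-data package. It mirrors the checks
parse-root-anchors.sh performs in the debdiff (validUntil tested before
validFrom, skipped entries reported rather than fatal, missing fields fatal)
using only the Python standard library.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample document. Key tags 19036/20326 and the 19036 window come
# from the debdiff; 33333, 44444, the remaining dates and all digests are
# placeholders chosen so each branch of the window check is exercised.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="00000000-0000-0000-0000-000000000000" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="nowindow">
<KeyTag>44444</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>CAFE4444</Digest>
</KeyDigest>
<KeyDigest id="future" validFrom="2030-01-01T00:00:00+00:00">
<KeyTag>33333</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>CAFE3333</Digest>
</KeyDigest>
<KeyDigest id="current" validFrom="2017-01-01T00:00:00+00:00">
<KeyTag>20326</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>CAFE2032</Digest>
</KeyDigest>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>CAFE1903</Digest>
</KeyDigest>
</TrustAnchor>
"""


def _parse_ts(value):
    """Parse the ISO 8601 timestamps root-anchors.xml uses; a UTC offset is required
    so that comparisons are between timezone-aware datetimes."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("timestamp without UTC offset: %s" % value)
    return ts


def key_status(key_digest, now):
    """Return 'expired', 'not-yet-valid' or 'valid' for one KeyDigest element,
    testing validUntil before validFrom in the same order as the shell script."""
    valid_until = key_digest.get("validUntil")
    valid_from = key_digest.get("validFrom")
    if valid_until and _parse_ts(valid_until) < now:
        return "expired"
    if valid_from and _parse_ts(valid_from) > now:
        return "not-yet-valid"
    return "valid"


def ds_records(xml_text, now_iso):
    """Return (records, skipped): DS presentation-format lines for every KeyDigest
    valid at now_iso, sorted numerically by KeyTag, plus (KeyTag, reason) pairs
    for the entries that were left out. A KeyDigest missing a field is fatal."""
    now = _parse_ts(now_iso)
    root = ET.fromstring(xml_text.encode("utf-8"))
    zone = root.findtext("Zone")
    if zone is None:
        raise ValueError("Missing Zone")
    kept, skipped = [], []
    for kd in root.findall("KeyDigest"):
        fields = {n: kd.findtext(n) for n in ("KeyTag", "Algorithm", "DigestType", "Digest")}
        if any(v is None for v in fields.values()):
            raise ValueError("Missing some KeyDigest parameter")
        status = key_status(kd, now)
        if status != "valid":
            skipped.append((fields["KeyTag"], status))
            continue
        line = "%s IN DS %s %s %s %s" % (zone, fields["KeyTag"], fields["Algorithm"],
                                         fields["DigestType"], fields["Digest"].lower())
        kept.append((int(fields["KeyTag"]), line))
    kept.sort()  # numeric KeyTag order, like `sort -k 4 -n` in debian/rules
    return [line for _, line in kept], skipped


if __name__ == "__main__":
    # Constructed build time, shortly after the changelog date in the debdiff.
    records, skipped = ds_records(SAMPLE_XML, "2019-03-23T15:00:00+00:00")
    print("\n".join(records))
    for tag, reason in skipped:
        print("skipped KeyTag %s: %s" % (tag, reason))
```

Evaluating the same document at a build time before 2019-01-11 keeps KSK 19036 in the output, which is exactly the build-time-only nature of the check that the unblock request defers to #925349.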
--- Begin Message ---
Daniel Kahn Gillmor:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
> Control: block -1 by 925374
> Control: affects -1 + src:dns-root-data
>
> Please unblock package dns-root-data, package version 2019031302.
>
> [...]
>
> --dkg
>
> unblock dns-root-data/2019031302
>
Unblocked, thanks.
~Niels
--- End Message ---