Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1
Control: tag -1 pending

On Wed, Jul 05, 2017 at 01:54:47PM +0200, Christian Hofstaedtler wrote:
> Hi,
>
> * Cyril Brulebois [170705 07:13]:
> > Control: tag -1 confirmed
> >
> > Christian Hofstaedtler (2017-07-04):
> > > pdns-recursor has an embedded copy of the DNS root (".") zone public
> > > signing key ("KSK"), for DNSSEC verification purposes. ICANN has
> > > created a new key and expects it to use starting from October 11,
> > > 2017, in place of the old key.
> > >
> > > [..]
> >
> > This looks good to me, feel free to upload.
>
> Done, should be in proposed-updates by now.

Flagged for acceptance.

Thanks,

-- 
Jonathan Wiltshire j...@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1
Hi,

* Cyril Brulebois [170705 07:13]:
> Control: tag -1 confirmed
>
> Christian Hofstaedtler (2017-07-04):
> > pdns-recursor has an embedded copy of the DNS root (".") zone public
> > signing key ("KSK"), for DNSSEC verification purposes. ICANN has
> > created a new key and expects it to use starting from October 11,
> > 2017, in place of the old key.
> >
> > [..]
>
> This looks good to me, feel free to upload.

Done, should be in proposed-updates by now.

> Are we getting an update for jessie as well? (If so, let's track this in
> a separate bug report please.)

The version in jessie does not have DNSSEC capabilities. The version in
jessie-backports does, and I'll update it once the stretch update is all
through.

> Thanks.

Thanks,
Chris
Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1
Control: tag -1 confirmed

Christian Hofstaedtler (2017-07-04):
> pdns-recursor has an embedded copy of the DNS root (".") zone public
> signing key ("KSK"), for DNSSEC verification purposes. ICANN has
> created a new key and expects it to use starting from October 11,
> 2017, in place of the old key.
>
> This update adds the new key to the trusted set. If users do not get
> this update, DNSSEC validation will fail for them starting on Oct.
> 11, until they manually update the configuration.
>
> The same fix is already in unstable (as 4.0.4-2).

Hi Christian,

This looks good to me, feel free to upload.

Are we getting an update for jessie as well? (If so, let's track this in
a separate bug report please.)

Thanks.

KiBi.
Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

pdns-recursor has an embedded copy of the DNS root (".") zone public
signing key ("KSK"), for DNSSEC verification purposes. ICANN has
created a new key and expects it to use starting from October 11,
2017, in place of the old key.

This update adds the new key to the trusted set. If users do not get
this update, DNSSEC validation will fail for them starting on Oct.
11, until they manually update the configuration.

The same fix is already in unstable (as 4.0.4-2).

Thanks,
Chris

diff -Nru pdns-recursor-4.0.4/debian/changelog pdns-recursor-4.0.4/debian/changelog --- pdns-recursor-4.0.4/debian/changelog2017-01-14 03:03:18.0 + +++ pdns-recursor-4.0.4/debian/changelog2017-06-27 12:31:08.0 + @@ -1,3 +1,10 @@ +pdns-recursor (4.0.4-1+deb9u1) stretch; urgency=medium + + * Add new root trust anchor KSK-2017 to embedded root trust list. +(Closes: #866112) + + -- Christian HofstaedtlerTue, 27 Jun 2017 12:31:08 + + pdns-recursor (4.0.4-1) unstable; urgency=medium * New upstream version, fixing security issues CVE-2016-7068 and diff -Nru pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch --- pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 1970-01-01 00:00:00.0 + +++ pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 2017-06-27 12:31:08.0 + 
@@ -0,0 +1,20 @@ +From d5037c4d34ffbc89ca5d4f79554dd87aa49fdbc8 Mon Sep 17 00:00:00 2001 +From: Pieter Lexis +Date: Fri, 3 Feb 2017 09:03:35 +0100 +Subject: [PATCH] Add the 2017 root key + +--- + pdns/root-dnssec.hh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/pdns/root-dnssec.hh b/pdns/root-dnssec.hh +index 0d4b3b4ea1..1f5bb37fe7 100644 +--- a/root-dnssec.hh b/root-dnssec.hh +@@ -22,4 +22,5 @@ + + #pragma once + +-static const char*rootDSs[]={"19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5"}; ++static const char*rootDSs[]={"19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5", ++ "20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d"}; diff -Nru pdns-recursor-4.0.4/debian/patches/series pdns-recursor-4.0.4/debian/patches/series --- pdns-recursor-4.0.4/debian/patches/series 1970-01-01 00:00:00.0 + +++ pdns-recursor-4.0.4/debian/patches/series 2017-06-27 12:31:08.0 + @@ -0,0 +1 @@ +0001-Add-the-2017-root-key.patch
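
Review bot: In the pdns/root-dnssec.hh hunk, the rootDSs initializer now holds two bare DS strings with no comment saying which key each entry is or where the digest was taken from, and the embedded commit message ("Add the 2017 root key") has no body either. Since this array is the recursor's compiled-in trust set, please add a one-line comment per entry (key tag 19036 for the existing anchor, key tag 20326 for the KSK-2017 named in the changelog) and name the published root trust anchor the new digest was checked against, so a later reader can re-verify it without digging through history. It would also help to state that the 19036 entry is kept deliberately alongside the new one, so nobody treats it as a leftover and drops it before the old key is retired.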