Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1

2017-07-09 Thread Jonathan Wiltshire 
Control: tag -1 pending

On Wed, Jul 05, 2017 at 01:54:47PM +0200, Christian Hofstaedtler wrote:
> Hi,
> 
> * Cyril Brulebois  [170705 07:13]:
> > Control: tag -1 confirmed
> > 
> > Christian Hofstaedtler  (2017-07-04):
> > > pdns-recursor has an embedded copy of the DNS root (".") zone public
> > > signing key ("KSK"), for DNSSEC verification purposes. ICANN has
> > > created a new key and expects it to use starting from October 11,
> > > 2017, in place of the old key.
> > > 
> > > [..]
> > 
> > This looks good to me, feel free to upload.
> 
> Done, should be in proposed-updates by now.

Flagged for acceptance.

Thanks,

-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1

2017-07-05 Thread Christian Hofstaedtler 
Hi,

* Cyril Brulebois  [170705 07:13]:
> Control: tag -1 confirmed
> 
> Christian Hofstaedtler  (2017-07-04):
> > pdns-recursor has an embedded copy of the DNS root (".") zone public
> > signing key ("KSK"), for DNSSEC verification purposes. ICANN has
> > created a new key and expects it to use starting from October 11,
> > 2017, in place of the old key.
> > 
> > [..]
> 
> This looks good to me, feel free to upload.

Done, should be in proposed-updates by now.

> Are we getting an update for jessie as well? (If so, let's track this in
> a separate bug report please.)

The version in jessie does not have DNSSEC capabilities.
The version in jessie-backports does, and I'll update it once the
stretch update is all through.

> Thanks.

Thanks,
Chris

Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1

2017-07-04 Thread Cyril Brulebois 
Control: tag -1 confirmed

Christian Hofstaedtler  (2017-07-04):
> pdns-recursor has an embedded copy of the DNS root (".") zone public
> signing key ("KSK"), for DNSSEC verification purposes. ICANN has
> created a new key and expects it to use starting from October 11,
> 2017, in place of the old key.
> 
> This update adds the new key to the trusted set. If users do not get
> this update, DNSSEC validation will fail for them starting on Oct.
> 11, until they manually update the configuration.
> 
> The same fix is already in unstable (as 4.0.4-2).

Hi Christian,

This looks good to me, feel free to upload.

Are we getting an update for jessie as well? (If so, let's track this in
a separate bug report please.)

Thanks.


KiBi.


signature.asc
Description: Digital signature

Bug#867159: stretch-pu: package pdns-recursor/4.0.4-1

2017-07-04 Thread Christian Hofstaedtler 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

pdns-recursor has an embedded copy of the DNS root (".") zone public
signing key ("KSK"), for DNSSEC verification purposes. ICANN has
created a new key and expects it to use starting from October 11,
2017, in place of the old key.

This update adds the new key to the trusted set. If users do not get
this update, DNSSEC validation will fail for them starting on Oct.
11, until they manually update the configuration.

The same fix is already in unstable (as 4.0.4-2).

Thanks,
Chris


diff -Nru pdns-recursor-4.0.4/debian/changelog 
pdns-recursor-4.0.4/debian/changelog
--- pdns-recursor-4.0.4/debian/changelog2017-01-14 03:03:18.0 
+
+++ pdns-recursor-4.0.4/debian/changelog2017-06-27 12:31:08.0 
+
@@ -1,3 +1,10 @@
+pdns-recursor (4.0.4-1+deb9u1) stretch; urgency=medium
+
+  * Add new root trust anchor KSK-2017 to embedded root trust list.
+(Closes: #866112)
+
+ -- Christian Hofstaedtler   Tue, 27 Jun 2017 12:31:08 +
+
 pdns-recursor (4.0.4-1) unstable; urgency=medium
 
   * New upstream version, fixing security issues CVE-2016-7068 and
diff -Nru pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 
pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch
--- pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 
1970-01-01 00:00:00.0 +
+++ pdns-recursor-4.0.4/debian/patches/0001-Add-the-2017-root-key.patch 
2017-06-27 12:31:08.0 +
@@ -0,0 +1,20 @@
+From d5037c4d34ffbc89ca5d4f79554dd87aa49fdbc8 Mon Sep 17 00:00:00 2001
+From: Pieter Lexis 
+Date: Fri, 3 Feb 2017 09:03:35 +0100
+Subject: [PATCH] Add the 2017 root key
+
+---
+ pdns/root-dnssec.hh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pdns/root-dnssec.hh b/pdns/root-dnssec.hh
+index 0d4b3b4ea1..1f5bb37fe7 100644
+--- a/root-dnssec.hh
 b/root-dnssec.hh
+@@ -22,4 +22,5 @@
+ 
+ #pragma once
+ 
+-static const char*rootDSs[]={"19036 8 2 
49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5"};
++static const char*rootDSs[]={"19036 8 2 
49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5",
++ "20326 8 2 
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d"};
diff -Nru pdns-recursor-4.0.4/debian/patches/series 
pdns-recursor-4.0.4/debian/patches/series
--- pdns-recursor-4.0.4/debian/patches/series   1970-01-01 00:00:00.0 
+
+++ pdns-recursor-4.0.4/debian/patches/series   2017-06-27 12:31:08.0 
+
@@ -0,0 +1 @@
+0001-Add-the-2017-root-key.patch