Package: unbound
Version: 1.6.0-2
Severity: serious
Justification: package maintainer's opinion

Hi,

I'd like to update the DNSSEC root trust anchor embedded in the
unbound-anchor utility. This is used to bootstrap DNSSEC trust for the
unbound DNS server. The current trust anchor is for the 2010 DNSSEC KSK,
which is scheduled to be replaced this year and retired in 2018
(https://www.icann.org/resources/pages/ksk-rollover).

Upstream svn commit r4000 (post-1.6.0), attached for review, updates
unbound-anchor to include the additional trust anchor.

An unbound server that was offline during the KSK rollover can still
obtain the 2017 KSK securely by using unbound-anchor's out-of-band
fallback mechanism based on HTTP and S/MIME, but by including the trust
anchor for the 2017 key in the unbound package that ships with stretch
we can avoid having this rarely used code path exercised.

-- 
Robert Edmonds
edmo...@debian.org
From eae8248dd18575b06eb4f899bf9485734a1b8cec Mon Sep 17 00:00:00 2001
From: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Tue, 7 Feb 2017 15:22:31 +0000
Subject: [PATCH] - Include root trust anchor id 20326 in unbound-anchor.

git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@4000 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 doc/Changelog             | 3 +++
 smallapp/unbound-anchor.c | 5 ++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/Changelog b/doc/Changelog
index 6564b8e1..9831607e 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+7 February 2017: Wouter
+	- Include root trust anchor id 20326 in unbound-anchor.
+
 6 February 2017: Wouter
 	- Fix compile on solaris of the fix to use $host detect.
 
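Review bot: the Changelog line only says that anchor 20326 is included; since the builtin DS string now carries two anchors rather than one, the entry should say that 19036 is kept alongside it and name the KSK rollover as the reason, because that is what later decides when the 2010 entry can be dropped.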
diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
index 68ff3ccc..2828088d 100644
--- a/smallapp/unbound-anchor.c
+++ b/smallapp/unbound-anchor.c
@@ -241,7 +241,10 @@ static const char*
 get_builtin_ds(void)
 {
 	return
-". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n";
+/* anchor 19036 is from 2010 */
+/* anchor 20326 is from 2017 */
+". IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
+". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
 }
 
 /** print hex data */
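Review bot: the new digest on the `". IN DS 20326 8 2 E06D...` line should be checked against the signed root anchor file IANA publishes rather than taken on trust, and the patch or Changelog should record where the value was copied from; a single wrong hex digit here silently breaks first-boot bootstrap for every install that relies on the builtin anchor, and nothing in the hunk shows the value was verified. Two smaller points: the `/* anchor 19036 is from 2010 */` and `/* anchor 20326 is from 2017 */` comments sit between `return` and its string literal, which compiles (comments are whitespace to the compiler) but splits the expression awkwardly; placing them above the `return`, or as trailing comments on each DS line, reads better. And since the covering mail says the 2010 KSK is scheduled for retirement in 2018, a follow-up to remove the 19036 line once that key is revoked is worth tracking now so the builtin list does not keep a dead anchor.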
-- 
2.11.0
