Bug#907887: dnsmasq: Update root DNSSEC trust anchor in stretch and jessie

2018-09-21 Thread Santiago Ruano Rincón
On Mon, 3 Sep 2018 17:18:41 +0200 "Santiago R.R." wrote:
> Source: dnsmasq
> Version: 2.72-3+deb8u2
> Severity: important
> Tags: patch
> 
> Hi Simon,
> 
> The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October
> 2018 [1]. After this date, DNS resolvers will need to have the new key
> (KSK-2017) to perform DNSSEC validation.
> 
> [1] https://www.icann.org/news/announcement-2018-08-22-en

Hi Simon,

Please find attached an NMU debdiff that would include the KSK in
stretch. May I proceed and ask release team approval, or do you want to
handle the change by yourself?

Cheers,

 -- Santiago
diff -u dnsmasq-2.76/debian/changelog dnsmasq-2.76/debian/changelog
--- dnsmasq-2.76/debian/changelog
+++ dnsmasq-2.76/debian/changelog
@@ -1,3 +1,11 @@
+dnsmasq (2.76-5+deb9u1.1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * trust-anchors.conf: include latest DNS trust anchor KSK-2017.
+(Closes: #907887)
+
+ -- Santiago Ruano Rincón   Fri, 21 Sep 2018 17:06:18 
+0200
+
 dnsmasq (2.76-5+deb9u1) stretch-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
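Review bot: The version in the new stanza, 2.76-5+deb9u1.1, appends an NMU-style ".1" to a stable revision. For an upload targeting stretch the usual form is to bump the stable counter instead, i.e. 2.76-5+deb9u2, which follows the +deb9uN pattern of the 2.76-5+deb9u1 entry directly below and sorts after it.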
only in patch2:
unchanged:
--- dnsmasq-2.76.orig/trust-anchors.conf
+++ dnsmasq-2.76/trust-anchors.conf
@@ -1,9 +1,10 @@
-# The root DNSSEC trust anchor, valid as at 30/01/2014
+# The root DNSSEC trust anchor, valid as at 10/02/2017
 
 # Note that this is a DS record (ie a hash of the root Zone Signing Key) 
 # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
 
 
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
 
 
 
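Review bot: The header comment this hunk edits still describes the DS record as "a hash of the root Zone Signing Key", while the anchor being added is the root Key Signing Key (KSK-2017 per the changelog entry). Since the first comment line is already being changed, correct that wording and the "If was downloaded" typo in the same pass, or state in the changelog that the comment text is kept verbatim from upstream. Labelling the two trust-anchor lines by key tag (19036 as the outgoing key, 20326 as KSK-2017) would also make it clear which line can be dropped once the rollover is complete.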




Bug#907887: dnsmasq: Update root DNSSEC trust anchor in stretch and jessie

2018-09-03 Thread Moritz Muehlenhoff
On Mon, Sep 03, 2018 at 05:18:41PM +0200, Santiago R.R. wrote:
> Source: dnsmasq
> Version: 2.72-3+deb8u2
> Severity: important
> Tags: patch
> 
> Hi Simon,
> 
> The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October
> 2018 [1]. After this date, DNS resolvers will need to have the new key
> (KSK-2017) to perform DNSSEC validation.
> 
> [1] https://www.icann.org/news/announcement-2018-08-22-en
> 
> AFAICS, dnsmasq in stretch and jessie [2] currently lacks the new key,
> and unless the dns-root-data package is additionally installed, users
> relying on dnsmasq for DNS resolution may encounter problems once the
> rollover occurs.
> 
> [2] https://sources.debian.org/src/dnsmasq/2.76-5+deb9u1/trust-anchors.conf/
> https://sources.debian.org/src/dnsmasq/2.72-3+deb8u2/trust-anchors.conf/
> 
> I think cherry-picking the commit [3] should prevent this in both
> suites.
> 
> [3] 
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59
> 
> Would you agree on this change, and, would you like to prepare the
> uploads by yourself?
> 
> I am CCing the security team to have their opinion, whether this should
> be handled via a security or a stable upload in stretch.

Previous updates of DNS root keys have all been handled via stretch-updates,
e.g. https://lists.debian.org/debian-stable-announce/2017/09/msg0.html

Cheers,
Moritz



Bug#907887: dnsmasq: Update root DNSSEC trust anchor in stretch and jessie

2018-09-03 Thread Santiago R.R.
Source: dnsmasq
Version: 2.72-3+deb8u2
Severity: important
Tags: patch

Hi Simon,

The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October
2018 [1]. After this date, DNS resolvers will need to have the new key
(KSK-2017) to perform DNSSEC validation.

[1] https://www.icann.org/news/announcement-2018-08-22-en

AFAICS, dnsmasq in stretch and jessie [2] currently lacks the new key,
and unless the dns-root-data package is additionally installed, users
relying on dnsmasq for DNS resolution may encounter problems once the
rollover occurs.

[2] https://sources.debian.org/src/dnsmasq/2.76-5+deb9u1/trust-anchors.conf/
https://sources.debian.org/src/dnsmasq/2.72-3+deb8u2/trust-anchors.conf/

I think cherry-picking the commit [3] should prevent this in both
suites.

[3] 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59

Would you agree on this change, and, would you like to prepare the
uploads by yourself?

I am CCing the security team to have their opinion, whether this should
be handled via a security or a stable upload in stretch.

Concerning jessie, following the LTS workflow is required:
https://wiki.debian.org/LTS/Development
If that LTS workflow is a burden for you, a member of the LTS team could
take care of it.

Best regards,

 -- Santiago

P.S. The hypothetical upload could also fix CVE-2017-15107 [3]?

[3] https://security-tracker.debian.org/tracker/CVE-2017-15107
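A check for the condition this report describes, a trust-anchors.conf that lacks KSK-2017, written as an added example that is not part of the thread or of dnsmasq. The function names are hypothetical, and the two sample files are constructed from the trust-anchor lines shown in the debdiff on this page.

```python
import string

# KSK-2017 root anchor exactly as it appears in the debdiff on this page.
KSK_2017 = (".", 20326, 8, 2,
            "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")

# Constructed sample inputs: trust-anchors.conf before and after the debdiff.
OLD_CONF = (
    "# The root DNSSEC trust anchor, valid as at 30/01/2014\n"
    "trust-anchor=.,19036,8,2,"
    "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5\n"
)
NEW_CONF = OLD_CONF + "trust-anchor=" + ",".join(map(str, KSK_2017)) + "\n"

# Hex length of a DS digest per digest type (1=SHA-1, 2=SHA-256, 4=SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}


def parse_trust_anchors(text):
    """Return (anchors, errors); anchors are (domain, tag, alg, dtype, digest)."""
    anchors, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("trust-anchor="):
            continue  # comment lines, blanks and unrelated options
        fields = [f.strip() for f in line.split("=", 1)[1].split(",")]
        if len(fields) == 6:  # optional leading class field
            fields = fields[1:]
        try:
            domain, tag, alg, dtype, digest = fields
            tag, alg, dtype = int(tag), int(alg), int(dtype)
        except ValueError:
            errors.append((lineno, "expected domain,key-tag,algorithm,digest-type,digest"))
            continue
        digest = digest.upper()
        if not 0 <= tag <= 65535:
            errors.append((lineno, "key tag out of range"))
        elif len(digest) != DIGEST_HEX_LEN.get(dtype) or set(digest) - set(string.hexdigits):
            errors.append((lineno, "digest does not match digest type %d" % dtype))
        else:
            anchors.append((domain, tag, alg, dtype, digest))
    return anchors, errors


def has_ksk_2017(text):
    """True only when a well-formed line carries the full KSK-2017 anchor."""
    return KSK_2017 in parse_trust_anchors(text)[0]
```

A truncated or mistyped digest is reported as an error and does not count as the anchor being present, so a partially applied edit is not mistaken for a fixed file.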

