Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock Control: block -1 by 925374 Control: affects -1 + src:dns-root-data
Please unblock package dns-root-data, package version 2019031302. This closes serious bug #925374 ("dns-root-data: ships an obsolete root zone signing key"), which notes that the older versions of dns-root-data ship with a root key that is now expired. This is not the absolute worst thing, because they *also* ship with the functional, current root key. But it is not a good idea to leave this sort of thing lying around, and we probably don't want to release it in buster. The debdiff between 2018091102 and 2019031302 is attached. It's a bit more complex than just dropping the keys from the distributed files, because it includes a few extra verification steps during package build, and accounts for the validity window described in IANA's root-anchors.xml. The binary diff is actually much smaller :) To properly avoid this sort of delay for future planned rollovers/transitions, I think we need marginally more sophisticated binary packages, which I've started a discussion on in #925349. But that work isn't relevant directly for the upcoming buster release. Thanks for your work on Debian buster, and sorry for the extra unblock hassle here, --dkg unblock dns-root-data/2019031302
diff --git publicsuffix-2018091102/debian/changelog publicsuffix-2019031302/debian/changelog
index 68800a6..8a4a8b3 100644
--- publicsuffix-2018091102/debian/changelog
+++ publicsuffix-2019031302/debian/changelog
@@ -1,3 +1,15 @@
+dns-root-data (2019031302) unstable; urgency=medium
+
+ * cryptographically verify root.hints
+ * get_orig_source: refresh root-anchors.{xml,p7s} as well
+ * update root data to 2019031302
+ * standards-version: bump to 4.3.0 (no changes needed)
+ * parse-root-anchors.sh: account for validity windows
+ * check: deliberately skip the TTL generated by ldns-key2ds
+ * dns-root-data is Multi-Arch: foreign
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Sat, 23 Mar 2019 15:33:17 +0100
+
 dns-root-data (2018091102) unstable; urgency=medium
 * new upstream version of root.hints, 2018091102
diff --git publicsuffix-2018091102/debian/control publicsuffix-2019031302/debian/control
index 940e507..7295849 100644
--- publicsuffix-2018091102/debian/control
+++ publicsuffix-2019031302/debian/control
@@ -8,11 +8,12 @@ Uploaders: Robert Edmonds <edmo...@debian.org>,
 Build-Depends: debhelper (>= 11~),
+ gpgv,
 ldnsutils,
 openssl,
 unbound-anchor,
 xml2,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://data.iana.org/root-anchors/
 Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
 Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
@@ -20,6 +21,7 @@ Rules-Requires-Root: no
 Package: dns-root-data
 Architecture: all
+Multi-Arch: foreign
 Depends: ${misc:Depends},
 Description: DNS root data including root zone and DNSSEC key
diff --git publicsuffix-2018091102/debian/rules publicsuffix-2019031302/debian/rules
index 3c46b59..5fe3d9a 100755
--- publicsuffix-2018091102/debian/rules
+++ publicsuffix-2019031302/debian/rules
@@ -14,11 +14,14 @@ override_dh_auto_build:
 # Verify root-anchors.xml using OpenSSL
 openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
+ # Verify root.hints
+ gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+
 # Create key from validated root-anchors.xml
 ./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 # Create key from downloaded root.key
- /usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' | sort -k 4 -n > root.ds
+ /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
 # Compare the DS from root.key and from root-anchors.xml
 diff -u root-anchors.ds root.ds
@@ -35,3 +38,7 @@ get_orig_source:
 < $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
 rm $(CURDIR)/root-auto.key
 wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root"
+ wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig"
+ # get root-anchors.xml and root-anchors.p7s as well
+ wget -O $(CURDIR)/root-anchors.xml 'http://data.iana.org/root-anchors/root-anchors.xml'
+ wget -O $(CURDIR)/root-anchors.p7s 'http://data.iana.org/root-anchors/root-anchors.p7s'
diff --git publicsuffix-2018091102/parse-root-anchors.sh publicsuffix-2019031302/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2018091102/parse-root-anchors.sh
+++ publicsuffix-2019031302/parse-root-anchors.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 export IFS="="
 xml2 | while read -r KEY VAL; do
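Review bot: The added gpgv line checks root.hints against `registry-admin.key`, a binary keyring introduced in this same diff, but nothing in the recipe records which key that is or what fingerprint is expected, so the check is only as strong as the undocumented provenance of that file and a future signer rollover will surface only as an opaque gpgv failure. Extend the comment to something like `# Verify root.hints against its detached signature; registry-admin.key is <provenance and fingerprint of the signing key — fill in>` so the trust anchor for this step is reviewable. The `cut --fields=1,3-` rewrite on the ldns-key2ds line is the right replacement for the hard-coded `s/ 172800//`, given that root.key's TTL changes to 86400 elsewhere in this diff; a why-comment such as `# drop the TTL column (field 2): it changes with the zone, not with the key` would keep the next maintainer from reverting it. The override_dh_auto_build recipe starts before this hunk and may continue past it.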
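Review bot: The two added root-anchors downloads in get_orig_source use plain `http://data.iana.org/...` while the root.hints and root.hints.sig fetches on the adjacent lines use `https://` and debian/control's Homepage field gives `https://data.iana.org/root-anchors/`; the p7s signature does authenticate the content, but it is checked with `openssl smime -verify -noverify`, so fetching over TLS is the cheap way to avoid being handed a stale xml/p7s pair in transit. Change both lines to `wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml'` and `wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s'`. Note also that get_orig_source now refreshes root.hints.sig but not registry-admin.key, which the build uses to verify it; a comment on where that keyring is refreshed from would help. The get_orig_source recipe begins before this hunk.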
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
 "/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
 "/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
 "/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+ "/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";;
+ "/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";;
 "/TrustAnchor/KeyDigest/Digest")
 DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
 if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then
 echo "Missing some KeyDigest parameter"
 exit 1
 fi
- printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
- unset KTAG ALGO DTYPE DIGEST
+ if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then
+ printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
+ elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then
+ printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
+ else
+ printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
+ fi
+ unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 ;;
 esac
 done
diff --git publicsuffix-2018091102/registry-admin.key publicsuffix-2019031302/registry-admin.key
new file mode 100644
index 0000000..9c0fb78
Binary files /dev/null and publicsuffix-2019031302/registry-admin.key differ
diff --git publicsuffix-2018091102/root-anchors.p7s publicsuffix-2019031302/root-anchors.p7s
index ee06fe5..ff40c7a 100644
Binary files publicsuffix-2018091102/root-anchors.p7s and publicsuffix-2019031302/root-anchors.p7s differ
diff --git publicsuffix-2018091102/root-anchors.xml publicsuffix-2019031302/root-anchors.xml
index bf84089..3536f08 100644
--- publicsuffix-2018091102/root-anchors.xml
+++ publicsuffix-2019031302/root-anchors.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml">
+<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml">
 <Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
 <KeyTag>19036</KeyTag>
 <Algorithm>8</Algorithm>
 <DigestType>2</DigestType>
diff --git publicsuffix-2018091102/root.hints publicsuffix-2019031302/root.hints
index 3c7d257..cfb7094 100644
--- publicsuffix-2018091102/root.hints
+++ publicsuffix-2019031302/root.hints
@@ -9,8 +9,8 @@
 ; on server FTP.INTERNIC.NET
 ; -OR- RS.INTERNIC.NET
 ;
-; last update: September 11, 2018
-; related version of root zone: 2018091102
+; last update: March 13, 2019
+; related version of root zone: 2019031302
 ;
 ; FORMERLY NS.INTERNIC.NET
 ;
diff --git publicsuffix-2018091102/root.hints.sig publicsuffix-2019031302/root.hints.sig
new file mode 100644
index 0000000..484ecc9
Binary files /dev/null and publicsuffix-2019031302/root.hints.sig differ
diff --git publicsuffix-2018091102/root.key publicsuffix-2019031302/root.key
index 956fbbd..e8941ce 100644
--- publicsuffix-2018091102/root.key
+++ publicsuffix-2019031302/root.key
@@ -1,2 +1 @@
-. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]
-. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ]
+. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]