Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Control: block -1 by 925374 
Control: affects -1 + src:dns-root-data

Please unblock package dns-root-data, package version 2019031302.

This closes serious bug #925374 ("dns-root-data: ships an obsolete root
zone signing key"), which notes that the older versions of dns-root-data
ship with a root key that is now expired.  This is not the absolute
worst thing, because they *also* ship with the functional, current root
key.  But it is not a good idea to leave this sort of thing lying
around, and we probably don't want to release it in buster.

The debdiff between 2018091102 and 2019031302 is attached.  It's a bit
more complex than just dropping the expired key from the distributed files,
because it also adds a few extra verification steps during the package build
(an OpenPGP signature check on root.hints) and accounts for the validity
window (validFrom/validUntil) described in IANA's root-anchors.xml.

The binary diff is actually much smaller :)

To properly avoid this sort of delay for future planned
rollovers/transitions, I think we need marginally more sophisticated
binary packages, which I've started a discussion on in #925349.  But
that work isn't directly relevant to the upcoming buster release.

Thanks for your work on debian buster, and sorry for the extra unblock
hassle here,

        --dkg

unblock dns-root-data/2019031302

diff --git publicsuffix-2018091102/debian/changelog publicsuffix-2019031302/debian/changelog
index 68800a6..8a4a8b3 100644
--- publicsuffix-2018091102/debian/changelog
+++ publicsuffix-2019031302/debian/changelog
@@ -1,3 +1,15 @@
+dns-root-data (2019031302) unstable; urgency=medium
+
+  * cryptographically verify root.hints
+  * get_orig_source: refresh root-anchors.{xml,p7s} as well
+  * update root data to 2019031302
+  * standards-version: bump to 4.3.0 (no changes needed)
+  * parse-root-anchors.sh: account for validity windows
+  * check: deliberately skip the TTL generated by ldns-key2ds
+  * dns-root-data is Multi-Arch: foreign
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net>  Sat, 23 Mar 2019 15:33:17 +0100
+
 dns-root-data (2018091102) unstable; urgency=medium
 
   * new upstream version of root.hints, 2018091102
diff --git publicsuffix-2018091102/debian/control publicsuffix-2019031302/debian/control
index 940e507..7295849 100644
--- publicsuffix-2018091102/debian/control
+++ publicsuffix-2019031302/debian/control
@@ -8,11 +8,12 @@ Uploaders:
  Robert Edmonds <edmo...@debian.org>,
 Build-Depends:
  debhelper (>= 11~),
+ gpgv,
  ldnsutils,
  openssl,
  unbound-anchor,
  xml2,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://data.iana.org/root-anchors/
 Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
 Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
@@ -20,6 +21,7 @@ Rules-Requires-Root: no
 
 Package: dns-root-data
 Architecture: all
+Multi-Arch: foreign
 Depends:
  ${misc:Depends},
 Description: DNS root data including root zone and DNSSEC key
diff --git publicsuffix-2018091102/debian/rules publicsuffix-2019031302/debian/rules
index 3c46b59..5fe3d9a 100755
--- publicsuffix-2018091102/debian/rules
+++ publicsuffix-2019031302/debian/rules
@@ -14,11 +14,14 @@ override_dh_auto_build:
 	# Verify root-anchors.xml using OpenSSL
 	openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
 
+	# Verify root.hints
+	gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+
 	# Create key from validated root-anchors.xml
 	./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
 	# Create key from downloaded root.key
-	/usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' | sort -k 4 -n > root.ds
+	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
 
 	# Compare the DS from root.key and from root-anchors.xml
 	diff -u root-anchors.ds root.ds
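Review bot: The new gpgv call in the "Verify root.hints" step anchors all trust in registry-admin.key, which enters the tree as an opaque binary with nothing recording which key it is or where it was fetched from; a comment on the line above it such as `# registry-admin.key: InterNIC registry-admin OpenPGP key, fingerprint <…>, fetched from <URL>` would let a future updater confirm they are pinning the same key. The check does fail closed, since gpgv exits non-zero on a bad or missing signature and make aborts the recipe. One thing to confirm: I believe gpgv reports an expired signing key only as an EXPKEYSIG status line rather than via its exit code, so if key expiry should block the build, `--status-fd` output would need to be checked too. Note also that the adjacent openssl line keeps `-noverify`, so root-anchors.xml is still only checked against whatever certificate is embedded in the .p7s, which is weaker than the pinned-key check now applied to root.hints.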
@@ -35,3 +38,7 @@ get_orig_source:
 	< $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
 	rm $(CURDIR)/root-auto.key
 	wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root";
+	wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig";
+	# get root-anchors.xml and root-anchors.p7s as well
+	wget -O $(CURDIR)/root-anchors.xml 'http://data.iana.org/root-anchors/root-anchors.xml'
+	wget -O $(CURDIR)/root-anchors.p7s 'http://data.iana.org/root-anchors/root-anchors.p7s'
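Review bot: The two new root-anchors fetches use plain `http://` while the root.hints lines just above use `https://`; because the downloaded .p7s is later verified with `openssl smime -verify -noverify` (no certificate-chain check) in the build step, transport integrity is doing real work here, so these should be `wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml'` and `wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s'` (the Homepage field already points at the https host). Also, `wget -O` leaves a truncated or empty file behind on a failed download, so a later build would then fail on the signature check rather than on the fetch; acceptable for a maintainer-only target, but worth a comment. The trailing `;` after the closing quote on the named.root lines looks like a mail-archive artifact rather than part of the recipe, but please confirm against the source tree.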
diff --git publicsuffix-2018091102/parse-root-anchors.sh publicsuffix-2019031302/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2018091102/parse-root-anchors.sh
+++ publicsuffix-2019031302/parse-root-anchors.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 
 export IFS="="
 xml2 | while read -r KEY VAL; do
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
 	"/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
 	"/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
 	"/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+	"/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";;
+	"/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";;
 	"/TrustAnchor/KeyDigest/Digest")
 	    DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
 	    if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then
 		echo "Missing some KeyDigest parameter"
 		exit 1
 	    fi
-	    printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
-	    unset KTAG ALGO DTYPE DIGEST
+            if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then
+                printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
+            elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then
+                printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
+            else
+	        printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
+            fi
+	    unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 	    ;;
     esac
 done
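Review bot: The validity-window test added in the Digest case reads the wall clock via `$(date +%s)` in both branches, so the generated root-anchors.ds — and therefore whether the `diff -u root-anchors.ds root.ds` check in debian/rules passes — depends on when the package is built rather than only on its inputs, which breaks reproducible builds and means a rebuild of this exact source years later could silently drop a key or fail. Honouring SOURCE_DATE_EPOCH keeps the check and makes it deterministic: set `NOW="${SOURCE_DATE_EPOCH:-$(date +%s)}"` once before the `xml2 |` pipeline and compare against `"$NOW"` in both `[ ... -lt/-gt ... ]` tests. Separately, `date -d` is GNU-specific, and if validFrom/validUntil were ever malformed the inner `$(date ...)` expands to empty and `[ "" -lt ... ]` errors out; that is a reasonable fail-closed outcome but deserves a one-line comment. The skip is reported on stderr without changing the exit status, which reads as intentional since the DS diff in debian/rules is what actually enforces agreement; the enclosing `while read` loop begins outside this hunk, and note its `exit 1` only leaves the pipeline subshell.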
diff --git publicsuffix-2018091102/registry-admin.key publicsuffix-2019031302/registry-admin.key
new file mode 100644
index 0000000..9c0fb78
Binary files /dev/null and publicsuffix-2019031302/registry-admin.key differ
diff --git publicsuffix-2018091102/root-anchors.p7s publicsuffix-2019031302/root-anchors.p7s
index ee06fe5..ff40c7a 100644
Binary files publicsuffix-2018091102/root-anchors.p7s and publicsuffix-2019031302/root-anchors.p7s differ
diff --git publicsuffix-2018091102/root-anchors.xml publicsuffix-2019031302/root-anchors.xml
index bf84089..3536f08 100644
--- publicsuffix-2018091102/root-anchors.xml
+++ publicsuffix-2019031302/root-anchors.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml";>
+<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml";>
 <Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
 <KeyTag>19036</KeyTag>
 <Algorithm>8</Algorithm>
 <DigestType>2</DigestType>
diff --git publicsuffix-2018091102/root.hints publicsuffix-2019031302/root.hints
index 3c7d257..cfb7094 100644
--- publicsuffix-2018091102/root.hints
+++ publicsuffix-2019031302/root.hints
@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ; 
-;       last update:     September 11, 2018 
-;       related version of root zone:     2018091102
+;       last update:     March 13, 2019 
+;       related version of root zone:     2019031302
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;
diff --git publicsuffix-2018091102/root.hints.sig publicsuffix-2019031302/root.hints.sig
new file mode 100644
index 0000000..484ecc9
Binary files /dev/null and publicsuffix-2019031302/root.hints.sig differ
diff --git publicsuffix-2018091102/root.key publicsuffix-2019031302/root.key
index 956fbbd..e8941ce 100644
--- publicsuffix-2018091102/root.key
+++ publicsuffix-2019031302/root.key
@@ -1,2 +1 @@
-.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
-.	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ]
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
