** Description changed:

  [ Impact ]
  
   * ICANN has generated the next DNSSEC root trust anchor, KSK-2024.
  
   * ICANN's current plan is that it will be required around 2026-10-11
     to 2027-01-11, but the sooner it's updated, the more unmaintained
     installations will have it when the time comes.
   * 
https://lists.dns-oarc.net/pipermail/dns-operations/2024-November/022711.html
  
   * On one hand it is "only" annoyance as e.g. named uses them as
     hints and will on start check those hints and spam you
     warnings to the logs.
  
   * On the other hand this will break. Mid term the old addresses
     will stop to work (by 2026/2027) that is the strong
     deadline until this should be updated everywhere.
  
  [ Test Plan ]
  
   * In the past on updates the self check on hints of named
-    were quite useful here (see bug 2045297) but this time
+    were quite useful here when it was updating to the new
+    keys (see bug 2045297). But this time we are not so very
+    late (which is good) and thereby that simple test does not
+    work yet (not so good).
  
- TODO - check what the old test does not (expect nothing)
  TODO - we can likely only compare against the upstream checksums this time 
then?
+ TODO - maybe use the readout tool against the content from upstream and 
verify it's content matches
  
  [ Where problems could occur ]
  
   * This isn't code, purely a data file for services that need to know
     about dns root servers. Thereby there is no code in the package itself
     that would fail, but potential regressions would be in the dependencies.
     Those are (and we can more consciously look out for those):
  
  Reverse-Recommends
  ==================
  * dnsmasq-base [amd64 arm64 armhf ppc64el s390x]
  * dnsmasq-base-lua [amd64 arm64 armhf ppc64el s390x]
  * ldnsutils [amd64 arm64 armhf ppc64el s390x]
  * libbellesip2 [amd64 arm64 armhf ppc64el s390x]
  * unbound
  * unbound-host
  
  Reverse-Depends
  ===============
  * bind9
  * dnsviz
  * hash-slinger [amd64 arm64 armhf ppc64el s390x]
  * knot-resolver [amd64 arm64 armhf]
  * libgetdns10 [amd64 arm64 armhf ppc64el s390x]
  * libreswan [amd64 arm64 armhf ppc64el s390x]
  * opendkim [amd64 arm64 armhf ppc64el s390x]
  * pdns-recursor [amd64 arm64 ppc64el s390x]
  
   * At the same time I think we'd not need to do super advanced tests with
     custom setups of each of them. Those that are reverse dependencies and
     have tests (bind9, libreswan) will be ran by autopkgtest and given the
     change, that should IMHO be sufficient.
  
  [ Other Info ]
  
   * This is a native package and we are not doing anything special
     The same landed in Debian
     => https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076995
  
-  * Given that this is changing only data and that we likely need
-    to expect updating this more or less regularly I appreciate all
-    the packaging improvements Debian made like improving readme
-    and the generation of the key from the verified XML at build
-    time. Hence I'd (just like Debian did) go for a backport
-    of the most recent version, over just picking the key content.
-    That is easier to review, easier to maintain, and as long
-    as there are no build issues better to ensure all active
-    releases are on the same state.
+  * Given that this is changing only data and that we likely need
+    to expect updating this more or less regularly I appreciate all
+    the packaging improvements Debian made like improving readme
+    and the generation of the key from the verified XML at build
+    time. Hence I'd (just like Debian did) go for a backport
+    of the most recent version, over just picking the key content.
+    That is easier to review, easier to maintain, and as long
+    as there are no build issues better to ensure all active
+    releases are on the same state.
  
  --- original report ---
  
  ICANN has generated the next DNSSEC root trust anchor, KSK-2024.
  
  ICANN's current plan is that it will be required around 2026-10-11 -
  2027-01-11, but the sooner it's updated, the more unmaintained
  installations will have it when the time comes.
  
  <https://www.iana.org/dnssec/files>
  
  <https://lists.dns-oarc.net/pipermail/dns-
  operations/2024-November/022711.html>
  
  The corresponding Debian bug is <https://bugs.debian.org/cgi-
  bin/bugreport.cgi?bug=1076995>.
  
  (Some software can automatically update the trust anchor, as long as
  it's running and connected to the Internet often enough; some cannot.)

** Description changed:

  [ Impact ]
  
   * ICANN has generated the next DNSSEC root trust anchor, KSK-2024.
  
   * ICANN's current plan is that it will be required around 2026-10-11
     to 2027-01-11, but the sooner it's updated, the more unmaintained
     installations will have it when the time comes.
   * 
https://lists.dns-oarc.net/pipermail/dns-operations/2024-November/022711.html
  
   * On one hand it is "only" annoyance as e.g. named uses them as
     hints and will on start check those hints and spam you
     warnings to the logs.
  
   * On the other hand this will break. Mid term the old addresses
     will stop to work (by 2026/2027) that is the strong
     deadline until this should be updated everywhere.
  
  [ Test Plan ]
  
   * In the past on updates the self check on hints of named
     were quite useful here when it was updating to the new
-    keys (see bug 2045297). But this time we are not so very
-    late (which is good) and thereby that simple test does not
-    work yet (not so good).
+    keys (see bug 2045297). But this time we are not so very
+    late (which is good) and thereby that simple test does not
+    work yet (not so good).
  
  TODO - we can likely only compare against the upstream checksums this time 
then?
  TODO - maybe use the readout tool against the content from upstream and 
verify it's content matches
+ TODO - while the named check and fetch will not serve as a verification, it 
still is something we want to ensure is still working after the update
  
  [ Where problems could occur ]
  
   * This isn't code, purely a data file for services that need to know
     about dns root servers. Thereby there is no code in the package itself
     that would fail, but potential regressions would be in the dependencies.
     Those are (and we can more consciously look out for those):
  
  Reverse-Recommends
  ==================
  * dnsmasq-base [amd64 arm64 armhf ppc64el s390x]
  * dnsmasq-base-lua [amd64 arm64 armhf ppc64el s390x]
  * ldnsutils [amd64 arm64 armhf ppc64el s390x]
  * libbellesip2 [amd64 arm64 armhf ppc64el s390x]
  * unbound
  * unbound-host
  
  Reverse-Depends
  ===============
  * bind9
  * dnsviz
  * hash-slinger [amd64 arm64 armhf ppc64el s390x]
  * knot-resolver [amd64 arm64 armhf]
  * libgetdns10 [amd64 arm64 armhf ppc64el s390x]
  * libreswan [amd64 arm64 armhf ppc64el s390x]
  * opendkim [amd64 arm64 armhf ppc64el s390x]
  * pdns-recursor [amd64 arm64 ppc64el s390x]
  
   * At the same time I think we'd not need to do super advanced tests with
     custom setups of each of them. Those that are reverse dependencies and
     have tests (bind9, libreswan) will be ran by autopkgtest and given the
     change, that should IMHO be sufficient.
  
  [ Other Info ]
  
   * This is a native package and we are not doing anything special
     The same landed in Debian
     => https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076995
  
   * Given that this is changing only data and that we likely need
     to expect updating this more or less regularly I appreciate all
     the packaging improvements Debian made like improving readme
     and the generation of the key from the verified XML at build
     time. Hence I'd (just like Debian did) go for a backport
     of the most recent version, over just picking the key content.
     That is easier to review, easier to maintain, and as long
     as there are no build issues better to ensure all active
     releases are on the same state.
  
  --- original report ---
  
  ICANN has generated the next DNSSEC root trust anchor, KSK-2024.
  
  ICANN's current plan is that it will be required around 2026-10-11 -
  2027-01-11, but the sooner it's updated, the more unmaintained
  installations will have it when the time comes.
  
  <https://www.iana.org/dnssec/files>
  
  <https://lists.dns-oarc.net/pipermail/dns-
  operations/2024-November/022711.html>
  
  The corresponding Debian bug is <https://bugs.debian.org/cgi-
  bin/bugreport.cgi?bug=1076995>.
  
  (Some software can automatically update the trust anchor, as long as
  it's running and connected to the Internet often enough; some cannot.)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2086795

Title:
  New DNSSEC root trust anchor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dns-root-data/+bug/2086795/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to