Package: release.debian.org Severity: important Tags: stretch User: release.debian.org@packages.debian.org Usertags: pu Dear stable release managers, I'd like to propose the attached dnsmasq NMU to update the DNSSEC trust anchor shipped with the package, to the forthcoming KSK-2017, whose rollover will be happen next Thursday (2018-10-11). Please see #907887: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907887 While I have no feedback from Simon (in CC, and I hope he's doing well), I think this upload is important to prevent issues in non-default scenarios, where dnsmasq is running with DNSSEC enabled and relying on the trust anchors file included in dnsmasq-base. May I go ahead? Cheers, -- Santiago
diff -u dnsmasq-2.76/debian/changelog dnsmasq-2.76/debian/changelog --- dnsmasq-2.76/debian/changelog +++ dnsmasq-2.76/debian/changelog @@ -1,3 +1,11 @@ +dnsmasq (2.76-5+deb9u1.1) stretch; urgency=medium + + * Non-maintainer upload. + * trust-anchors.conf: include latest DNS trust anchor KSK-2017. + (Closes: #907887) + + -- Santiago Ruano Rincón <santiagorr@riseup.net> Fri, 21 Sep 2018 17:06:18 +0200 + dnsmasq (2.76-5+deb9u1) stretch-security; urgency=high * Non-maintainer upload by the Security Team. only in patch2: unchanged: --- dnsmasq-2.76.orig/trust-anchors.conf +++ dnsmasq-2.76/trust-anchors.conf @@ -1,9 +1,10 @@ -# The root DNSSEC trust anchor, valid as at 30/01/2014 +# The root DNSSEC trust anchor, valid as at 10/02/2017 # Note that this is a DS record (ie a hash of the root Zone Signing Key) # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
Attachment:
signature.asc
Description: PGP signature