
Bug#925351: stretch-pu: package dns-root-data/2019031302~deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Control: affects -1 src:dns-root-data

Please consider an update to dns-root-data in debian stretch.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.  In particular, it
removes a DNSSEC root key that is expired.

For future DNSSEC root key rollovers, we should do something better than
a package upgrade (see https://bugs.debian.org/925349) but for now this
is the least restrictive change.

The debdiff from the previous version in stretch is attached.

This proposed release is also available at the
"debian/2019031302_deb9u1" tag on the "debian/stretch" branch at
the git repo for dns-root-data packaging:

    https://salsa.debian.org/dns-team/dns-root-data

Please follow up on this ticket to confirm whether I should upload this
revision to stretch.

Thanks for helping to maintain debian's stable release!

       --dkg

diff --git publicsuffix-2017072601~deb9u1/debian/changelog publicsuffix-2019031302~deb9u1/debian/changelog
index 036aebe..660bdd3 100644
--- publicsuffix-2017072601~deb9u1/debian/changelog
+++ publicsuffix-2019031302~deb9u1/debian/changelog
@@ -1,3 +1,19 @@
+dns-root-data (2019031302~deb9u1) stretch; urgency=medium
+
+  * Rebuild for stretch-backports.
+  * d/control: move Vcs-* to salsa.debian.org
+  * d/control: use dns-root-data@packages.debian.org as Maintainer
+  * sort generated .ds files by key tag
+  * Update root.hints to 2018013001
+  * Update order of root.key to follow output of unbound-anchor
+  * use DEP-14 branches
+  * update root data to 2019031302
+  * parse-root-anchors.sh: account for validity windows
+  * check: deliberately skip the TTL generated by ldns-key2ds
+  * add myself to uploaders
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 23 Mar 2019 15:43:27 +0100
+
 dns-root-data (2017072601~deb9u1) stretch; urgency=high
 
   * Update root.hints to 2017072601 version
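Review bot: the first bullet of the new entry, "Rebuild for stretch-backports.", does not match the distribution field on the header line, which targets "stretch". It reads as a leftover from a backports changelog; drop it or reword it so the entry describes a stable proposed update. The directory names in the diff headers (publicsuffix-...) also do not match the source package name dns-root-data, which is worth confirming before upload.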
diff --git publicsuffix-2017072601~deb9u1/debian/control publicsuffix-2019031302~deb9u1/debian/control
index 8413872..bd0ab25 100644
--- publicsuffix-2017072601~deb9u1/debian/control
+++ publicsuffix-2019031302~deb9u1/debian/control
@@ -1,8 +1,9 @@
 Source: dns-root-data
 Section: misc
 Priority: optional
-Maintainer: Debian DNS Maintainers <pkg-dns-devel@lists.alioth.debian.org>
+Maintainer: dns-root-data packagers <dns-root-data@packages.debian.org>
 Uploaders: Ondřej Surý <ondrej@debian.org>,
+           Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
 	   Robert Edmonds <edmonds@debian.org>
 Build-Depends: debhelper (>= 8.0.0),
 	       unbound-anchor,
@@ -11,8 +12,8 @@ Build-Depends: debhelper (>= 8.0.0),
 	       xml2
 Standards-Version: 3.9.6
 Homepage: https://data.iana.org/root-anchors/
-Vcs-Git: git://git.debian.org/pkg-dns/dns-root-data.git
-Vcs-Browser: http://git.debian.org/?p=pkg-dns/dns-root-data.git;a=summary
+Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git -b debian/stretch
+Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
 
 Package: dns-root-data
 Architecture: all
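Review bot: Vcs-Git now names the branch with "-b debian/stretch", but Vcs-Browser points at the repository root, which shows the default branch rather than the one this upload is built from. Consider pointing Vcs-Browser at the debian/stretch branch view so both fields lead to the same packaging history.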
diff --git publicsuffix-2017072601~deb9u1/debian/gbp.conf publicsuffix-2019031302~deb9u1/debian/gbp.conf
index 3b27f6d..9453f5b 100644
--- publicsuffix-2017072601~deb9u1/debian/gbp.conf
+++ publicsuffix-2019031302~deb9u1/debian/gbp.conf
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch = master-stretch
+debian-branch = debian/stretch
diff --git publicsuffix-2017072601~deb9u1/debian/rules publicsuffix-2019031302~deb9u1/debian/rules
index b697fc0..453b594 100755
--- publicsuffix-2017072601~deb9u1/debian/rules
+++ publicsuffix-2019031302~deb9u1/debian/rules
@@ -15,13 +15,13 @@ override_dh_auto_build:
 	openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
 
 	# Create key from validated root-anchors.xml
-	./parse-root-anchors.sh < root-anchors.xml > root-anchors.ds
+	./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
 	# Create key from downloaded root.key
-	/usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' > root.ds
+	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
 
 	# Compare the DS from root.key and from root-anchors.xml
-	diff root-anchors.ds root.ds
+	diff -u root-anchors.ds root.ds
 
 override_dh_auto_clean:
 	rm -f root-anchors.ds root.ds
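Review bot: piping ./parse-root-anchors.sh into "sort -k 4 -n" makes the recipe line return the status of sort, so the script's "exit 1" on a missing KeyDigest parameter no longer stops the build at that line (unless the rules file selects a shell with pipefail, which this hunk does not show). The build then depends on the later "diff -u" noticing the damage. The same applies to the ldns-key2ds pipeline. Writing each tool's output to a temporary file and sorting it in a second command keeps the exit status checked. It would also help to add a comment on the "cut --fields=1,3-" line saying that it drops the TTL column, since the hard-coded 172800 it replaces was self-explanatory and the field numbers are not.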
diff --git publicsuffix-2017072601~deb9u1/parse-root-anchors.sh publicsuffix-2019031302~deb9u1/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2017072601~deb9u1/parse-root-anchors.sh
+++ publicsuffix-2019031302~deb9u1/parse-root-anchors.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 
 export IFS="="
 xml2 | while read -r KEY VAL; do
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
 	"/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
 	"/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
 	"/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+	"/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";;
+	"/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";;
 	"/TrustAnchor/KeyDigest/Digest")
 	    DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
 	    if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then
 		echo "Missing some KeyDigest parameter"
 		exit 1
 	    fi
-	    printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
-	    unset KTAG ALGO DTYPE DIGEST
+            if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then
+                printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
+            elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then
+                printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
+            else
+	        printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
+            fi
+	    unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 	    ;;
     esac
 done
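Review bot: the validity checks fail open when a timestamp cannot be parsed. In the "validUntil" test, if date -d "$EXPIRES" fails, the command substitution is empty, the "[ ... -lt ... ]" test errors out with a non-zero status, the if and elif are both treated as false, and the else branch prints the DS record as valid. Compute the two epoch values into variables first and exit 1 when date fails, so a malformed validUntil or validFrom stops the build instead of admitting the digest. Two smaller points: the comparison uses the build machine's clock, so the generated root-anchors.ds depends on when the package is built, and the added lines are indented with spaces while the surrounding lines use tabs.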
diff --git publicsuffix-2017072601~deb9u1/root-anchors.p7s publicsuffix-2019031302~deb9u1/root-anchors.p7s
index ee06fe5..ff40c7a 100644
Binary files publicsuffix-2017072601~deb9u1/root-anchors.p7s and publicsuffix-2019031302~deb9u1/root-anchors.p7s differ
diff --git publicsuffix-2017072601~deb9u1/root-anchors.xml publicsuffix-2019031302~deb9u1/root-anchors.xml
index bf84089..3536f08 100644
--- publicsuffix-2017072601~deb9u1/root-anchors.xml
+++ publicsuffix-2019031302~deb9u1/root-anchors.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml";>
+<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml";>
 <Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
 <KeyTag>19036</KeyTag>
 <Algorithm>8</Algorithm>
 <DigestType>2</DigestType>
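Review bot: both TrustAnchor lines end the source attribute with a semicolon after the closing quote, before the ">", which is not well-formed XML. This is probably introduced by the mail archive rather than present in the file, but since root-anchors.xml is checked against root-anchors.p7s at build time, confirm that the file in the tagged tree is byte-identical to the one published by IANA.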
diff --git publicsuffix-2017072601~deb9u1/root.hints publicsuffix-2019031302~deb9u1/root.hints
index 86cd815..cfb7094 100644
--- publicsuffix-2017072601~deb9u1/root.hints
+++ publicsuffix-2019031302~deb9u1/root.hints
@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ; 
-;       last update:     July 26, 2017 
-;       related version of root zone:     2017072601
+;       last update:     March 13, 2019 
+;       related version of root zone:     2019031302
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;
@@ -21,7 +21,7 @@ A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
 ; FORMERLY NS1.ISI.EDU 
 ;
 .                        3600000      NS    B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
 B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
 ; 
 ; FORMERLY C.PSI.NET 
diff --git publicsuffix-2017072601~deb9u1/root.key publicsuffix-2019031302~deb9u1/root.key
index af563d6..e8941ce 100644
--- publicsuffix-2017072601~deb9u1/root.key
+++ publicsuffix-2019031302~deb9u1/root.key
@@ -1,2 +1 @@
-.	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ]
-.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
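Review bot: this hunk removes the DNSKEY with id 19036 and leaves only 20326, which is the change resolvers using this package will actually see, yet no changelog bullet names it; "update root data to 2019031302" and "Update order of root.key" are the closest. Add an explicit changelog line stating that KSK 19036 is dropped from root.key, matching the validUntil="2019-01-11T00:00:00+00:00" added for that key in root-anchors.xml. The TTL on the remaining record also changes from 172800 to 86400, which is why debian/rules can no longer strip a fixed value.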

Attachment: signature.asc
Description: PGP signature

