Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: block -1 by 925374
Control: affects -1 + src:dns-root-data
Please unblock package dns-root-data, package version 2019031302.
This closes serious bug #925374 ("dns-root-data: ships an obsolete root
zone signing key"), which notes that the older versions of dns-root-data
ship with a root key that is now expired. This is not the absolute
worst thing, because they *also* ship with the functional, current root
key. But it is not a good idea to leave this sort of thing lying
around, and we probably don't want to release it in buster.
The debdiff between 2018091102 and 2019031302 is attached. It's a bit
more complex than just dropping the keys from the distributed files,
because it includes a few extra verification steps during package build,
and accounts for the validity window described in iana's
root-anchors.xml.
The binary diff is actually much smaller :)
To properly avoid this sort of delay for future planned
rollovers/transitions, i think we need marginally more sophisticated
binary packages; i've started a discussion on this in #925349. But
that work isn't directly relevant for the upcoming buster release.
Thanks for your work on debian buster, and sorry for the extra unblock
hassle here,
--dkg
unblock dns-root-data/2019031302
diff --git publicsuffix-2018091102/debian/changelog publicsuffix-2019031302/debian/changelog
index 68800a6..8a4a8b3 100644
--- publicsuffix-2018091102/debian/changelog
+++ publicsuffix-2019031302/debian/changelog
@@ -1,3 +1,15 @@
+dns-root-data (2019031302) unstable; urgency=medium
+
+ * cryptographically verify root.hints
+ * get_orig_source: refresh root-anchors.{xml,p7s} as well
+ * update root data to 2019031302
+ * standards-version: bump to 4.3.0 (no changes needed)
+ * parse-root-anchors.sh: account for validity windows
+ * check: deliberately skip the TTL generated by ldns-key2ds
+ * dns-root-data is Multi-Arch: foreign
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 23 Mar 2019 15:33:17 +0100
+
dns-root-data (2018091102) unstable; urgency=medium
* new upstream version of root.hints, 2018091102
diff --git publicsuffix-2018091102/debian/control publicsuffix-2019031302/debian/control
index 940e507..7295849 100644
--- publicsuffix-2018091102/debian/control
+++ publicsuffix-2019031302/debian/control
@@ -8,11 +8,12 @@ Uploaders:
Robert Edmonds <edmonds@debian.org>,
Build-Depends:
debhelper (>= 11~),
+ gpgv,
ldnsutils,
openssl,
unbound-anchor,
xml2,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
Homepage: https://data.iana.org/root-anchors/
Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
@@ -20,6 +21,7 @@ Rules-Requires-Root: no
Package: dns-root-data
Architecture: all
+Multi-Arch: foreign
Depends:
${misc:Depends},
Description: DNS root data including root zone and DNSSEC key
diff --git publicsuffix-2018091102/debian/rules publicsuffix-2019031302/debian/rules
index 3c46b59..5fe3d9a 100755
--- publicsuffix-2018091102/debian/rules
+++ publicsuffix-2019031302/debian/rules
@@ -14,11 +14,14 @@ override_dh_auto_build:
# Verify root-anchors.xml using OpenSSL
openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
+ # Verify root.hints
+ gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+
# Create key from validated root-anchors.xml
./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
# Create key from downloaded root.key
- /usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' | sort -k 4 -n > root.ds
+ /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
# Compare the DS from root.key and from root-anchors.xml
diff -u root-anchors.ds root.ds
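Review bot: The new gpgv line introduces a vendored trust anchor, registry-admin.key, but neither this hunk nor the new binary file records where that key came from or how its fingerprint was confirmed, and get_orig_source (later in this file) refreshes root.hints.sig without refreshing the key it is verified against. Since gpgv treats every key in the supplied keyring as trusted, a short comment above the call documenting the key's origin and expected fingerprint would let a maintainer re-validate it when the signer rotates, e.g. `# Verify root.hints against the vendored registry-admin.key (obtained out of band from <KEY_SOURCE_URL placeholder>; fingerprint <FINGERPRINT placeholder>)`. The override_dh_auto_build target begins before this hunk.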
@@ -35,3 +38,7 @@ get_orig_source:
< $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
rm $(CURDIR)/root-auto.key
wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root"
+ wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig"
+ # get root-anchors.xml and root-anchors.p7s as well
+ wget -O $(CURDIR)/root-anchors.xml 'http://data.iana.org/root-anchors/root-anchors.xml'
+ wget -O $(CURDIR)/root-anchors.p7s 'http://data.iana.org/root-anchors/root-anchors.p7s'
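Review bot: The two new wget lines at the end of the hunk fetch root-anchors.xml and root-anchors.p7s over plain http://, while root.hints.sig two lines above is fetched over https and debian/control's Homepage field in this same debdiff already points at https://data.iana.org/root-anchors/. If I read the earlier `openssl smime -verify -noverify` step correctly, it checks the CMS signature against the certificate carried in the .p7s without validating that certificate's chain, so the transport is what ties the fetched pair to IANA at refresh time; changing both URLs to `https://data.iana.org/root-anchors/root-anchors.xml` and `https://data.iana.org/root-anchors/root-anchors.p7s` closes that gap cheaply. The get_orig_source target begins before this hunk.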
diff --git publicsuffix-2018091102/parse-root-anchors.sh publicsuffix-2019031302/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2018091102/parse-root-anchors.sh
+++ publicsuffix-2019031302/parse-root-anchors.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
export IFS="="
xml2 | while read -r KEY VAL; do
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
"/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
"/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
"/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+ "/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";;
+ "/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";;
"/TrustAnchor/KeyDigest/Digest")
DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then
echo "Missing some KeyDigest parameter"
exit 1
fi
- printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
- unset KTAG ALGO DTYPE DIGEST
+ if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then
+ printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
+ elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then
+ printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
+ else
+ printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
+ fi
+ unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
;;
esac
done
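Review bot: In the new validity check, an unparseable validUntil or validFrom value is silently treated as valid: if `date -d` rejects the string, the command substitution expands to empty, `[ "" -lt ... ]` fails as a non-integer comparison, and control falls through to the `else` branch, which emits the DS. Parsing each timestamp once with an explicit failure path, and comparing against a single `$(date +%s)` snapshot, turns a bad timestamp into a build failure instead; the sketch below does that, and the new EXP_TS/BEGIN_TS names should also be added to the `unset` line at the top of the script, outside this hunk. `date -d` is a GNU extension under `#!/bin/sh`, which is fine for a Debian build but worth a one-line comment. The enclosing `while read` loop starts before this hunk.
```shell
"/TrustAnchor/KeyDigest/Digest")
    DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
    # … unchanged: missing-parameter check …
    # GNU date -d; a timestamp that does not parse must fail the build,
    # not silently pass the key through as valid.
    NOW="$(date +%s)"
    if [ -n "$EXPIRES" ]; then
        EXP_TS="$(date +%s -d "$EXPIRES")" || { printf 'Cannot parse validUntil %s\n' "$EXPIRES" >&2; exit 1; }
    fi
    if [ -n "$BEGINS" ]; then
        BEGIN_TS="$(date +%s -d "$BEGINS")" || { printf 'Cannot parse validFrom %s\n' "$BEGINS" >&2; exit 1; }
    fi
    if [ -n "$EXP_TS" ] && [ "$EXP_TS" -lt "$NOW" ]; then
        printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
    elif [ -n "$BEGIN_TS" ] && [ "$BEGIN_TS" -gt "$NOW" ]; then
        printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
    else
        printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
    fi
    unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS EXP_TS BEGIN_TS
    ;;
```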
diff --git publicsuffix-2018091102/registry-admin.key publicsuffix-2019031302/registry-admin.key
new file mode 100644
index 0000000..9c0fb78
Binary files /dev/null and publicsuffix-2019031302/registry-admin.key differ
diff --git publicsuffix-2018091102/root-anchors.p7s publicsuffix-2019031302/root-anchors.p7s
index ee06fe5..ff40c7a 100644
Binary files publicsuffix-2018091102/root-anchors.p7s and publicsuffix-2019031302/root-anchors.p7s differ
diff --git publicsuffix-2018091102/root-anchors.xml publicsuffix-2019031302/root-anchors.xml
index bf84089..3536f08 100644
--- publicsuffix-2018091102/root-anchors.xml
+++ publicsuffix-2019031302/root-anchors.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml">
+<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
<KeyTag>19036</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
diff --git publicsuffix-2018091102/root.hints publicsuffix-2019031302/root.hints
index 3c7d257..cfb7094 100644
--- publicsuffix-2018091102/root.hints
+++ publicsuffix-2019031302/root.hints
@@ -9,8 +9,8 @@
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
-; last update: September 11, 2018
-; related version of root zone: 2018091102
+; last update: March 13, 2019
+; related version of root zone: 2019031302
;
; FORMERLY NS.INTERNIC.NET
;
diff --git publicsuffix-2018091102/root.hints.sig publicsuffix-2019031302/root.hints.sig
new file mode 100644
index 0000000..484ecc9
Binary files /dev/null and publicsuffix-2019031302/root.hints.sig differ
diff --git publicsuffix-2018091102/root.key publicsuffix-2019031302/root.key
index 956fbbd..e8941ce 100644
--- publicsuffix-2018091102/root.key
+++ publicsuffix-2019031302/root.key
@@ -1,2 +1 @@
-. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]
-. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ]
+. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]