
Bug#925376: marked as done (unblock: dns-root-data/2019031302)



Your message dated Sun, 24 Mar 2019 14:47:00 +0000
with message-id <0b35c97d-7605-1f9f-75aa-723da1d7b3f4@thykier.net>
and subject line Re: Bug#925376: unblock: dns-root-data/2019031302
has caused the Debian Bug report #925376,
regarding unblock: dns-root-data/2019031302
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925376
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: block -1 by 925374 
Control: affects -1 + src:dns-root-data

Please unblock package dns-root-data, package version 2019031302.

This closes serious bug #925374 ("dns-root-data: ships an obsolete root
zone signing key"), which notes that the older versions of dns-root-data
ship with a root key that is now expired.  This is not the absolute
worst thing, because they *also* ship with the functional, current root
key.  But it is not a good idea to leave this sort of thing lying
around, and we probably don't want to release it in buster.

The debdiff between 2018091102 and 2019031302 is attached.  It's a bit
more complex than just dropping the keys from the distributed files,
because it includes a few extra verification steps during package build,
and accounts for the validity window described in IANA's
root-anchors.xml.

The binary diff is actually much smaller :)

To properly avoid this sort of delay for future planned
rollovers/transitions, I think we need marginally more sophisticated
binary packages, which I've started a discussion on in #925349.  But
that work isn't directly relevant for the upcoming buster release.

Thanks for your work on debian buster, and sorry for the extra unblock
hassle here,

        --dkg

unblock dns-root-data/2019031302

diff --git publicsuffix-2018091102/debian/changelog publicsuffix-2019031302/debian/changelog
index 68800a6..8a4a8b3 100644
--- publicsuffix-2018091102/debian/changelog
+++ publicsuffix-2019031302/debian/changelog
@@ -1,3 +1,15 @@
+dns-root-data (2019031302) unstable; urgency=medium
+
+  * cryptographically verify root.hints
+  * get_orig_source: refresh root-anchors.{xml,p7s} as well
+  * update root data to 2019031302
+  * standards-version: bump to 4.3.0 (no changes needed)
+  * parse-root-anchors.sh: account for validity windows
+  * check: deliberately skip the TTL generated by ldns-key2ds
+  * dns-root-data is Multi-Arch: foreign
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 23 Mar 2019 15:33:17 +0100
+
 dns-root-data (2018091102) unstable; urgency=medium
 
   * new upstream version of root.hints, 2018091102
diff --git publicsuffix-2018091102/debian/control publicsuffix-2019031302/debian/control
index 940e507..7295849 100644
--- publicsuffix-2018091102/debian/control
+++ publicsuffix-2019031302/debian/control
@@ -8,11 +8,12 @@ Uploaders:
  Robert Edmonds <edmonds@debian.org>,
 Build-Depends:
  debhelper (>= 11~),
+ gpgv,
  ldnsutils,
  openssl,
  unbound-anchor,
  xml2,
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
 Homepage: https://data.iana.org/root-anchors/
 Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
 Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
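Review bot: the new gpgv build-dependency is only as good as the keyring it is pointed at, and registry-admin.key arrives in this debdiff as an opaque binary file with no provenance recorded anywhere in the diff (no fingerprint, no note of where it was fetched from). Suggest documenting the expected key fingerprint and its source next to the get_orig_source target or in a README, so a later maintainer can confirm the keyring has not been swapped or drifted.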
@@ -20,6 +21,7 @@ Rules-Requires-Root: no
 
 Package: dns-root-data
 Architecture: all
+Multi-Arch: foreign
 Depends:
  ${misc:Depends},
 Description: DNS root data including root zone and DNSSEC key
diff --git publicsuffix-2018091102/debian/rules publicsuffix-2019031302/debian/rules
index 3c46b59..5fe3d9a 100755
--- publicsuffix-2018091102/debian/rules
+++ publicsuffix-2019031302/debian/rules
@@ -14,11 +14,14 @@ override_dh_auto_build:
 	# Verify root-anchors.xml using OpenSSL
 	openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
 
+	# Verify root.hints
+	gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+
 	# Create key from validated root-anchors.xml
 	./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
 	# Create key from downloaded root.key
-	/usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' | sort -k 4 -n > root.ds
+	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
 
 	# Compare the DS from root.key and from root-anchors.xml
 	diff -u root-anchors.ds root.ds
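Review bot: the cut-based replacement for the old `sed -e 's/ 172800//'` is the right fix, since a hard-coded TTL silently stops matching as soon as root.key carries a different value (the root.key hunk below changes it from 172800 to 86400), leaving the TTL in root.ds and breaking the diff against root-anchors.ds; please add a comment on that line saying the TTL field is dropped on purpose, because at present the only place this intent is stated is the changelog entry "check: deliberately skip the TTL generated by ldns-key2ds". The gpgv step is fine as a build-failing check (a bad or missing signature makes the recipe fail), but the "Verify root.hints" comment should name the expected signer so the purpose of registry-admin.key is clear from the rules file alone.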
@@ -35,3 +38,7 @@ get_orig_source:
 	< $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
 	rm $(CURDIR)/root-auto.key
 	wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root";
+	wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig";
+	# get root-anchors.xml and root-anchors.p7s as well
+	wget -O $(CURDIR)/root-anchors.xml 'http://data.iana.org/root-anchors/root-anchors.xml'
+	wget -O $(CURDIR)/root-anchors.p7s 'http://data.iana.org/root-anchors/root-anchors.p7s'
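Review bot: the two new root-anchors downloads use plain http:// while named.root and named.root.sig are fetched over https:// and the package's own Homepage field points at https://data.iana.org/root-anchors/. The p7s check in override_dh_auto_build does authenticate the XML content, but it runs openssl smime with -noverify, so the signer certificate is not chain-validated; fetching both files over https costs nothing and gives a second, independent check against a tampered download. Suggest switching these two URLs to https.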
diff --git publicsuffix-2018091102/parse-root-anchors.sh publicsuffix-2019031302/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2018091102/parse-root-anchors.sh
+++ publicsuffix-2019031302/parse-root-anchors.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 
 export IFS="="
 xml2 | while read -r KEY VAL; do
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
 	"/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
 	"/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
 	"/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+	"/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";;
+	"/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";;
 	"/TrustAnchor/KeyDigest/Digest")
 	    DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
 	    if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then
 		echo "Missing some KeyDigest parameter"
 		exit 1
 	    fi
-	    printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
-	    unset KTAG ALGO DTYPE DIGEST
+            if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then
+                printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
+            elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then
+                printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
+            else
+	        printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
+            fi
+	    unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 	    ;;
     esac
 done
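Review bot: the new branches compare `$(date +%s -d "$EXPIRES")` and `$(date +%s -d "$BEGINS")` with -lt/-gt, but if date cannot parse a timestamp the substitution is empty, the test prints "integer expression expected" and evaluates false, and the script falls through to the else branch and emits the DS anyway; since the diff in debian/rules is the only downstream check, an unparsable validUntil would be treated as "still valid". Suggest checking date's exit status (or failing the script on an unparsable window) rather than relying on the comparison to fail. Two smaller points: the check is evaluated against the build clock, so root-anchors.ds depends on when the package is built (a build before 2019-01-11 keeps key 19036, a build after drops it), which is worth a comment and would be better anchored on SOURCE_DATE_EPOCH when it is set; and the inserted lines use spaces where the surrounding file uses tabs.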
diff --git publicsuffix-2018091102/registry-admin.key publicsuffix-2019031302/registry-admin.key
new file mode 100644
index 0000000..9c0fb78
Binary files /dev/null and publicsuffix-2019031302/registry-admin.key differ
diff --git publicsuffix-2018091102/root-anchors.p7s publicsuffix-2019031302/root-anchors.p7s
index ee06fe5..ff40c7a 100644
Binary files publicsuffix-2018091102/root-anchors.p7s and publicsuffix-2019031302/root-anchors.p7s differ
diff --git publicsuffix-2018091102/root-anchors.xml publicsuffix-2019031302/root-anchors.xml
index bf84089..3536f08 100644
--- publicsuffix-2018091102/root-anchors.xml
+++ publicsuffix-2019031302/root-anchors.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml";>
+<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml";>
 <Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
 <KeyTag>19036</KeyTag>
 <Algorithm>8</Algorithm>
 <DigestType>2</DigestType>
diff --git publicsuffix-2018091102/root.hints publicsuffix-2019031302/root.hints
index 3c7d257..cfb7094 100644
--- publicsuffix-2018091102/root.hints
+++ publicsuffix-2019031302/root.hints
@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ; 
-;       last update:     September 11, 2018 
-;       related version of root zone:     2018091102
+;       last update:     March 13, 2019 
+;       related version of root zone:     2019031302
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;
diff --git publicsuffix-2018091102/root.hints.sig publicsuffix-2019031302/root.hints.sig
new file mode 100644
index 0000000..484ecc9
Binary files /dev/null and publicsuffix-2019031302/root.hints.sig differ
diff --git publicsuffix-2018091102/root.key publicsuffix-2019031302/root.key
index 956fbbd..e8941ce 100644
--- publicsuffix-2018091102/root.key
+++ publicsuffix-2019031302/root.key
@@ -1,2 +1 @@
-.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
-.	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ]
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
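Review bot: besides dropping the expired key 19036, this hunk changes the TTL on the remaining DNSKEY from 172800 to 86400; that is the change that broke the literal-TTL sed in debian/rules and motivated the cut-based rewrite, so it deserves a sentence in the changelog entry so the TTL change is not mistaken for an accidental edit.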

Attachment: signature.asc
Description: PGP signature


--- End Message ---
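The build-time check dkg describes (derive DS records from root.key, read the validity window from root-anchors.xml, diff the two sets) reconstructed in Python as an added example; this is not code from the dns-root-data package. It takes the two DNSKEY lines from the root.key hunk above and computes the DS digests itself instead of calling ldns-key2ds. The anchor table is constructed to mirror root-anchors.xml: key tag, algorithm, digest type and the validFrom/validUntil dates of key 19036 come from the hunk above, while the digest values of the two historical root KSKs and the validFrom date of key 20326 are filled in as assumptions rather than taken from this page.

```python
"""Reconstruct the dns-root-data build check: DS from root.key vs. root-anchors."""
import base64
import hashlib
import struct
from datetime import datetime, timezone

# DNSKEY public keys as quoted in the bug's root.key hunk.
KEY_19036 = ("AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=")
KEY_20326 = ("AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=")

# root.key as shipped in 2018091102 (both KSKs, TTL 172800) and 2019031302 (20326 only, TTL 86400).
ROOT_KEY_OLD = [
    f".\t172800\tIN\tDNSKEY\t257 3 8 {KEY_20326} ;{{id = 20326 (ksk), size = 2048b}}",
    f".\t172800\tIN\tDNSKEY\t257 3 8 {KEY_19036} ;{{id = 19036 (ksk), size = 2048b}}",
]
ROOT_KEY_NEW = [f".\t86400\tIN\tDNSKEY\t257 3 8 {KEY_20326} ;{{id = 20326 (ksk), size = 2048b}}"]

# Constructed anchor table in the shape parse-root-anchors.sh extracts from root-anchors.xml.
# Digest values and the 20326 validFrom date are assumptions, not taken from the bug report.
ANCHORS = [
    {"tag": 19036, "alg": 8, "dtype": 2,
     "digest": "49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5",
     "from": "2010-07-15T00:00:00+00:00", "until": "2019-01-11T00:00:00+00:00"},
    {"tag": 20326, "alg": 8, "dtype": 2,
     "digest": "e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d",
     "from": "2017-02-02T00:00:00+00:00", "until": None},
]


def utc(year, month, day):
    """Timezone-aware 'build clock' value for the validity-window check."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_dnskey(line):
    """Split one root.key line into (owner, flags, protocol, algorithm, pubkey bytes).

    The TTL field is ignored, so a TTL change (172800 -> 86400) cannot break the check.
    Anything after ';' is a comment (ldns writes the key id and state there).
    """
    fields = line.split(";", 1)[0].split()
    owner, flags, proto, alg = fields[0], int(fields[4]), int(fields[5]), int(fields[6])
    pubkey = base64.b64decode("".join(fields[7:]))
    return owner, flags, proto, alg, pubkey


def wire_name(name):
    """DNS wire-format owner name; the root is a single zero-length label."""
    if name == ".":
        return b"\x00"
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line):
    """DS tuple (key tag, algorithm, digest type 2, lowercase SHA-256 hex) for a DNSKEY line."""
    owner, flags, proto, alg, pubkey = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), alg, 2, digest)


def anchor_status(anchor, now):
    """Mirror the validity-window branch of parse-root-anchors.sh (expiry checked first)."""
    if anchor["until"] and datetime.fromisoformat(anchor["until"]) < now:
        return "expired"
    if anchor["from"] and datetime.fromisoformat(anchor["from"]) > now:
        return "not-yet-valid"
    return "valid"


def compare(anchors, root_key_lines, now):
    """Return (missing, unexpected): anchors valid at `now` but absent from root.key,
    and DS records derived from root.key that no currently valid anchor vouches for."""
    expected = {(a["tag"], a["alg"], a["dtype"], a["digest"])
                for a in anchors if anchor_status(a, now) == "valid"}
    shipped = {ds_from_dnskey(line) for line in root_key_lines}
    return sorted(expected - shipped), sorted(shipped - expected)


if __name__ == "__main__":
    build_day = utc(2019, 3, 24)
    for label, lines in (("2018091102", ROOT_KEY_OLD), ("2019031302", ROOT_KEY_NEW)):
        missing, unexpected = compare(ANCHORS, lines, build_day)
        print(f"{label}: missing={missing} unexpected={[u[0] for u in unexpected]}")
```

Run with a build date after 2019-01-11, the old root.key is flagged for carrying key 19036 that no valid anchor vouches for, and the new one comes out clean, which is exactly the failure the package's `diff -u root-anchors.ds root.ds` step turns into a build error. Unlike the shell script, an unparsable timestamp here raises a ValueError from fromisoformat instead of falling through to "valid".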
--- Begin Message ---
Daniel Kahn Gillmor:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Control: block -1 by 925374 
> Control: affects -1 + src:dns-root-data
> 
> Please unblock package dns-root-data, package version 2019031302.
> 
> [...]
> 
>         --dkg
> 
> unblock dns-root-data/2019031302
> 

Unblocked, thanks.

~Niels

--- End Message ---
