Your message dated Sun, 24 Mar 2019 14:47:00 +0000 with message-id <0b35c97d-7605-1f9f-75aa-723da1d7b3f4@thykier.net> and subject line Re: Bug#925376: unblock: dns-root-data/2019031302 has caused the Debian Bug report #925376, regarding unblock: dns-root-data/2019031302 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
925376: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925376
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: dns-root-data/2019031302
- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
- Date: Sat, 23 Mar 2019 23:34:18 +0100
- Message-id: <87ef6xjk45.fsf@fifthhorseman.net>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Control: block -1 by 925374
Control: affects -1 + src:dns-root-data

Please unblock package dns-root-data, package version 2019031302.

This closes serious bug #925374 ("dns-root-data: ships an obsolete root zone signing key"), which notes that the older versions of dns-root-data ship with a root key that is now expired. This is not the absolute worst thing, because they *also* ship with the functional, current root key. But it is not a good idea to leave this sort of thing lying around, and we probably don't want to release it in buster.

The debdiff between 2018091102 and 2019031302 is attached. It's a bit more complex than just dropping the keys from the distributed files, because it includes a few extra verification steps during package build, and accounts for the validity window described in IANA's root-anchors.xml. The binary diff is actually much smaller :)

To properly avoid this sort of delay for future planned rollovers/transitions, I think we need marginally more sophisticated binary packages, which I've started a discussion on in #925349. But that work isn't relevant directly for the upcoming buster release.

Thanks for your work on Debian buster, and sorry for the extra unblock hassle here,

--dkg

unblock dns-root-data/2019031302

diff --git publicsuffix-2018091102/debian/changelog publicsuffix-2019031302/debian/changelog index 68800a6..8a4a8b3 100644 --- publicsuffix-2018091102/debian/changelog +++ publicsuffix-2019031302/debian/changelog 
@@ -1,3 +1,15 @@ +dns-root-data (2019031302) unstable; urgency=medium + + * cryptographically verify root.hints + * get_orig_source: refresh root-anchors.{xml,p7s} as well + * update root data to 2019031302 + * standards-version: bump to 4.3.0 (no changes needed) + * parse-root-anchors.sh: account for validity windows + * check: deliberately skip the TTL generated by ldns-key2ds + * dns-root-data is Multi-Arch: foreign + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 23 Mar 2019 15:33:17 +0100 + dns-root-data (2018091102) unstable; urgency=medium * new upstream version of root.hints, 2018091102 diff --git publicsuffix-2018091102/debian/control publicsuffix-2019031302/debian/control index 940e507..7295849 100644 --- publicsuffix-2018091102/debian/control +++ publicsuffix-2019031302/debian/control @@ -8,11 +8,12 @@ Uploaders: Robert Edmonds <edmonds@debian.org>, Build-Depends: debhelper (>= 11~), + gpgv, ldnsutils, openssl, unbound-anchor, xml2, -Standards-Version: 4.2.1 +Standards-Version: 4.3.0 Homepage: https://data.iana.org/root-anchors/ Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data @@ -20,6 +21,7 @@ Rules-Requires-Root: no Package: dns-root-data Architecture: all +Multi-Arch: foreign Depends: ${misc:Depends}, Description: DNS root data including root zone and DNSSEC key diff --git publicsuffix-2018091102/debian/rules publicsuffix-2019031302/debian/rules index 3c46b59..5fe3d9a 100755 --- publicsuffix-2018091102/debian/rules +++ publicsuffix-2019031302/debian/rules 
@@ -14,11 +14,14 @@ override_dh_auto_build: # Verify root-anchors.xml using OpenSSL openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml + # Verify root.hints + gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints + # Create key from validated root-anchors.xml ./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds # Create key from downloaded root.key - /usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' | sort -k 4 -n > root.ds + /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds # Compare the DS from root.key and from root-anchors.xml diff -u root-anchors.ds root.ds @@ -35,3 +38,7 @@ get_orig_source: < $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key rm $(CURDIR)/root-auto.key wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root" + wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig" + # get root-anchors.xml and root-anchors.p7s as well + wget -O $(CURDIR)/root-anchors.xml 'http://data.iana.org/root-anchors/root-anchors.xml' + wget -O $(CURDIR)/root-anchors.p7s 'http://data.iana.org/root-anchors/root-anchors.p7s' diff --git publicsuffix-2018091102/parse-root-anchors.sh publicsuffix-2019031302/parse-root-anchors.sh index 4281534..eb1696b 100755 --- publicsuffix-2018091102/parse-root-anchors.sh +++ publicsuffix-2019031302/parse-root-anchors.sh @@ -1,6 +1,6 @@ #!/bin/sh -unset ZONE KTAG ALGO DTYPE DIGEST +unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS export IFS="=" xml2 | while read -r KEY VAL; do 
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do "/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";; "/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";; "/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";; + "/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";; + "/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";; "/TrustAnchor/KeyDigest/Digest") DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")" if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then echo "Missing some KeyDigest parameter" exit 1 fi - printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST" - unset KTAG ALGO DTYPE DIGEST + if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then + printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2 + elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then + printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2 + else + printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST" + fi + unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS ;; esac done diff --git publicsuffix-2018091102/registry-admin.key publicsuffix-2019031302/registry-admin.key new file mode 100644 index 0000000..9c0fb78 Binary files /dev/null and publicsuffix-2019031302/registry-admin.key differ diff --git publicsuffix-2018091102/root-anchors.p7s publicsuffix-2019031302/root-anchors.p7s index ee06fe5..ff40c7a 100644 Binary files publicsuffix-2018091102/root-anchors.p7s and publicsuffix-2019031302/root-anchors.p7s differ diff --git publicsuffix-2018091102/root-anchors.xml publicsuffix-2019031302/root-anchors.xml index bf84089..3536f08 100644 --- publicsuffix-2018091102/root-anchors.xml +++ publicsuffix-2019031302/root-anchors.xml 
@@ -1,7 +1,7 @@ <?xml version="1.0" encoding="UTF-8"?> -<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml"> +<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml"> <Zone>.</Zone> -<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00"> +<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00"> <KeyTag>19036</KeyTag> <Algorithm>8</Algorithm> <DigestType>2</DigestType> diff --git publicsuffix-2018091102/root.hints publicsuffix-2019031302/root.hints index 3c7d257..cfb7094 100644 --- publicsuffix-2018091102/root.hints +++ publicsuffix-2019031302/root.hints @@ -9,8 +9,8 @@ ; on server FTP.INTERNIC.NET ; -OR- RS.INTERNIC.NET ; -; last update: September 11, 2018 -; related version of root zone: 2018091102 +; last update: March 13, 2019 +; related version of root zone: 2019031302 ; ; FORMERLY NS.INTERNIC.NET ; diff --git publicsuffix-2018091102/root.hints.sig publicsuffix-2019031302/root.hints.sig new file mode 100644 index 0000000..484ecc9 Binary files /dev/null and publicsuffix-2019031302/root.hints.sig differ diff --git publicsuffix-2018091102/root.key publicsuffix-2019031302/root.key index 956fbbd..e8941ce 100644 --- publicsuffix-2018091102/root.key +++ publicsuffix-2019031302/root.key 
@@ -1,2 +1 @@ -. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] -. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [ VALID ] +. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]Attachment: signature.asc
Description: PGP signature
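Review bot: the new `gpgv --keyring $(CURDIR)/registry-admin.key` line in the override_dh_auto_build hunk verifies root.hints against a keyring that this debdiff adds as an opaque binary (registry-admin.key) with nothing recording where that key was obtained or which fingerprint it is expected to carry; a short comment in debian/rules or a README note with the key's origin and fingerprint would let the next uploader re-check the keyring rather than trust the checked-in blob. The `cut --fields=1,3- --output-delimiter=' '` replacement for `sed -e 's/ 172800//'` is the right fix: the old expression matched a literal TTL and would have stopped matching once root.key moved to `86400` (visible in the root.key hunk), while dropping column 2 works for any TTL, which is what the changelog's "deliberately skip the TTL generated by ldns-key2ds" entry describes. The adjacent context line `openssl smime -verify -noverify` is unchanged here, but worth a comment: `-noverify` checks the signature against the certificate embedded in root-anchors.p7s without chaining that certificate to any trust anchor, so the XML check establishes integrity relative to the embedded signer only.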
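Review bot: the two new wget lines in the get_orig_source hunk fetch root-anchors.xml and root-anchors.p7s over plain `http://data.iana.org/root-anchors/...`, while the neighbouring root.hints and root.hints.sig fetches use https://www.internic.net and the control file's Homepage already points at https://data.iana.org/root-anchors/; switching these two URLs to https keeps transport integrity from resting solely on the `-noverify` smime check that runs later in the build.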
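Review bot: the validity-window check added in the parse-root-anchors.sh hunk compares validFrom/validUntil against the wall clock (`date +%s`) at build time, so the content of root-anchors.ds, and with it whether the `diff -u root-anchors.ds root.ds` step passes, depends on when the package is built rather than on the source alone; consider honouring SOURCE_DATE_EPOCH when it is set (for example `NOW="${SOURCE_DATE_EPOCH:-$(date +%s)}"` and comparing against `$NOW`) so the build is reproducible. Note also that an expired or not-yet-valid digest is only reported on stderr and then omitted, so the script itself still exits 0; the mismatch is caught only later by the diff against root.ds, and a comment saying that the diff step is the intended failure point would make the control flow clearer for the next reader.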
--- End Message ---
--- Begin Message ---
- To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 925376-done@bugs.debian.org
- Subject: Re: Bug#925376: unblock: dns-root-data/2019031302
- From: Niels Thykier <niels@thykier.net>
- Date: Sun, 24 Mar 2019 14:47:00 +0000
- Message-id: <0b35c97d-7605-1f9f-75aa-723da1d7b3f4@thykier.net>
- In-reply-to: <87ef6xjk45.fsf@fifthhorseman.net>
- References: <87ef6xjk45.fsf@fifthhorseman.net>
Daniel Kahn Gillmor:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Control: block -1 by 925374
> Control: affects -1 + src:dns-root-data
>
> Please unblock package dns-root-data, package version 2019031302.
>
> [...]
>
> --dkg
>
> unblock dns-root-data/2019031302
>

Unblocked, thanks.

~Niels
--- End Message ---