[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#925351: marked as done (stretch-pu: package dns-root-data/2019031302~deb9u1)

Your message dated Sat, 27 Apr 2019 11:14:32 +0100
with message-id <1556360072.2690.35.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 9.9
has caused the Debian Bug report #925351,
regarding stretch-pu: package dns-root-data/2019031302~deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925351
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu
Control: affects -1 src:dns-root-data

Please consider an update to dns-root-data in debian stretch.

This package reflects the state of the network, and keeping it current
is useful for all the packages that depend on it.  In particular, it
removes a DNSSEC root key that is expired.

For future DNSSEC root key rollovers, we should do something better than
a package upgrade (see https://bugs.debian.org/925349) but for now this
is the least restrictive change.

The debdiff from the previous version in stretch is attached.

This proposed release is also available at the
"debian/2019031302_deb9u1" tag on the "debian/stretch" branch at
the git repo for dns-root-data packaging:

    https://salsa.debian.org/dns-team/dns-root-data

Please followup on this ticket to confirm whether I should upload this
revision to stretch.

Thanks for helping to maintain debian's stable release!

       --dkg


diff --git publicsuffix-2017072601~deb9u1/debian/changelog publicsuffix-2019031302~deb9u1/debian/changelog
index 036aebe..660bdd3 100644
--- publicsuffix-2017072601~deb9u1/debian/changelog
+++ publicsuffix-2019031302~deb9u1/debian/changelog
@@ -1,3 +1,19 @@
+dns-root-data (2019031302~deb9u1) stretch; urgency=medium
+
+  * Rebuild for stretch-backports.
+  * d/control: move Vcs-* to salsa.debian.org
+  * d/control: use dns-root-data@packages.debian.org as Maintainer
+  * sort generated .ds files by key tag
+  * Update root.hints to 2018013001
+  * Update order of root.key to follow output of unbound-anchor
+  * use DEP-14 branches
+  * update root data to 2019031302
+  * parse-root-anchors.sh: account for validity windows
+  * check: deliberately skip the TTL generated by ldns-key2ds
+  * add myself to uploaders
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>  Sat, 23 Mar 2019 15:43:27 +0100
+
 dns-root-data (2017072601~deb9u1) stretch; urgency=high
 
   * Update root.hints to 2017072601 version
diff --git publicsuffix-2017072601~deb9u1/debian/control publicsuffix-2019031302~deb9u1/debian/control
index 8413872..bd0ab25 100644
--- publicsuffix-2017072601~deb9u1/debian/control
+++ publicsuffix-2019031302~deb9u1/debian/control
@@ -1,8 +1,9 @@
 Source: dns-root-data
 Section: misc
 Priority: optional
-Maintainer: Debian DNS Maintainers <pkg-dns-devel@lists.alioth.debian.org>
+Maintainer: dns-root-data packagers <dns-root-data@packages.debian.org>
 Uploaders: Ondřej Surý <ondrej@debian.org>,
+           Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
 	   Robert Edmonds <edmonds@debian.org>
 Build-Depends: debhelper (>= 8.0.0),
 	       unbound-anchor,
@@ -11,8 +12,8 @@ Build-Depends: debhelper (>= 8.0.0),
 	       xml2
 Standards-Version: 3.9.6
 Homepage: https://data.iana.org/root-anchors/
-Vcs-Git: git://git.debian.org/pkg-dns/dns-root-data.git
-Vcs-Browser: http://git.debian.org/?p=pkg-dns/dns-root-data.git;a=summary
+Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git -b debian/stretch
+Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
 
 Package: dns-root-data
 Architecture: all
diff --git publicsuffix-2017072601~deb9u1/debian/gbp.conf publicsuffix-2019031302~deb9u1/debian/gbp.conf
index 3b27f6d..9453f5b 100644
--- publicsuffix-2017072601~deb9u1/debian/gbp.conf
+++ publicsuffix-2019031302~deb9u1/debian/gbp.conf
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch = master-stretch
+debian-branch = debian/stretch
diff --git publicsuffix-2017072601~deb9u1/debian/rules publicsuffix-2019031302~deb9u1/debian/rules
index b697fc0..453b594 100755
--- publicsuffix-2017072601~deb9u1/debian/rules
+++ publicsuffix-2019031302~deb9u1/debian/rules
@@ -15,13 +15,13 @@ override_dh_auto_build:
 	openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
 
 	# Create key from validated root-anchors.xml
-	./parse-root-anchors.sh < root-anchors.xml > root-anchors.ds
+	./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
 	# Create key from downloaded root.key
-	/usr/bin/ldns-key2ds -n -2 root.key | sed -e 's/\t/ /g' -e 's/ 172800//' > root.ds
+	/usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
 
 	# Compare the DS from root.key and from root-anchors.xml
-	diff root-anchors.ds root.ds
+	diff -u root-anchors.ds root.ds
 
 override_dh_auto_clean:
 	rm -f root-anchors.ds root.ds
diff --git publicsuffix-2017072601~deb9u1/parse-root-anchors.sh publicsuffix-2019031302~deb9u1/parse-root-anchors.sh
index 4281534..eb1696b 100755
--- publicsuffix-2017072601~deb9u1/parse-root-anchors.sh
+++ publicsuffix-2019031302~deb9u1/parse-root-anchors.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-unset ZONE KTAG ALGO DTYPE DIGEST
+unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 
 export IFS="="
 xml2 | while read -r KEY VAL; do
@@ -9,14 +9,22 @@ xml2 | while read -r KEY VAL; do
 	"/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
 	"/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
 	"/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+	"/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";;
+	"/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";;
 	"/TrustAnchor/KeyDigest/Digest")
 	    DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")"
 	    if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then
 		echo "Missing some KeyDigest parameter"
 		exit 1
 	    fi
-	    printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
-	    unset KTAG ALGO DTYPE DIGEST
+            if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then
+                printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2
+            elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then
+                printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2
+            else
+	        printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST"
+            fi
+	    unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS
 	    ;;
     esac
 done
diff --git publicsuffix-2017072601~deb9u1/root-anchors.p7s publicsuffix-2019031302~deb9u1/root-anchors.p7s
index ee06fe5..ff40c7a 100644
Binary files publicsuffix-2017072601~deb9u1/root-anchors.p7s and publicsuffix-2019031302~deb9u1/root-anchors.p7s differ
diff --git publicsuffix-2017072601~deb9u1/root-anchors.xml publicsuffix-2019031302~deb9u1/root-anchors.xml
index bf84089..3536f08 100644
--- publicsuffix-2017072601~deb9u1/root-anchors.xml
+++ publicsuffix-2019031302~deb9u1/root-anchors.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2" source="http://data.iana.org/root-anchors/root-anchors.xml";>
+<TrustAnchor id="380DC50D-484E-40D0-A3AE-68F2B18F61C7" source="http://data.iana.org/root-anchors/root-anchors.xml";>
 <Zone>.</Zone>
-<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
+<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
 <KeyTag>19036</KeyTag>
 <Algorithm>8</Algorithm>
 <DigestType>2</DigestType>
diff --git publicsuffix-2017072601~deb9u1/root.hints publicsuffix-2019031302~deb9u1/root.hints
index 86cd815..cfb7094 100644
--- publicsuffix-2017072601~deb9u1/root.hints
+++ publicsuffix-2019031302~deb9u1/root.hints
@@ -9,8 +9,8 @@
 ;           on server           FTP.INTERNIC.NET
 ;       -OR-                    RS.INTERNIC.NET
 ; 
-;       last update:     July 26, 2017 
-;       related version of root zone:     2017072601
+;       last update:     March 13, 2019 
+;       related version of root zone:     2019031302
 ; 
 ; FORMERLY NS.INTERNIC.NET 
 ;
@@ -21,7 +21,7 @@ A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
 ; FORMERLY NS1.ISI.EDU 
 ;
 .                        3600000      NS    B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
 B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
 ; 
 ; FORMERLY C.PSI.NET 
diff --git publicsuffix-2017072601~deb9u1/root.key publicsuffix-2019031302~deb9u1/root.key
index af563d6..e8941ce 100644
--- publicsuffix-2017072601~deb9u1/root.key
+++ publicsuffix-2019031302~deb9u1/root.key
@@ -1,2 +1 @@
-.	172800	IN	DNSKEY	257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ]
-.	172800	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
+.	86400	IN	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message --- 
Version: 9.9

Hi,

The update referenced by each of these bugs was included in this
morning's stretch point release.

Regards,

Adam

--- End Message ---
Reply to: