Control: tags -1 + pending

Hi,

> ICANN will roll the DNSSEC root zone KSK in October 2017. DNSSEC-enabled
> resolvers will then stop working unless they have the new key configured
> to be trusted (note that in the default configuration a running BIND will
> learn and store the new key using RFC5011 (managed-keys), but a new
> installation will be broken).
>
> The patch attached is generated by diffing ./bind.keys{.h} from BIND 9.10.3-P4
> to BIND 9.10.5, where the changelog reads
>
> 4564. [maint] Update the built in managed keys to include the
> upcoming root KSK. [RT #44579]
>
> Another way would be Bug#760459, but this will probably be too intrusive for
> jessie and stretch.

I have NMUed 9.10.3.dfsg.P4-12.6 to DELAYED/7 with the attached diff, feel free to cancel/supersede if you start working on bind again.

Note that this also needs to be fixed in Stretch and Jessie (at least), preferably soonish. I'll contact the SRMs about this as soon as the fix reaches testing.

Best Regards,
Bernhard

diff -Nru bind9-9.10.3.dfsg.P4/debian/changelog bind9-9.10.3.dfsg.P4/debian/changelog --- bind9-9.10.3.dfsg.P4/debian/changelog 2017-07-21 22:28:32.000000000 +0200 +++ bind9-9.10.3.dfsg.P4/debian/changelog 2017-08-11 19:10:07.000000000 +0200 @@ -1,3 +1,10 @@ +bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium + + * Non-maintainer upload. + * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794) + + -- Bernhard Schmidt <be...@debian.org> Fri, 11 Aug 2017 19:10:07 +0200 + bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium * Non-maintainer upload. diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/860794-new-dnssec-keys.patch bind9-9.10.3.dfsg.P4/debian/patches/860794-new-dnssec-keys.patch --- bind9-9.10.3.dfsg.P4/debian/patches/860794-new-dnssec-keys.patch 1970-01-01 01:00:00.000000000 +0100 +++ bind9-9.10.3.dfsg.P4/debian/patches/860794-new-dnssec-keys.patch 2017-08-11 19:10:07.000000000 +0200 
@@ -0,0 +1,266 @@ +From: Bernhard Schmidt <be...@debian.org> +Subject: Add upcoming DNSSEC KSK-2017 root key + . + 4564. [maint] Update the built in managed keys to include the + upcoming root KSK. [RT #44579] +Origin: upstream, diff between 9.10.3-P4 and 9.10.5 +Bug: https://bugs.isc.org/Public/Bug/Display.html?id=44579 +Bug-Debian: https://bugs.debian.org/860794 +Forwarded: not-needed + +--- bind9-9.10.3.dfsg.P4/bind.keys 2016-02-29 01:29:06.000000000 +0100 ++++ bind-9.10.5/bind.keys 2017-04-14 05:54:11.000000000 +0200 +@@ -1,4 +1,3 @@ +-/* $Id: bind.keys,v 1.7 2011/01/03 23:45:07 each Exp $ */ + # The bind.keys file is used to override the built-in DNSSEC trust anchors + # which are included as part of BIND 9. As of the current release, the only + # trust anchors it contains are those for the DNS root zone ("."), and for +@@ -15,32 +14,56 @@ + # + # This file is NOT expected to be user-configured. + # +-# These keys are current as of January 2011. If any key fails to ++# These keys are current as of Feburary 2017. If any key fails to + # initialize correctly, it may have expired. In that event you should + # replace this file with a current version. The latest version of + # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. + + managed-keys { +- # ISC DLV: See https://www.isc.org/solutions/dlv for details. +- # NOTE: This key is activated by setting "dnssec-lookaside auto;" +- # in named.conf. +- dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 +- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ +- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 +- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk +- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM +- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt +- TDN0YUuWrBNh"; ++ # ISC DLV: See https://www.isc.org/solutions/dlv for details. 
++ # ++ # NOTE: The ISC DLV zone is being phased out as of February 2017; ++ # the key will remain in place but the zone will be otherwise empty. ++ # Configuring "dnssec-lookaside auto;" to activate this key is ++ # harmless, but is no longer useful and is not recommended. ++ dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 ++ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ ++ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ++ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk ++ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM ++ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt ++ TDN0YUuWrBNh"; + +- # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml +- # for current trust anchor information. +- # NOTE: This key is activated by setting "dnssec-validation auto;" ++ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml ++ # for current trust anchor information. ++ # ++ # These keys are activated by setting "dnssec-validation auto;" + # in named.conf. +- . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF +- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX +- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD +- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz +- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS +- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq +- QxA+Uk1ihz0="; ++ # ++ # This key (19036) is to be phased out starting in 2017. It will ++ # remain in the root zone for some time after its successor key ++ # has been added. It will remain this file until it is removed from ++ # the root zone. ++ . 
initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF ++ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX ++ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD ++ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz ++ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS ++ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq ++ QxA+Uk1ihz0="; ++ ++ # This key (20326) is to be published in the root zone in 2017. ++ # Servers which were already using the old key (19036) should ++ # roll seamlessly to this new one via RFC 5011 rollover. Servers ++ # being set up for the first time can use the contents of this ++ # file as initializing keys; thereafter, the keys in the ++ # managed key database will be trusted and maintained ++ # automatically. ++ . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 ++ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ++ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF ++ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e ++ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd ++ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN ++ R1AkUTV74bU="; + }; +--- bind9-9.10.3.dfsg.P4/bind.keys.h 2016-02-29 01:29:06.000000000 +0100 ++++ bind-9.10.5/bind.keys.h 2017-04-14 05:54:11.000000000 +0200 +@@ -1,7 +1,3 @@ +-/* +- * Generated by bindkeys.pl 1.7 2011/01/04 23:47:13 tbox Exp +- * From bind.keys 1.7 2011/01/03 23:45:07 each Exp +- */ + #define TRUSTED_KEYS "\ + # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\ + # which are included as part of BIND 9. As of the current release, the only\n\ +@@ -19,34 +15,58 @@ + #\n\ + # This file is NOT expected to be user-configured.\n\ + #\n\ +-# These keys are current as of January 2011. If any key fails to\n\ ++# These keys are current as of Feburary 2017. If any key fails to\n\ + # initialize correctly, it may have expired. 
In that event you should\n\ + # replace this file with a current version. The latest version of\n\ + # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ + \n\ + trusted-keys {\n\ +- # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ +- # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\ +- # in named.conf.\n\ +- dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ +- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ +- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ +- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ +- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ +- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ +- TDN0YUuWrBNh\";\n\ +-\n\ +- # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\ +- # for current trust anchor information.\n\ +- # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\ ++ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ ++ #\n\ ++ # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\ ++ # the key will remain in place but the zone will be otherwise empty.\n\ ++ # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\ ++ # harmless, but is no longer useful and is not recommended.\n\ ++ dlv.isc.org. 
257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ ++ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ ++ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ ++ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ ++ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ ++ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ ++ TDN0YUuWrBNh\";\n\ ++\n\ ++ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\ ++ # for current trust anchor information.\n\ ++ #\n\ ++ # These keys are activated by setting \"dnssec-validation auto;\"\n\ + # in named.conf.\n\ +- . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ +- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ +- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ +- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ +- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ +- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ +- QxA+Uk1ihz0=\";\n\ ++ #\n\ ++ # This key (19036) is to be phased out starting in 2017. It will\n\ ++ # remain in the root zone for some time after its successor key\n\ ++ # has been added. It will remain this file until it is removed from\n\ ++ # the root zone.\n\ ++ . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ ++ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ ++ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ ++ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ ++ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ ++ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ ++ QxA+Uk1ihz0=\";\n\ ++\n\ ++ # This key (20326) is to be published in the root zone in 2017.\n\ ++ # Servers which were already using the old key (19036) should\n\ ++ # roll seamlessly to this new one via RFC 5011 rollover. 
Servers\n\ ++ # being set up for the first time can use the contents of this\n\ ++ # file as initializing keys; thereafter, the keys in the\n\ ++ # managed key database will be trusted and maintained\n\ ++ # automatically.\n\ ++ . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\ ++ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\ ++ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\ ++ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\ ++ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\ ++ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\ ++ R1AkUTV74bU=\";\n\ + };\n\ + " + +@@ -67,33 +87,57 @@ + #\n\ + # This file is NOT expected to be user-configured.\n\ + #\n\ +-# These keys are current as of January 2011. If any key fails to\n\ ++# These keys are current as of Feburary 2017. If any key fails to\n\ + # initialize correctly, it may have expired. In that event you should\n\ + # replace this file with a current version. The latest version of\n\ + # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\ + \n\ + managed-keys {\n\ +- # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ +- # NOTE: This key is activated by setting \"dnssec-lookaside auto;\"\n\ +- # in named.conf.\n\ +- dlv.isc.org. 
initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ +- brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ +- 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ +- ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ +- Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ +- QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ +- TDN0YUuWrBNh\";\n\ +-\n\ +- # ROOT KEY: See https://data.iana.org/root-anchors/root-anchors.xml\n\ +- # for current trust anchor information.\n\ +- # NOTE: This key is activated by setting \"dnssec-validation auto;\"\n\ ++ # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\ ++ #\n\ ++ # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\ ++ # the key will remain in place but the zone will be otherwise empty.\n\ ++ # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\ ++ # harmless, but is no longer useful and is not recommended.\n\ ++ dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\ ++ brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\ ++ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\ ++ ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\ ++ Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\ ++ QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\ ++ TDN0YUuWrBNh\";\n\ ++\n\ ++ # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\ ++ # for current trust anchor information.\n\ ++ #\n\ ++ # These keys are activated by setting \"dnssec-validation auto;\"\n\ + # in named.conf.\n\ +- . 
initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ +- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ +- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ +- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ +- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ +- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ +- QxA+Uk1ihz0=\";\n\ ++ #\n\ ++ # This key (19036) is to be phased out starting in 2017. It will\n\ ++ # remain in the root zone for some time after its successor key\n\ ++ # has been added. It will remain this file until it is removed from\n\ ++ # the root zone.\n\ ++ . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\ ++ FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\ ++ bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\ ++ X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\ ++ W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\ ++ Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\ ++ QxA+Uk1ihz0=\";\n\ ++\n\ ++ # This key (20326) is to be published in the root zone in 2017.\n\ ++ # Servers which were already using the old key (19036) should\n\ ++ # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\ ++ # being set up for the first time can use the contents of this\n\ ++ # file as initializing keys; thereafter, the keys in the\n\ ++ # managed key database will be trusted and maintained\n\ ++ # automatically.\n\ ++ . 
initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\ ++ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\ ++ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\ ++ 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e\n\ ++ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\ ++ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\ ++ R1AkUTV74bU=\";\n\ + };\n\ + " diff -Nru bind9-9.10.3.dfsg.P4/debian/patches/series bind9-9.10.3.dfsg.P4/debian/patches/series --- bind9-9.10.3.dfsg.P4/debian/patches/series 2017-07-21 22:28:32.000000000 +0200 +++ bind9-9.10.3.dfsg.P4/debian/patches/series 2017-08-11 19:10:07.000000000 +0200 @@ -32,3 +32,5 @@ CVE-2017-3138.patch CVE-2017-3142+CVE-2017-3143.patch 4647.-bug-Change-4643-broke-verification-of-TSIG-sig.patch + +860794-new-dnssec-keys.patch
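
Review bot: in the bind.keys hunk `@@ -15,32 +14,56 @@`, the added `. initial-key 257 3 8` entry commented as key 20326 is new trust-anchor material, but the DEP-3 header documents only `Origin: upstream, diff between 9.10.3-P4 and 9.10.5`. Please add a line to the patch header or the changelog stating that the key was compared against https://data.iana.org/root-anchors/root-anchors.xml, the source the file's own comment names. The dlv.isc.org and 19036 entries are removed and re-added with the same key text, so 20326 should be the only new key data; saying so explicitly makes the upload easier to check for the stable updates.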
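
Review bot: the bind.keys.h hunks remove the `Generated by bindkeys.pl` header and patch the `trusted-keys` and `managed-keys` strings directly, so nothing in the package records that bind.keys.h has to carry the same keys as bind.keys. Both blocks do receive the 20326 entry in the visible lines, which is what a fresh installation depends on; a sentence in the patch header saying that the two files were updated together, and must stay in step on any later key change, would cover this.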
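
Review bot: the debian/changelog entry `Import upcoming DNSSEC KSK-2017 from 9.10.5` understates what the imported diff changes: it also rewrites the ISC DLV comment, drops the `$Id` and generator headers, and changes the "current as of" date. Either mention these in the entry or trim the patch to the 20326 key addition, which would suit the Jessie and Stretch fixes mentioned in the mail. If the upstream comment text is kept verbatim, note that it carries the typos `Feburary` and `It will remain this file`.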
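
Review bot: the debian/patches/series hunk `@@ -32,3 +32,5 @@` adds an empty line before `860794-new-dnssec-keys.patch`. It is harmless, but the entries above it are listed without gaps, so drop the blank line to keep the file uniform.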