Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian....@packages.debian.org
Usertags: pu
Control: affects -1 dns-root-data
Control: blocks 877683 -1
the version of dns-root-data in jessie (2017072601~deb8u1) only ships
one entry in /usr/share/root.ds. see https://bugs.debian.org/877683
I've cherry-picked a few changes from the master branch which
accomodate the new situation at ICANN and use a different toolchain to
produce root.ds that can handle multiple keys. This should probably
go into jessie sooner rather than later, though we have a bit of a
reprieve since the root key rollover has been postponed for the moment.
You can see that work on the master-jessie branch at
https://anonscm.debian.org/git/pkg-dns/dns-root-data.git
I'm attaching the debdiff here as well.
--dkg
-- System Information:
Debian Release: buster/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (500, 'oldstable'),
(200, 'unstable-debug'), (200, 'unstable'), (1, 'experimental-debug'), (1,
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru dns-root-data-2017072601~deb8u1/debian/changelog
dns-root-data-2017072601~deb8u2/debian/changelog
--- dns-root-data-2017072601~deb8u1/debian/changelog 2017-08-23
03:09:51.000000000 -0400
+++ dns-root-data-2017072601~deb8u2/debian/changelog 2017-10-19
18:27:04.000000000 -0400
@@ -1,3 +1,15 @@
+dns-root-data (2017072601~deb8u2) jessie-updates; urgency=medium
+
+ [ Ondřej Surý ]
+ * Update IANA DNSSEC files to 2017-02-02 versions
+ * Strip the GPG verification (IANA doesn't provide it anymore)
+ * Rewrite DS creation check (Closes: #877683)
+
+ [ Daniel Kahn Gillmor ]
+ * added myself to uploaders
+
+ -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Thu, 19 Oct 2017 18:25:06
-0400
+
dns-root-data (2017072601~deb8u1) jessie; urgency=high
* Add KSK-2017 to root.key file
diff -Nru dns-root-data-2017072601~deb8u1/debian/control
dns-root-data-2017072601~deb8u2/debian/control
--- dns-root-data-2017072601~deb8u1/debian/control 2017-08-23
03:09:51.000000000 -0400
+++ dns-root-data-2017072601~deb8u2/debian/control 2017-10-19
18:19:07.000000000 -0400
@@ -2,13 +2,13 @@
Section: misc
Priority: optional
Maintainer: Ondřej Surý <ond...@debian.org>
-Uploaders: Robert Edmonds <edmo...@debian.org>
+Uploaders: Robert Edmonds <edmo...@debian.org>,
+ Daniel Kahn Gillmor <d...@fifthhorseman.net>
Build-Depends: debhelper (>= 8.0.0),
unbound-anchor,
openssl,
- gnupg2,
- bind9utils,
- libxml2-utils
+ ldnsutils,
+ xml2
Standards-Version: 3.9.5
Homepage: https://data.iana.org/root-anchors/
#Vcs-Git: git://git.debian.org/collab-maint/dns-root-data.git
diff -Nru dns-root-data-2017072601~deb8u1/debian/rules
dns-root-data-2017072601~deb8u2/debian/rules
--- dns-root-data-2017072601~deb8u1/debian/rules 2017-08-23
03:09:51.000000000 -0400
+++ dns-root-data-2017072601~deb8u2/debian/rules 2017-10-19
18:19:07.000000000 -0400
@@ -14,25 +14,11 @@
# Verify root-anchors.xml using OpenSSL
openssl smime -verify -noverify -inform DER -in root-anchors.p7s
-content root-anchors.xml
- # Verify root-anchors.xml using OpenPGP
- mkdir -m 0700 -p $(CURDIR)/.gnupg/
- GNUPGHOME=$(CURDIR)/.gnupg/ gpg2 --quiet --import $(CURDIR)/icann.pgp
- echo "2FBB91BCAAEE0ABE1F8031C7D1AFBCE00F6C91D2:6:" | \
- GNUPGHOME=$(CURDIR)/.gnupg/ gpg2 --quiet --import-ownertrust
- GNUPGHOME=$(CURDIR)/.gnupg/ gpg2 --quiet --verify root-anchors.asc
root-anchors.xml
- rm -rf .gnupg/
-
# Create key from validated root-anchors.xml
- echo \
- "$$(xmllint --xpath '//TrustAnchor/Zone/text()' root-anchors.xml) IN
DS" \
- "$$(xmllint --xpath '//TrustAnchor/KeyDigest/KeyTag/text()'
root-anchors.xml)" \
- "$$(xmllint --xpath '//TrustAnchor/KeyDigest/Algorithm/text()'
root-anchors.xml)" \
- "$$(xmllint --xpath '//TrustAnchor/KeyDigest/DigestType/text()'
root-anchors.xml)" \
- "$$(xmllint --xpath '//TrustAnchor/KeyDigest/Digest/text()'
root-anchors.xml)" > \
- root-anchors.ds
+ ./parse-root-anchors.sh < root-anchors.xml > root-anchors.ds
# Create key from downloaded root.key
- /usr/sbin/dnssec-dsfromkey -2 root.key > root.ds
+ /usr/bin/ldns-key2ds -n -2 root.key > root.ds
# Compare the DS from root.key and from root-anchors.xml
diff root-anchors.ds root.ds
diff -Nru dns-root-data-2017072601~deb8u1/icannbundle.pem
dns-root-data-2017072601~deb8u2/icannbundle.pem
--- dns-root-data-2017072601~deb8u1/icannbundle.pem 2017-08-23
03:09:51.000000000 -0400
+++ dns-root-data-2017072601~deb8u2/icannbundle.pem 2017-10-19
18:19:07.000000000 -0400
@@ -78,92 +78,12 @@
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 2 (0x2)
+ Serial Number: 11 (0xb)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA,
C=US
Validity
- Not Before: Dec 23 04:45:04 2009 GMT
- Not After : Dec 22 04:45:04 2014 GMT
- Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dns...@icann.org
- Subject Public Key Info:
- Public Key Algorithm: rsaEncryption
- RSA Public Key: (2048 bit)
- Modulus (2048 bit):
- 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64:
- 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e:
- 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c:
- 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25:
- b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a:
- b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87:
- b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59:
- 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6:
- f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be:
- 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70:
- 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45:
- 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a:
- c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d:
- 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6:
- e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7:
- 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03:
- 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6:
- e9:05
- Exponent: 65537 (0x10001)
- X509v3 extensions:
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Key Usage: critical
- Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment, Key Agreement, Certificate Sign, CRL Sign
- X509v3 Authority Key Identifier:
-
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
-
- X509v3 Subject Key Identifier:
- 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22
- Signature Algorithm: sha256WithRSAEncryption
- 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45:
- 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15:
- d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33:
- f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c:
- f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75:
- e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd:
- 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73:
- 4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13:
- cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20:
- 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb:
- 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79:
- c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e:
- a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2:
- 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48:
- e5:8d:06:73
------BEGIN CERTIFICATE-----
-MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
-TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX
-DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O
-IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ
-JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7
-YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI
-aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F
-SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd
-OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA
-AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw
-FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA
-pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI
-89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN
-+pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE
-UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ
-bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP
-oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz
------END CERTIFICATE-----
-Certificate:
- Data:
- Version: 3 (0x2)
- Serial Number: 6 (0x6)
- Signature Algorithm: sha256WithRSAEncryption
- Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA,
C=US
- Validity
- Not Before: Dec 23 05:21:16 2009 GMT
- Not After : Dec 22 05:21:16 2014 GMT
+ Not Before: Nov 8 23:39:47 2016 GMT
+ Not After : Nov 6 23:39:47 2026 GMT
Subject: O=ICANN, CN=ICANN EMAIL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -192,33 +112,33 @@
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
- Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment, Key Agreement, Certificate Sign, CRL Sign
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
Signature Algorithm: sha256WithRSAEncryption
- 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf:
- b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76:
- 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b:
- 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7:
- 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd:
- 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb:
- 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32:
- c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a:
- 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43:
- a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3:
- d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94:
- 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed:
- 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0:
- 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed:
- ed:42:eb:2f
+ 0e:8a:c9:ea:6f:9c:e9:23:b6:9c:a6:a4:c2:d1:b1:ee:25:18:
+ 24:2b:79:d4:a8:f2:99:b9:5c:91:4d:e6:2b:32:2e:01:f5:87:
+ 95:64:fc:6d:f1:87:fa:24:b4:43:4b:49:f3:84:54:44:eb:af:
+ 41:ab:49:ab:c8:b7:32:6c:14:83:5b:d7:2c:41:f9:89:d5:c4:
+ 2b:9a:55:c5:b6:ad:17:d5:4d:bc:41:58:56:72:0d:db:b7:7d:
+ 57:c6:a2:9c:7e:6b:67:ae:26:f8:26:45:bb:c4:95:2e:ea:71:
+ e3:b4:7a:69:95:a4:8a:80:f8:59:dc:88:6e:e1:a7:fc:bb:8e:
+ b2:aa:a8:b6:1b:2f:2c:97:a5:12:d5:82:ae:a0:e8:a6:15:fd:
+ d1:e0:5d:e4:84:b1:76:db:0a:e2:ca:58:2e:d3:df:48:4e:46:
+ ac:c6:35:79:17:99:ce:e9:be:2c:e4:c2:50:ff:5b:96:15:cd:
+ 64:ac:1b:db:fe:d2:ac:43:61:c8:5f:ee:24:b6:a4:3b:d2:ff:
+ 0a:f4:0c:88:58:a1:9d:a4:c1:1f:6a:6c:67:90:98:e8:1f:5e:
+ 2d:55:60:91:26:2a:b1:66:80:e4:e6:0e:05:2c:75:a9:ca:0b:
+ e4:a0:8f:e1:47:a8:8f:61:5d:7c:ce:09:60:88:48:c3:46:bf:
+ be:7e:36:be
-----BEGIN CERTIFICATE-----
-MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+MIIDZDCCAkygAwIBAgIBCzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX
-DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzk0N1oX
+DTI2MTEwNjIzMzk0N1owKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O
IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz
9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3
jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6
@@ -226,24 +146,24 @@
ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK
VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI
QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
-AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
-ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj
-vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK
-TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7
-06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL
-aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68
-y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57
-dMvE7e1C6y8=
+AwIBBjAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU
+ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAA6KyepvnOkj
+tpympMLRse4lGCQredSo8pm5XJFN5isyLgH1h5Vk/G3xh/oktENLSfOEVETrr0Gr
+SavItzJsFINb1yxB+YnVxCuaVcW2rRfVTbxBWFZyDdu3fVfGopx+a2euJvgmRbvE
+lS7qceO0emmVpIqA+FnciG7hp/y7jrKqqLYbLyyXpRLVgq6g6KYV/dHgXeSEsXbb
+CuLKWC7T30hORqzGNXkXmc7pvizkwlD/W5YVzWSsG9v+0qxDYchf7iS2pDvS/wr0
+DIhYoZ2kwR9qbGeQmOgfXi1VYJEmKrFmgOTmDgUsdanKC+Sgj+FHqI9hXXzOCWCI
+SMNGv75+Nr4=
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
- Serial Number: 3 (0x3)
+ Serial Number: 10 (0xa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA,
C=US
Validity
- Not Before: Dec 23 05:07:29 2009 GMT
- Not After : Dec 22 05:07:29 2014 GMT
+ Not Before: Nov 8 23:38:16 2016 GMT
+ Not After : Nov 6 23:38:16 2026 GMT
Subject: O=ICANN, CN=ICANN SSL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
@@ -272,33 +192,33 @@
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
- Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment, Key Agreement, Certificate Sign, CRL Sign
+ Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
Signature Algorithm: sha256WithRSAEncryption
- 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43:
- 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6:
- 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd:
- fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9:
- 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93:
- 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34:
- af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9:
- af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e:
- bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c:
- 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b:
- 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85:
- fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa:
- 21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af:
- aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd:
- 2c:fe:c0:ed
+ 47:46:4f:c7:5f:46:e3:d1:dc:fc:2b:f8:fc:65:ce:36:b1:f4:
+ 5f:ee:14:75:a3:d9:5f:de:75:4b:fa:7b:88:9f:10:8c:2e:97:
+ cc:35:1b:ce:24:d3:36:60:95:d5:ae:11:b6:3f:8b:f4:12:69:
+ 85:b5:3b:2a:b6:ab:7a:81:85:c2:55:57:ed:d0:b5:e7:4f:54:
+ 37:51:24:c9:d5:07:3a:ef:b6:c5:1a:3e:14:29:a7:a6:f8:08:
+ 2a:0b:26:79:f9:62:85:4a:e5:ea:90:ca:71:38:16:91:4e:7e:
+ fd:e3:b3:f3:55:8f:5a:d0:86:cf:33:94:88:f1:90:99:cb:81:
+ e2:81:92:68:2f:c3:61:d5:52:8d:e6:9a:5b:00:83:42:27:88:
+ f6:d9:fa:d1:bc:bb:b0:bc:b5:14:0b:4e:1a:54:ef:fa:d6:9d:
+ c4:0c:fc:ed:15:ab:21:4b:45:b5:d9:3b:ed:3c:d5:1e:2e:7a:
+ 83:6f:24:45:d4:4c:b4:ef:60:43:18:d0:84:5d:16:7b:f5:50:
+ 80:b1:a9:c2:8f:3b:c8:90:08:fd:aa:17:13:19:38:19:d1:8e:
+ 85:7c:1e:57:16:8c:f9:8a:e8:29:25:38:cd:bb:55:8e:4a:6a:
+ 6f:e5:7d:fc:d7:55:d6:ae:38:07:96:c1:97:ff:e5:2b:4f:99:
+ 2d:70:f2:08
-----BEGIN CERTIFICATE-----
-MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+MIIDYjCCAkqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
-BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX
-DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTE2MTEwODIzMzgxNloX
+DTI2MTEwNjIzMzgxNlowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
@@ -306,12 +226,12 @@
kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
-qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ
-TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM
-fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb
-pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS
-uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW
-vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey
-EN0s/sDt
+AQYwHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
+qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQBHRk/HX0bj0dz8
+K/j8Zc42sfRf7hR1o9lf3nVL+nuInxCMLpfMNRvOJNM2YJXVrhG2P4v0EmmFtTsq
+tqt6gYXCVVft0LXnT1Q3USTJ1Qc677bFGj4UKaem+AgqCyZ5+WKFSuXqkMpxOBaR
+Tn7947PzVY9a0IbPM5SI8ZCZy4HigZJoL8Nh1VKN5ppbAINCJ4j22frRvLuwvLUU
+C04aVO/61p3EDPztFashS0W12TvtPNUeLnqDbyRF1Ey072BDGNCEXRZ79VCAsanC
+jzvIkAj9qhcTGTgZ0Y6FfB5XFoz5iugpJTjNu1WOSmpv5X3811XWrjgHlsGX/+Ur
+T5ktcPII
-----END CERTIFICATE-----
diff -Nru dns-root-data-2017072601~deb8u1/parse-root-anchors.sh
dns-root-data-2017072601~deb8u2/parse-root-anchors.sh
--- dns-root-data-2017072601~deb8u1/parse-root-anchors.sh 1969-12-31
19:00:00.000000000 -0500
+++ dns-root-data-2017072601~deb8u2/parse-root-anchors.sh 2017-10-19
17:56:15.000000000 -0400
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+unset ZONE KTAG ALGO DTYPE DIGEST
+
+TTL=172800
+
+export IFS="="
+xml2 | while read KEY VAL; do
+ case "$KEY" in
+ "/TrustAnchor/Zone") ZONE="$VAL";;
+ "/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";;
+ "/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";;
+ "/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";;
+ "/TrustAnchor/KeyDigest/Digest")
+ DIGEST="$(echo "$VAL" | tr "[A-Z]" "[a-z]")"
+ if [ -z "$ZONE" -o -z "$KTAG" -o -z "$ALGO" -o -z "$DTYPE" ]; then
+ echo "Missing some KeyDigest parameter"
+ exit 1
+ fi
+ echo "$ZONE\t$TTL\tIN\tDS\t$KTAG $ALGO $DTYPE $DIGEST"
+ unset KTAG ALGO DTYPE DIGEST
+ ;;
+ esac
+done
+exit 0
Binary files /tmp/QrU23AQjcp/dns-root-data-2017072601~deb8u1/root-anchors.p7s
and /tmp/kyO_QpQvw1/dns-root-data-2017072601~deb8u2/root-anchors.p7s differ
diff -Nru dns-root-data-2017072601~deb8u1/root-anchors.xml
dns-root-data-2017072601~deb8u2/root-anchors.xml
--- dns-root-data-2017072601~deb8u1/root-anchors.xml 2017-08-23
03:09:51.000000000 -0400
+++ dns-root-data-2017072601~deb8u2/root-anchors.xml 2017-10-19
18:19:07.000000000 -0400
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<TrustAnchor id="AD42165F-3B1A-4778-8F42-D34A1D41FD93"
source="http://data.iana.org/root-anchors/root-anchors.xml";>
+<TrustAnchor id="0AF79DEA-A7CD-43DC-9EDD-AD241CA63AE2"
source="http://data.iana.org/root-anchors/root-anchors.xml";>
<Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00">
<KeyTag>19036</KeyTag>
@@ -7,4 +7,10 @@
<DigestType>2</DigestType>
<Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
</KeyDigest>
+<KeyDigest id="Klajeyz" validFrom="2017-02-02T00:00:00+00:00">
+<KeyTag>20326</KeyTag>
+<Algorithm>8</Algorithm>
+<DigestType>2</DigestType>
+<Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
+</KeyDigest>
</TrustAnchor>
