[Bug 2086795] Re: New DNSSEC root trust anchor

[Christian Ehrhardt]

Jammy verification:

root@j-sru:~# apt policy dns-root-data
dns-root-data:
  Installed: 2023112702~ubuntu0.22.04.1
  Candidate: 2024071801~ubuntu0.22.04.1
  Version table:
     2024071801~ubuntu0.22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
 *** 2023112702~ubuntu0.22.04.1 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2021011101 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
root@j-sru:~# apt install dns-root-data
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be upgraded:
  dns-root-data
1 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
Need to get 6132 B of archives.
After this operation, 2048 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 dns-root-data 
all 2024071801~ubuntu0.22.04.1 [6132 B]
Fetched 6132 B in 0s (83.6 kB/s)      
(Reading database ... 34147 files and directories currently installed.)
Preparing to unpack .../dns-root-data_2024071801~ubuntu0.22.04.1_all.deb ...
Unpacking dns-root-data (2024071801~ubuntu0.22.04.1) over 
(2023112702~ubuntu0.22.04.1) ...
Setting up dns-root-data (2024071801~ubuntu0.22.04.1) ...
Scanning processes...                                                           
                                                                                
                               

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this
host.


$ systemctl restart named; sleep 20s; systemctl status named --lines 80 
--no-pager
...
As expected in the log we see:
Feb 10 09:47:03 j-sru named[2624]: all zones loaded
Feb 10 09:47:03 j-sru named[2624]: running

old
root@j-sru:~# cat /usr/share/dns/root.key 
.       86400   IN      DNSKEY  257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
 ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
root@j-sru:~# cat /usr/share/dns/root.ds
. IN DS 20326 8 2 
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d

new
root@j-sru:~# cat /usr/share/dns/root.key
. IN DNSKEY 257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
 ; keytag 20326
. IN DNSKEY 257 3 8 
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
 ; keytag 38696
root@j-sru:~# cat /usr/share/dns/root.ds
. IN DS 20326 8 2 
E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
. IN DS 38696 8 2 
683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16


They keys are the same, the metadata changed slightly and all is
uppercase now by the generation being modernized and unified. But that
was expected and should be ok, hence the verification below - and it
also matches 1:1 to the upstream keys as distributed by icann.

root@j-sru:~# grep $(xmlstarlet sel -t -v 
"//KeyDigest[@id='Kmyv6jo']/PublicKey" root-anchors.xml) /usr/share/dns/root.key
. IN DNSKEY 257 3 8 
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
 ; keytag 38696
root@j-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Kmyv6jo']/Digest" 
root-anchors.xml) /usr/share/dns/root.ds
. IN DS 38696 8 2 
683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
root@j-sru:~# grep $(xmlstarlet sel -t -v 
"//KeyDigest[@id='Klajeyz']/PublicKey" root-anchors.xml) /usr/share/dns/root.key
. IN DNSKEY 257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
 ; keytag 20326
root@j-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Klajeyz']/Digest" 
root-anchors.xml) /usr/share/dns/root.ds
. IN DS 20326 8 2 
E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D


So the package delivered keys and signature matches the current upstream 
provided data, containing the old and new key as it should.
Thereby setting it verified.

** Tags removed: verification-done-focal verification-needed-jammy
** Tags added: verification-done-jammy verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2086795

Title:
  New DNSSEC root trust anchor

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dns-root-data/+bug/2086795/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs