Focal verification:

root@f-sru:~# apt policy dns-root-data
dns-root-data:
  Installed: 2023112702~ubuntu0.20.04.1
  Candidate: 2024071801~ubuntu0.20.04.1
  Version table:
     2024071801~ubuntu0.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 Packages
 *** 2023112702~ubuntu0.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2019052802 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
root@f-sru:~# apt install dns-root-data
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  dns-root-data
1 upgraded, 0 newly installed, 0 to remove and 13 not upgraded.
Need to get 6128 B of archives.
After this operation, 2048 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-proposed/main amd64 dns-root-data all 2024071801~ubuntu0.20.04.1 [6128 B]
Fetched 6128 B in 0s (64.1 kB/s)        
(Reading database ... 32423 files and directories currently installed.)
Preparing to unpack .../dns-root-data_2024071801~ubuntu0.20.04.1_all.deb ...
Unpacking dns-root-data (2024071801~ubuntu0.20.04.1) over (2023112702~ubuntu0.20.04.1) ...
Setting up dns-root-data (2024071801~ubuntu0.20.04.1) ...


$ systemctl restart named; sleep 20s; systemctl status named --lines 80 --no-pager
...
As expected in the log we see:
Feb 10 09:47:01 f-sru named[3767]: all zones loaded
Feb 10 09:47:01 f-sru named[3767]: running

old
root@f-sru:~# cat /usr/share/dns/root.key 
.       86400   IN      DNSKEY  257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
 ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ]
root@f-sru:~# cat /usr/share/dns/root.ds
. IN DS 20326 8 2 
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d


new
root@f-sru:~# cat /usr/share/dns/root.key
. IN DNSKEY 257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
 ; keytag 20326
. IN DNSKEY 257 3 8 
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
 ; keytag 38696
root@f-sru:~# cat /usr/share/dns/root.ds
. IN DS 20326 8 2 
E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
. IN DS 38696 8 2 
683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16


The keys are the same, the metadata changed slightly and all is
uppercase now due to the generation being modernized and unified. But that
was expected and should be ok, hence the verification below - and it
also matches 1:1 to the upstream keys as distributed by ICANN.

root@f-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Kmyv6jo']/PublicKey" root-anchors.xml) /usr/share/dns/root.key
. IN DNSKEY 257 3 8 
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
 ; keytag 38696
root@f-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Kmyv6jo']/Digest" root-anchors.xml) /usr/share/dns/root.ds
. IN DS 38696 8 2 
683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
root@f-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Klajeyz']/PublicKey" root-anchors.xml) /usr/share/dns/root.key
. IN DNSKEY 257 3 8 
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
 ; keytag 20326
root@f-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Klajeyz']/Digest" root-anchors.xml) /usr/share/dns/root.ds
. IN DS 20326 8 2 
E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D


So the package-delivered keys and signature match the current
upstream-provided data, containing the old and new key as it should.
Thereby setting it verified.

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2086795

Title:
  New DNSSEC root trust anchor
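
Added example (not part of the original message or of the dns-root-data package): the grep checks above compare each file against root-anchors.xml separately; this sketch goes one step further and recomputes the RFC 4034 key tag and SHA-256 DS digest from each DNSKEY, so root.key and root.ds are also checked against each other. The records are copied from the "new" output above; all function names are illustrative.

```python
import base64
import hashlib
import struct

# Records copied from the "new" root.key / root.ds output in the message above.
ROOT_KEY = """\
. IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; keytag 20326
. IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ; keytag 38696
"""
ROOT_DS = """\
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
. IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
"""

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(rdata: bytes, owner_wire: bytes = b"\x00") -> str:
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA)."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def records(text: str, rrtype: str):
    """Yield the RDATA fields of each rrtype line, skipping TTL/class and comments."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if rrtype in fields:
            yield fields[fields.index(rrtype) + 1:]

def check_anchor_files(key_text: str, ds_text: str) -> dict:
    """Map key tag -> True when a DNSKEY exists and hashes to the listed DS digest."""
    keys = {}
    for flags, proto, alg, *b64 in records(key_text, "DNSKEY"):
        rdata = struct.pack("!HBB", int(flags), int(proto), int(alg))
        rdata += base64.b64decode("".join(b64))
        keys[key_tag(rdata)] = rdata
    ds = {int(tag): "".join(digest).upper()
          for tag, _alg, dtype, *digest in records(ds_text, "DS") if dtype == "2"}
    return {tag: tag in keys and ds.get(tag) == ds_sha256(keys[tag])
            for tag in sorted(set(keys) | set(ds))}

if __name__ == "__main__":
    print(check_anchor_files(ROOT_KEY, ROOT_DS))
```

A tag that maps to False means a DS line has no matching DNSKEY, or the digest does not match the key it claims to cover.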
