New DNSSEC root trust anchor
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| dns-root-data (Debian) |
Fix Released
|
Unknown
|
|||
| dns-root-data (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Focal |
Fix Released
|
Undecided
|
Christian Ehrhardt | ||
| Jammy |
Fix Released
|
Undecided
|
Christian Ehrhardt | ||
| Noble |
Fix Released
|
Undecided
|
Christian Ehrhardt | ||
| Oracular |
Fix Released
|
Undecided
|
Christian Ehrhardt | ||
| Plucky |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
[ Impact ]
* ICANN has generated the next DNSSEC root trust anchor, KSK-2024.
* ICANN's current plan is that it will be required around 2026-10-11
to 2027-01-11, but the sooner it's updated, the more unmaintained
installations will have it when the time comes.
* https:/
* On one hand it is "only" annoyance as e.g. named uses them as
hints and will on start check those hints and spam you
warnings to the logs.
* On the other hand this will break. Mid term the old addresses
will stop to work (by 2026/2027) that is the strong
deadline until this should be updated everywhere.
Read more about the general key rollover policy at
https:/
In regard to that Ubuntu falls into this category:
"Validators should keep this data up-to-date. Consider the following:
...
Software vendors often package and distribute up-to-date trust anchors through their regular software update mechanisms."
[ Test Plan ]
* In the past on updates the self check on hints of named
were quite useful here when it was updating to the new
keys (see bug 2045297). But this time we are not so very
late (which is good) and thereby that simple test does not
work yet (not so good).
* Still as a regression test against those keys being installed
a valid check is to install bind9 and check named's status with
the new vs the old keys.
$ apt install bind9;
$ systemctl restart named;
# takes a while to fully start
$ sleep 20s;
$ systemctl status named --lines 80 --no-pager
Run the above as-is and then again with the updated dns-root-data package.
Important should be:
1. no weird behavior with the updated keys, compare to the old
2. Named is happy, check for those two
status
Active: active (running)
log
Nov 25 09:06:54 f named[13139]: all zones loaded
Nov 25 09:06:54 f named[13139]: running
* This is adding the new KSK-2024 key, not removing the old. So one more
thing that is worth to check is that the key and delegation signer
contained in
$ cat /usr/share/
$ cat /usr/share/
are still present after the upgrade. There should be a new second key
now. Please mind that the new tooling does generate .ds better and
might switch characters to upper-case as usual in key display.
* Since the keys are not yet fully active, it won't do an auto-refresh
using them that we can check for. Instead we need to compare what
the update delivered against what IANA publishes. To do that you'd
compare that added second key. It was already generated the official
way at build time, so not doing the very same again. Instead let us
doing that in a few ways for extra confidence.
First:
Compare that second key with the post on [1]. Other than some
spacing due to the way displayed it should match that.
Second:
Compare he pkg content to the published data by IANA (see
https:/
# fetch published keys and signature
$ wget https:/
https:/
https:/
# verify against the signature
$ openssl smime -verify -CAfile icannbundle.pem -inform der -in root-anchors.p7s -content root-anchors.xml
<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="0C05FDD6-
<Zone>.</Zone>
<KeyDigest id="Kjqmt7v" validFrom=
</KeyDigest>
<KeyDigest id="Klajeyz" validFrom=
</KeyDigest>
<KeyDigest id="Kmyv6jo" validFrom=
</KeyDigest>
</TrustAnchor>
Verification successful
# Once trusted, check that the key, ds and tag matches what
# the new version of dns-root-data installed
$ apt install xmlstarlet
# ensure the new KSK-2024 key is in there
$ grep $(xmlstarlet sel -t -v "//KeyDigest[
. IN DNSKEY 257 3 8 AwEAAa96jeuknZl
$ grep $(xmlstarlet sel -t -v "//KeyDigest[
. IN DS 38696 8 2 683D2D0ACB8C9B7
# ensure we haven't lost the still active key
$ grep $(xmlstarlet sel -t -v "//KeyDigest[
. IN DNSKEY 257 3 8 AwEAAaz/
$ grep $(xmlstarlet sel -t -v "//KeyDigest[
. IN DS 20326 8 2 E06D44B80B8F1D3
Sorry for this a bit odd approach, but just re-doing what was already done at build seemed not to provide a cross-check of any meaningful way.
[1]: https:/
[ Where problems could occur ]
* This isn't code, purely a data file for services that need to know
about dns root servers. Thereby there is no code in the package itself
that would fail, but potential regressions would be in the dependencies.
Those are (and we can more consciously look out for those):
Reverse-Recommends
==================
* dnsmasq-base [amd64 arm64 armhf ppc64el s390x]
* dnsmasq-base-lua [amd64 arm64 armhf ppc64el s390x]
* ldnsutils [amd64 arm64 armhf ppc64el s390x]
* libbellesip2 [amd64 arm64 armhf ppc64el s390x]
* unbound
* unbound-host
Reverse-Depends
===============
* bind9
* dnsviz
* hash-slinger [amd64 arm64 armhf ppc64el s390x]
* knot-resolver [amd64 arm64 armhf]
* libgetdns10 [amd64 arm64 armhf ppc64el s390x]
* libreswan [amd64 arm64 armhf ppc64el s390x]
* opendkim [amd64 arm64 armhf ppc64el s390x]
* pdns-recursor [amd64 arm64 ppc64el s390x]
* At the same time I think we'd not need to do super advanced tests with
custom setups of each of them. Those that are reverse dependencies and
have tests (bind9, libreswan) will be ran by autopkgtest and given the
change, that should IMHO be sufficient.
* This is following one change in Debian which SRU thoughts might decide
otherwise about. root.hints.sig is no more shipped since 2024041802.
For noble/jammy/focal that means the file is no more around after the
update. I think this is fine as its use-case really is negelgible,
and having them consistent across releases has benefits for admins
and further maintenance. Yet If you disagree let me know and I can
see if we can re-generate that from the upstream content as well.
[ Other Info ]
* This is a native package and we are not doing anything special
The same landed in Debian
=> https:/
* This is structurally a similar update to the past bug 2045297
* Given that this is changing only data and that we likely need
to expect updating this more or less regularly I appreciate to
get all the packaging improvements Debian made like improving
readme and updating the generation of the key from the verified
XML at build time to the new rfc.
Hence I'd (just like Debian did) go for a backport of the most
recent version, over just picking the key content.
That is easier to review, easier to maintain, and as long
as there are no build issues better to ensure all active
releases are on the same state.
--- original report ---
ICANN has generated the next DNSSEC root trust anchor, KSK-2024.
ICANN's current plan is that it will be required around 2026-10-11 - 2027-01-11, but the sooner it's updated, the more unmaintained installations will have it when the time comes.
<https:/
<https:/
The corresponding Debian bug is <https:/
(Some software can automatically update the trust anchor, as long as it's running and connected to the Internet often enough; some cannot.)
Related branches
- git-ubuntu bot: Approve
- Miriam España Acebal (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 29 lines (+9/-1)2 files modifieddebian/changelog (+7/-0)
debian/control (+2/-1)
- git-ubuntu bot: Approve
- Miriam España Acebal (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 29 lines (+9/-1)2 files modifieddebian/changelog (+7/-0)
debian/control (+2/-1)
- git-ubuntu bot: Approve
- Miriam España Acebal (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 29 lines (+9/-1)2 files modifieddebian/changelog (+7/-0)
debian/control (+2/-1)
- git-ubuntu bot: Approve
- Miriam España Acebal (community): Approve
- Canonical Server Reporter: Pending requested
-
Diff: 52 lines (+13/-3)3 files modifieddebian/changelog (+9/-0)
debian/control (+3/-2)
parse-root-anchors (+1/-1)
| Changed in dns-root-data (Debian): | |
| status: | Unknown → Fix Committed |
| Changed in dns-root-data (Debian): | |
| status: | Fix Committed → Fix Released |
| Changed in dns-root-data (Ubuntu): | |
| assignee: | nobody → Christian Ehrhardt (paelzer) |
| Changed in dns-root-data (Ubuntu Plucky): | |
| status: | New → Fix Released |
| Changed in dns-root-data (Ubuntu Oracular): | |
| status: | New → Fix Released |
| Changed in dns-root-data (Ubuntu Noble): | |
| status: | New → Triaged |
| Changed in dns-root-data (Ubuntu Focal): | |
| status: | New → Triaged |
| Changed in dns-root-data (Ubuntu Jammy): | |
| status: | New → Triaged |
| Changed in dns-root-data (Ubuntu Plucky): | |
| assignee: | Christian Ehrhardt (paelzer) → nobody |
| Changed in dns-root-data (Ubuntu Noble): | |
| assignee: | nobody → Christian Ehrhardt (paelzer) |
| Changed in dns-root-data (Ubuntu Oracular): | |
| status: | Fix Released → Triaged |
| Christian Ehrhardt (paelzer) wrote | #2 |
| description: | updated |
| Changed in dns-root-data (Ubuntu Focal): | |
| assignee: | nobody → Christian Ehrhardt (paelzer) |
| Changed in dns-root-data (Ubuntu Jammy): | |
| assignee: | nobody → Christian Ehrhardt (paelzer) |
| Changed in dns-root-data (Ubuntu Oracular): | |
| assignee: | nobody → Christian Ehrhardt (paelzer) |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| description: | updated |
| Christian Ehrhardt (paelzer) wrote | #3 |
| description: | updated |
| Christian Ehrhardt (paelzer) wrote | #4 |
| Christian Ehrhardt (paelzer) wrote | #5 |
| Changed in dns-root-data (Ubuntu Focal): | |
| status: | Triaged → Fix Committed |
| Changed in dns-root-data (Ubuntu Jammy): | |
| status: | Triaged → Fix Committed |
| Changed in dns-root-data (Ubuntu Noble): | |
| status: | Triaged → Fix Committed |
| Changed in dns-root-data (Ubuntu Oracular): | |
| status: | Triaged → Fix Committed |
| Changed in dns-root-data (Ubuntu Focal): | |
| status: | Fix Committed → In Progress |
| Changed in dns-root-data (Ubuntu Noble): | |
| status: | Fix Committed → In Progress |
| Changed in dns-root-data (Ubuntu Jammy): | |
| status: | Fix Committed → In Progress |
| Timo Aaltonen (tjaalton) wrote Please test proposed package | #6 |
| tags: | added: verification-needed verification-needed-oracular |
| Changed in dns-root-data (Ubuntu Noble): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed-noble |
| Timo Aaltonen (tjaalton) wrote | #7 |
| Changed in dns-root-data (Ubuntu Jammy): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed-jammy |
| Timo Aaltonen (tjaalton) wrote | #8 |
| Changed in dns-root-data (Ubuntu Focal): | |
| status: | In Progress → Fix Committed |
| tags: | added: verification-needed-focal |
| Timo Aaltonen (tjaalton) wrote | #9 |
| Ubuntu SRU Bot (ubuntu-sru-bot) wrote Autopkgtest regression report (dns-root-data/2024071801~ubuntu0.20.04.1) | #10 |
| Christian Ehrhardt (paelzer) wrote | #11 |
| Christian Ehrhardt (paelzer) wrote | #12 |
| Christian Ehrhardt (paelzer) wrote | #13 |
| tags: |
added: verification-done-focal removed: verification-needed-focal |
| Christian Ehrhardt (paelzer) wrote | #14 |
| tags: |
added: verification-done-jammy verification-needed-focal removed: verification-done-focal verification-needed-jammy |
| Christian Ehrhardt (paelzer) wrote | #15 |
| tags: |
added: verification-done-noble verification-needed-jammy removed: verification-done-jammy verification-needed-noble |
| Christian Ehrhardt (paelzer) wrote | #16 |
| tags: |
added: verification-done verification-done-oracular verification-needed-noble removed: verification-done-noble verification-needed verification-needed-oracular |
| Christian Ehrhardt (paelzer) wrote | #17 |
| Andreas Hasenack (ahasenack) wrote Update Released | #18 |
| Launchpad Janitor (janitor) wrote | #19 |
| Changed in dns-root-data (Ubuntu Oracular): | |
| status: | Fix Committed → Fix Released |
| Christian Ehrhardt (paelzer) wrote | #20 |
| tags: |
added: verification-done-focal verification-done-jammy verification-done-noble removed: verification-needed-focal verification-needed-jammy verification-needed-noble |
| Launchpad Janitor (janitor) wrote | #21 |
| Changed in dns-root-data (Ubuntu Noble): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote | #22 |
| Changed in dns-root-data (Ubuntu Jammy): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote | #23 |
| Changed in dns-root-data (Ubuntu Focal): | |
| status: | Fix Committed → Fix Released |
Hi Matt,
It looks like dns-root-data should automatically sync this into plucky from Debian once the fix is available in sid, but am guessing you feel it'll need SRUs to all supported releases? Looks like we've needed to do roll out updates for this package in the past (LP: #2045297)
Patch needed: https:/