[Pkg-dns-devel] Bug#855484: unbound: Missing trust anchor for root KSK-2017 key

Robert Edmonds edmonds at debian.org
Sun Feb 19 01:43:47 UTC 2017


Package: unbound
Version: 1.6.0-2
Severity: serious
Justification: package maintainer's opinion

Hi,

I'd like to update the DNSSEC root trust anchor embedded in the
unbound-anchor utility. This is used to bootstrap DNSSEC trust for the
unbound DNS server. The current trust anchor is for the 2010 DNSSEC KSK,
which is scheduled to be replaced this year and retired in 2018
(https://www.icann.org/resources/pages/ksk-rollover).

Upstream svn commit r4000 (post-1.6.0), attached for review, updates
unbound-anchor to include the additional trust anchor.

An unbound server that was offline during the KSK rollover can still
obtain the 2017 KSK securely by using unbound-anchor's out-of-band
fallback mechanism based on HTTP and S/MIME, but by including the trust
anchor for the 2017 key in the unbound package that ships with stretch
we can avoid having this rarely used code path exercised.

-- 
Robert Edmonds
edmonds at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Include-root-trust-anchor-id-20326-in-unbound-anchor.patch
Type: text/x-diff
Size: 1370 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-dns-devel/attachments/20170218/c6368501/attachment.patch>
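As an added example (not code from this mail, the attached patch, or the unbound project), a small checker an operator can run against an unbound-style `root.key` trust-anchor file before the rollover: it parses each DNSKEY line, recomputes the key tag per RFC 4034 Appendix B instead of trusting the `;{id = ...}` comment, and reports whether a KSK with the tag named in the patch (20326) is present. The sample file and its tiny keys are constructed placeholders, not the real root KSKs.

```python
import base64
import struct

# Key tag of the 2017 root KSK, as named in the attached patch (id-20326).
ROOT_KSK_2017_TAG = 20326

# Constructed sample in the autotrust (RFC 5011) layout unbound-anchor writes.
# The public keys are placeholder bytes, not real 2048-bit RSA keys.
SAMPLE_ROOT_KEY = """\
; autotrust trust anchor file
;;id: . 1
. 172800 IN DNSKEY 257 3 8 AQIDBA== ;{id = 2063 (ksk), size = 32b} ;;state=2 [  VALID  ]
. 172800 IN DNSKEY 256 3 8 BQYH ;{id = 4110 (zsk), size = 24b} ;;state=2 [  VALID  ]
"""


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_trust_anchors(text):
    """Return the DNSKEY records in a root.key file with their recomputed key tags."""
    anchors = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip autotrust state comments
        fields = line.split()
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        flags, proto, alg = int(fields[4]), int(fields[5]), int(fields[6])
        pubkey = base64.b64decode("".join(fields[7:]))  # key may span several fields
        anchors.append({
            "owner": fields[0],
            "flags": flags,
            "algorithm": alg,
            "key_tag": dnskey_key_tag(flags, proto, alg, pubkey),
            "is_ksk": bool(flags & 0x0001),  # SEP bit: only KSKs are valid anchors
        })
    return anchors


def has_ksk(text, key_tag):
    """True if the file holds a SEP-flagged DNSKEY whose recomputed tag matches."""
    return any(a["is_ksk"] and a["key_tag"] == key_tag for a in parse_trust_anchors(text))
```

A resolver whose file lacks the 2017 KSK after the rollover would fail validation for the whole namespace, so `has_ksk(open("/var/lib/unbound/root.key").read(), ROOT_KSK_2017_TAG)` is the pre-rollover check to automate.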
