summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--debian/README.source9
-rw-r--r--debian/changelog149
-rw-r--r--debian/control33
-rw-r--r--debian/copyright39
-rw-r--r--debian/dns-root-data.dirs1
-rw-r--r--debian/dns-root-data.install1
-rw-r--r--debian/gbp.conf2
-rwxr-xr-xdebian/rules44
-rw-r--r--debian/source/format1
-rwxr-xr-xdebian/tests/baseline8
-rw-r--r--debian/tests/control9
11 files changed, 296 insertions, 0 deletions
diff --git a/debian/README.source b/debian/README.source
new file mode 100644
index 0000000..7f406c8
--- /dev/null
+++ b/debian/README.source
@@ -0,0 +1,9 @@
+dns-root-data for Debian
+------------------------
+
+ The source files for this package were created by downloading IANA
+ DNSSEC root-anchor data from https://data.iana.org/root-anchors/ and
+ zone hints from https://www.iana.org/domains/root/files . Please
+ also take a look at get_orig_source in debian/rules.
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Wed, 31 Jan 2018 22:40:30 -0500
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..8ae9a28
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,149 @@
+dns-root-data (2023010101) unstable; urgency=medium
+
+ * merge current root hints and signatures (same contents as before)
+ * d/copyright: bump to 2023
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Jan 2023 10:00:11 -0500
+
+dns-root-data (2022120101) unstable; urgency=medium
+
+ * Updated upstream root data (same contents as before)
+ * d/copyright: update for 2022
+ * Standards-Version: bump to 4.6.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 20 Dec 2022 18:51:44 -0500
+
+dns-root-data (2021011101) unstable; urgency=medium
+
+ * updated upstream root data (same contents as before)
+ * wrap-and-sort -ast
+ * improve autopkgtest (Closes: #979840)
+ * move to dh 13
+ * Standards-Version: bump to 4.5.1 (no changes needed)
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Feb 2021 20:54:19 -0500
+
+dns-root-data (2019052802) unstable; urgency=medium
+
+ * use https for data.iana.org
+ * update root data to 2019052802
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 May 2019 13:05:03 -0400
+
+dns-root-data (2019031302) unstable; urgency=medium
+
+ * cryptographically verify root.hints
+ * get_orig_source: refresh root-anchors.{xml,p7s} as well
+ * update root data to 2019031302
+ * standards-version: bump to 4.3.0 (no changes needed)
+ * parse-root-anchors.sh: account for validity windows
+ * check: deliberately skip the TTL generated by ldns-key2ds
+ * dns-root-data is Multi-Arch: foreign
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 23 Mar 2019 15:33:17 +0100
+
+dns-root-data (2018091102) unstable; urgency=medium
+
+ * new upstream version of root.hints, 2018091102
+ * use DEP-14 branches
+ * Standards-Version: 4.2.1 (no changes needed)
+ * add Rules-Requires-Root: no
+ * add baseline autopkgtest
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 15 Oct 2018 13:45:59 -0400
+
+dns-root-data (2018013001) unstable; urgency=medium
+
+ * new upstream version of root.hints, 2018013001
+ * use wrap-and-sort -ast
+ * added myself to uploaders
+ * d/control: use dns-root-data@packages.debian.org as Maintainer
+ * Standards-Version: bump to 4.1.3 (no changes needed)
+ * d/control: move Vcs-* to salsa.debian.org
+ * move to debhelper 11
+ * d/rules: clean up get_orig_source
+ * sort generated .ds files by key tag
+ * d/rules: trim trailing whitespace
+ * d/copyright: Format: use https
+ * d/copyright: add my own copyright to debian/*
+ * d/copyright: name upstream data grant "ICANN-Public"
+ * d/copyright: Source: use https:
+ * update README.source to cover the different origins of the data
+ * Update order of root.key to follow output of unbound-anchor
+
+ -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 Jan 2018 23:02:05 -0500
+
+dns-root-data (2017072601) unstable; urgency=medium
+
+ * Update root.hints to 2017072601 version
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 23 Aug 2017 08:45:33 +0200
+
+dns-root-data (2017071401) unstable; urgency=medium
+
+ * Update the root.hints to 2017060102 version
+ * Change the state of KSK-2017 to VALID
+
+ -- Ondřej Surý <ondrej@debian.org> Fri, 14 Jul 2017 14:12:52 +0200
+
+dns-root-data (2017041102) unstable; urgency=high
+
+ [ Robert Edmonds ]
+ * Change DS creation to omit TTL and use spaces instead of tabs
+ (Closes: #864016)
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 06 Jun 2017 12:54:28 +0200
+
+dns-root-data (2017041101) unstable; urgency=medium
+
+ * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252)
+ * Update to 2017041101 version of root zone
+ * Remove timestamps from root.key to make the build reproducible
+ * Shell syntax cleanup
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 29 May 2017 14:05:37 +0200
+
+dns-root-data (2017020200) unstable; urgency=medium
+
+ * Update to 2016102001 version of the root.zone
+ * Add KSK-2017 (valid from 2017-02-02) into root.key file
+ * Reduce number of IANA files as they don't exist at upstream anymore
+ * draft-icann-dnssec-trust-anchor is now RFC 7958
+ * Update all other IANA DNSSEC files to 2017-02-02 versions
+ * Strip the GPG verification as IANA doesn't provide the GPG signatures
+ anymore
+ * Rewrite DS creation check to xml2 and ldnsutils, as neither xmllint
+ nor bind9utils handle multiple DNSKEY in one file correctly
+
+ -- Ondřej Surý <ondrej@debian.org> Wed, 22 Mar 2017 09:06:08 +0100
+
+dns-root-data (2015052300+h+1) unstable; urgency=medium
+
+ * Update root.hints to 2015052300 version
+ * Move the package under Debian DNS Maintainers umbrella
+ * Implement the H.ROOT-SERVERS.NET IP addresses changes
+ that's scheduled for December 1st, but operational now
+
+ -- Ondřej Surý <ondrej@debian.org> Tue, 01 Sep 2015 13:32:02 +0200
+
+dns-root-data (2014060201+2) unstable; urgency=medium
+
+ * Use full path for dnssec-dsfromkey (Closes: #760103)
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 04 Sep 2014 13:12:40 +0200
+
+dns-root-data (2014060201+1) unstable; urgency=low
+
+ * Add Robert Edmonds as co-maintainer
+ * Don't install root zone (it changes too often) and install static data
+ into /usr/share/dns/
+ * Also install dnssec-trust-anchor documentation into the package
+ * Strip unbound-anchor metadata from root.key when fetching new root.key
+
+ -- Ondřej Surý <ondrej@debian.org> Mon, 30 Jun 2014 10:42:07 +0200
+
+dns-root-data (2014060201) unstable; urgency=low
+
+ * Initial release (Closes: #752745)
+
+ -- Ondřej Surý <ondrej@debian.org> Thu, 26 Jun 2014 10:46:45 +0200
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..74d35d1
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,33 @@
+Source: dns-root-data
+Section: misc
+Priority: optional
+Maintainer: dns-root-data packagers <dns-root-data@packages.debian.org>
+Uploaders:
+ Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
+ Ondřej Surý <ondrej@debian.org>,
+ Robert Edmonds <edmonds@debian.org>,
+Build-Depends:
+ debhelper-compat (= 13),
+ gpgv,
+ ldnsutils,
+ openssl,
+ unbound-anchor,
+ xml2,
+Standards-Version: 4.6.1
+Homepage: https://data.iana.org/root-anchors/
+Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git
+Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data
+Rules-Requires-Root: no
+
+Package: dns-root-data
+Architecture: all
+Multi-Arch: foreign
+Depends:
+ ${misc:Depends},
+Description: DNS root data including root zone and DNSSEC key
+ This package contains various root zone related data as published
+ by IANA to be used by various DNS software as a common source
+ of DNS root zone data, namely:
+ .
+ * Root Hints (root.hints)
+ * Root Trust Anchors (root.key, root.ds)
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..d389c35
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,39 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: IANA Root Zone Management
+Source: https://www.iana.org/domains/root/files
+
+Files: *
+Copyright: Copyright (c) 2010-2023 Internet Corporation For Assigned Names and Numbers
+License: ICANN-Public
+ ICANN asserts no property rights to any of the IANA registries or
+ public keys we maintain. You are free to redistribute the IANA
+ registry files, the root zone file and the root public keys.
+ .
+ As a courtesy we'd ask any such redistribution make it clear it is a
+ mirrored copy, and indicate the original source URL.
+
+Files: debian/*
+Copyright: 2014 Ondřej Surý <ondrej@debian.org>,
+ 2018-2023 Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+License: Expat
+
+License: Expat
+ Permission is hereby granted, free of charge, to any person obtaining
+ a copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+ .
+ The above copyright notice and this permission notice shall be
+ included in all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+ NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+ ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
diff --git a/debian/dns-root-data.dirs b/debian/dns-root-data.dirs
new file mode 100644
index 0000000..823d8be
--- /dev/null
+++ b/debian/dns-root-data.dirs
@@ -0,0 +1 @@
+/usr/share/dns/
diff --git a/debian/dns-root-data.install b/debian/dns-root-data.install
new file mode 100644
index 0000000..c086801
--- /dev/null
+++ b/debian/dns-root-data.install
@@ -0,0 +1 @@
+root.* /usr/share/dns/
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 0000000..8f53891
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/master
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..778a960
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,44 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+%:
+ dh $@
+
+override_dh_auto_configure override_dh_auto_install:
+ :
+
+override_dh_auto_build:
+ # Verify root-anchors.xml using OpenSSL
+ openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
+
+ # Verify root.hints
+ gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+
+ # Create key from validated root-anchors.xml
+ ./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
+
+ # Create key from downloaded root.key
+ /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
+
+ # Compare the DS from root.key and from root-anchors.xml
+ diff -u root-anchors.ds root.ds
+
+override_dh_auto_clean:
+ rm -f root-anchors.ds root.ds
+
+get_orig_source:
+ # Create root.key and root.hints using wget and unbound-anchor
+ # This needs Internet connection
+ /usr/sbin/unbound-anchor \
+ -a $(CURDIR)/root-auto.key \
+ -c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key"
+ < $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
+ rm $(CURDIR)/root-auto.key
+ wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root"
+ wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig"
+ # get root-anchors.xml and root-anchors.p7s as well
+ wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml'
+ wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s'
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/debian/tests/baseline b/debian/tests/baseline
new file mode 100755
index 0000000..cada3b5
--- /dev/null
+++ b/debian/tests/baseline
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -e
+
+systemctl start kresd@1.service
+kdig @127.0.0.1 -t ns . +dnssec > root-nameservers-result
+cat root-nameservers-result
+head -n1 < root-nameservers-result | grep -q '^;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: '
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..240f2ff
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,9 @@
+Tests: baseline
+Depends:
+ knot-dnsutils,
+ knot-resolver,
+ systemd,
+ @,
+Restrictions:
+ isolation-container,
+ needs-root,