diff options
| -rw-r--r-- | debian/README.source | 9 | ||||
| -rw-r--r-- | debian/changelog | 149 | ||||
| -rw-r--r-- | debian/control | 33 | ||||
| -rw-r--r-- | debian/copyright | 39 | ||||
| -rw-r--r-- | debian/dns-root-data.dirs | 1 | ||||
| -rw-r--r-- | debian/dns-root-data.install | 1 | ||||
| -rw-r--r-- | debian/gbp.conf | 2 | ||||
| -rwxr-xr-x | debian/rules | 44 | ||||
| -rw-r--r-- | debian/source/format | 1 | ||||
| -rwxr-xr-x | debian/tests/baseline | 8 | ||||
| -rw-r--r-- | debian/tests/control | 9 |
11 files changed, 296 insertions, 0 deletions
diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 0000000..7f406c8 --- /dev/null +++ b/debian/README.source @@ -0,0 +1,9 @@ +dns-root-data for Debian +------------------------ + + The source files for this package were created by downloading IANA + DNSSEC root-anchor data from https://data.iana.org/root-anchors/ and + zone hints from https://www.iana.org/domains/root/files . Please + also take a look at get_orig_source in debian/rules. + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Wed, 31 Jan 2018 22:40:30 -0500 diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..8ae9a28 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,149 @@ +dns-root-data (2023010101) unstable; urgency=medium + + * merge current root hints and signatures (same contents as before) + * d/copyright: bump to 2023 + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 11 Jan 2023 10:00:11 -0500 + +dns-root-data (2022120101) unstable; urgency=medium + + * Updated upstream root data (same contents as before) + * d/copyright: update for 2022 + * Standards-Version: bump to 4.6.1 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 20 Dec 2022 18:51:44 -0500 + +dns-root-data (2021011101) unstable; urgency=medium + + * updated upstream root data (same contents as before) + * wrap-and-sort -ast + * improve autopkgtest (Closes: #979840) + * move to dh 13 + * Standards-Version: bump to 4.5.1 (no changes needed) + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 12 Feb 2021 20:54:19 -0500 + +dns-root-data (2019052802) unstable; urgency=medium + + * use https for data.iana.org + * update root data to 2019052802 + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 29 May 2019 13:05:03 -0400 + +dns-root-data (2019031302) unstable; urgency=medium + + * cryptographically verify root.hints + * get_orig_source: refresh root-anchors.{xml,p7s} as well + * update root data to 2019031302 + * standards-version: bump to 4.3.0 (no changes needed) + * parse-root-anchors.sh: account for validity windows + * check: deliberately skip the TTL generated by ldns-key2ds + * dns-root-data is Multi-Arch: foreign + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 23 Mar 2019 15:33:17 +0100 + +dns-root-data (2018091102) unstable; urgency=medium + + * new upstream version of root.hints, 2018091102 + * use DEP-14 branches + * Standards-Version: 4.2.1 (no changes needed) + * add Rules-Requires-Root: no + * add baseline autopkgtest + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 15 Oct 2018 13:45:59 -0400 + +dns-root-data (2018013001) unstable; urgency=medium + + * new upstream version of root.hints, 2018013001 + * use wrap-and-sort -ast + * added myself to uploaders + * d/control: use dns-root-data@packages.debian.org as Maintainer + * Standards-Version: bump to 4.1.3 (no changes needed) + * d/control: move Vcs-* to salsa.debian.org + * move to debhelper 11 + * d/rules: clean up get_orig_source + * sort generated .ds files by key tag + * d/rules: trim trailing whitespace + * d/copyright: Format: use https + * d/copyright: add my own copyright to debian/* + * d/copyright: name upstream data grant "ICANN-Public" + * d/copyright: Source: use https: + * update README.source to cover the different origins of the data + * Update order of root.key to follow output of unbound-anchor + + -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 31 Jan 2018 23:02:05 -0500 + +dns-root-data (2017072601) unstable; urgency=medium + + * Update root.hints to 2017072601 version + + -- Ondřej Surý <ondrej@debian.org> Wed, 23 Aug 2017 08:45:33 +0200 + +dns-root-data (2017071401) unstable; urgency=medium + + * Update the root.hints to 2017060102 version + * Change the state of KSK-2017 to VALID + + -- Ondřej Surý <ondrej@debian.org> Fri, 14 Jul 2017 14:12:52 +0200 + +dns-root-data (2017041102) unstable; urgency=high + + [ Robert Edmonds ] + * Change DS creation to omit TTL and use spaces instead of tabs + (Closes: #864016) + + -- Ondřej Surý <ondrej@debian.org> Tue, 06 Jun 2017 12:54:28 +0200 + +dns-root-data (2017041101) unstable; urgency=medium + + * Fix parse-root-anchors.sh in non-dash shells (Closes: #862252) + * Update to 2017041101 version of root zone + * Remove timestamps from root.key to make the build reproducible + * Shell syntax cleanup + + -- Ondřej Surý <ondrej@debian.org> Mon, 29 May 2017 14:05:37 +0200 + +dns-root-data (2017020200) unstable; urgency=medium + + * Update to 2016102001 version of the root.zone + * Add KSK-2017 (valid from 2017-02-02) into root.key file + * Reduce number of IANA files as they don't exist at upstream anymore + * draft-icann-dnssec-trust-anchor is now RFC 7958 + * Update all other IANA DNSSEC files to 2017-02-02 versions + * Strip the GPG verification as IANA doesn't provide the GPG signatures + anymore + * Rewrite DS creation check to xml2 and ldnsutils, as neither xmllint + nor bind9utils handle multiple DNSKEY in one file correctly + + -- Ondřej Surý <ondrej@debian.org> Wed, 22 Mar 2017 09:06:08 +0100 + +dns-root-data (2015052300+h+1) unstable; urgency=medium + + * Update root.hints to 2015052300 version + * Move the package under Debian DNS Maintainers umbrella + * Implement the H.ROOT-SERVERS.NET IP addresses changes + that's scheduled for December 1st, but operational now + + -- Ondřej Surý <ondrej@debian.org> Tue, 01 Sep 2015 13:32:02 +0200 + +dns-root-data (2014060201+2) unstable; urgency=medium + + * Use full path for dnssec-dsfromkey (Closes: #760103) + + -- Ondřej Surý <ondrej@debian.org> Thu, 04 Sep 2014 13:12:40 +0200 + +dns-root-data (2014060201+1) unstable; urgency=low + + * Add Robert Edmonds as co-maintainer + * Don't install root zone (it changes too often) and install static data + into /usr/share/dns/ + * Also install dnssec-trust-anchor documentation into the package + * Strip unbound-anchor metadata from root.key when fetching new root.key + + -- Ondřej Surý <ondrej@debian.org> Mon, 30 Jun 2014 10:42:07 +0200 + +dns-root-data (2014060201) unstable; urgency=low + + * Initial release (Closes: #752745) + + -- Ondřej Surý <ondrej@debian.org> Thu, 26 Jun 2014 10:46:45 +0200 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..74d35d1 --- /dev/null +++ b/debian/control @@ -0,0 +1,33 @@ +Source: dns-root-data +Section: misc +Priority: optional +Maintainer: dns-root-data packagers <dns-root-data@packages.debian.org> +Uploaders: + Daniel Kahn Gillmor <dkg@fifthhorseman.net>, + Ondřej Surý <ondrej@debian.org>, + Robert Edmonds <edmonds@debian.org>, +Build-Depends: + debhelper-compat (= 13), + gpgv, + ldnsutils, + openssl, + unbound-anchor, + xml2, +Standards-Version: 4.6.1 +Homepage: https://data.iana.org/root-anchors/ +Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git +Vcs-Browser: https://salsa.debian.org/dns-team/dns-root-data +Rules-Requires-Root: no + +Package: dns-root-data +Architecture: all +Multi-Arch: foreign +Depends: + ${misc:Depends}, +Description: DNS root data including root zone and DNSSEC key + This package contains various root zone related data as published + by IANA to be used by various DNS software as a common source + of DNS root zone data, namely: + . + * Root Hints (root.hints) + * Root Trust Anchors (root.key, root.ds) diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..d389c35 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,39 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: IANA Root Zone Management +Source: https://www.iana.org/domains/root/files + +Files: * +Copyright: Copyright (c) 2010-2023 Internet Corporation For Assigned Names and Numbers +License: ICANN-Public + ICANN asserts no property rights to any of the IANA registries or + public keys we maintain. You are free to redistribute the IANA + registry files, the root zone file and the root public keys. + . + As a courtesy we'd ask any such redistribution make it clear it is a + mirrored copy, and indicate the original source URL. + +Files: debian/* +Copyright: 2014 Ondřej Surý <ondrej@debian.org>, + 2018-2023 Daniel Kahn Gillmor <dkg@fifthhorseman.net> +License: Expat + +License: Expat + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + . + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + . + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS + BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN + ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN + CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + SOFTWARE. diff --git a/debian/dns-root-data.dirs b/debian/dns-root-data.dirs new file mode 100644 index 0000000..823d8be --- /dev/null +++ b/debian/dns-root-data.dirs @@ -0,0 +1 @@ +/usr/share/dns/ diff --git a/debian/dns-root-data.install b/debian/dns-root-data.install new file mode 100644 index 0000000..c086801 --- /dev/null +++ b/debian/dns-root-data.install @@ -0,0 +1 @@ +root.* /usr/share/dns/ diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..8f53891 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/master diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..778a960 --- /dev/null +++ b/debian/rules @@ -0,0 +1,44 @@ +#!/usr/bin/make -f +# -*- makefile -*- + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +%: + dh $@ + +override_dh_auto_configure override_dh_auto_install: + : + +override_dh_auto_build: + # Verify root-anchors.xml using OpenSSL + openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml + + # Verify root.hints + gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints + + # Create key from validated root-anchors.xml + ./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds + + # Create key from downloaded root.key + /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds + + # Compare the DS from root.key and from root-anchors.xml + diff -u root-anchors.ds root.ds + +override_dh_auto_clean: + rm -f root-anchors.ds root.ds + +get_orig_source: + # Create root.key and root.hints using wget and unbound-anchor + # This needs Internet connection + /usr/sbin/unbound-anchor \ + -a $(CURDIR)/root-auto.key \ + -c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key" + < $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key + rm $(CURDIR)/root-auto.key + wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root" + wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig" + # get root-anchors.xml and root-anchors.p7s as well + wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml' + wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s' diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..89ae9db --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (native) diff --git a/debian/tests/baseline b/debian/tests/baseline new file mode 100755 index 0000000..cada3b5 --- /dev/null +++ b/debian/tests/baseline @@ -0,0 +1,8 @@ +#!/bin/sh + +set -e + +systemctl start kresd@1.service +kdig @127.0.0.1 -t ns . +dnssec > root-nameservers-result +cat root-nameservers-result +head -n1 < root-nameservers-result | grep -q '^;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: ' diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..240f2ff --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,9 @@ +Tests: baseline +Depends: + knot-dnsutils, + knot-resolver, + systemd, + @, +Restrictions: + isolation-container, + needs-root, |