Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 8 | ||||
-rw-r--r-- | debian/dns-root-data.install | 4 | ||||
-rwxr-xr-x | debian/rules | 38 |
3 files changed, 29 insertions, 21 deletions
diff --git a/debian/changelog b/debian/changelog
index 98e603c..5c737ee 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+dns-root-data (2024041802) unstable; urgency=medium
+
+ * Stop installing root.hints.sig, since no package actually uses the file.
+ * Stop the package from FTBFS in the periods between when root-anchors.xml
+ is updated and the new root KSK is actually published in the DNS.
+
+ -- Marco d'Itri <md@linux.it> Sun, 18 Aug 2024 02:18:32 +0200
+
 dns-root-data (2024041801) unstable; urgency=medium
 
  * Add myself to the Uploaders field, as discussed with Ondřej.
diff --git a/debian/dns-root-data.install b/debian/dns-root-data.install
index c086801..0d84851 100644
--- a/debian/dns-root-data.install
+++ b/debian/dns-root-data.install
@@ -1 +1,3 @@
-root.* /usr/share/dns/
+root.hints /usr/share/dns/
+root.key /usr/share/dns/
+root.ds /usr/share/dns/
diff --git a/debian/rules b/debian/rules
index 778a960..20a8e88 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,33 +12,31 @@ override_dh_auto_configure override_dh_auto_install:
 
 override_dh_auto_build:
  # Verify root-anchors.xml using OpenSSL
- openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml
+ openssl smime -verify -content signed-file -CAfile icannbundle.pem -inform DER -in root-anchors.p7s -content root-anchors.xml -out /dev/null
 
  # Verify root.hints
- gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints
+ gpgv --keyring `pwd`/registry-admin.key root.hints.sig root.hints
 
- # Create key from validated root-anchors.xml
+ # Create the DS records from the validated root-anchors.xml
  ./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds
 
- # Create key from downloaded root.key
- /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds
+ # Create the DS records from the DNSKEY records
+ /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root-dns.ds
 
- # Compare the DS from root.key and from root-anchors.xml
- diff -u root-anchors.ds root.ds
+ # Keep the DS records from root-anchors.xml which had a corresponding
+ # DNSKEY record in the live DNS.
+ comm root-anchors.ds root-dns.ds -12 > root.ds
 
 override_dh_auto_clean:
- rm -f root-anchors.ds root.ds
+ rm -f root-anchors.ds root-dns.ds root.ds
 
 get_orig_source:
- # Create root.key and root.hints using wget and unbound-anchor
- # This needs Internet connection
- /usr/sbin/unbound-anchor \
- -a $(CURDIR)/root-auto.key \
- -c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key"
- < $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key
- rm $(CURDIR)/root-auto.key
- wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root"
- wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig"
- # get root-anchors.xml and root-anchors.p7s as well
- wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml'
- wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s'
+ # Obtain the DNSKEY records from the live DNS
+ /usr/sbin/unbound-anchor -v \
+ -a root-auto.key \
+ || echo "Check the root-auto.key"
+ < root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > root.key
+ rm root-auto.key
+ ./update-root-hints.sh
+ ./update-root-anchors.sh
+
|
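Review bot: The `comm root-anchors.ds root-dns.ds -12 > root.ds` step in override_dh_auto_build replaces a hard failure (`diff -u`) with a filter that cannot fail, so the build now succeeds when root.ds comes out empty or when root.key carries a DNSKEY with no counterpart in the signed root-anchors.xml, and the .install change in this commit still ships root.key unfiltered. The changelog only asks to tolerate anchors that are in the XML but not yet in the DNS, so the opposite direction can stay fatal: add `test -s root.ds` and `test -z "$$(comm -13 root-anchors.ds root-dns.ds)"` after the `comm` line. Both inputs are ordered with `sort -k 4 -n`, while comm expects whole-line collation order; the two orders agree only while the values in field 4 (presumably the key tag) have the same number of digits, so re-sorting both files with `LC_ALL=C sort` before the comparison would be safer. A short comment above the check stating that an unexpected DNS-only key must abort the build would document the trust decision for the next uploader.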