From 3954d4ec30bb4708d50efee1368611e7f73b8c4b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 19 Mar 2019 10:32:42 +1100
Subject: [PATCH] Remove revoked root DNSKEY from bind.keys.

(cherry picked from commit 0e805b58e8d05d951eac9cf6afa90416bd223ec0)
---
 CHANGES | 2 ++
 bind.keys | 36 ++++++++-------------------
 bind.keys.h | 72 ++++++++++++++++-------------------------------------
 3 files changed, 35 insertions(+), 75 deletions(-)

diff --git a/CHANGES b/CHANGES
index f2f5d91a1c..74a8d0c5ba 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]
+
 5187. [test] Set time zone before running any tests in dnstap_test. [GL #940]
diff --git a/bind.keys b/bind.keys
index c468c972e6..c176f18a2c 100644
--- a/bind.keys
+++ b/bind.keys
@@ -5,7 +5,7 @@
 # recognized or used by named.
 #
 # To use the built-in root key, set "dnssec-validation auto;" in the
-# named.conf options or else leave "dnssec-validation" unset. If
+# named.conf options, or else leave "dnssec-validation" unset. If
 # "dnssec-validation" is set to "yes", then the keys in this file are
 # ignored; keys will need to be explicitly configured in named.conf for
 # validation to work. "auto" is the default setting, unless named is
@@ -14,34 +14,20 @@
 #
 # This file is NOT expected to be user-configured.
 #
-# These keys are current as of May 2018. If any key fails to
-# initialize correctly, it may have expired. In that event you should
-# replace this file with a current version. The latest version of
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+# Servers being set up for the first time can use the contents of this file
+# as initializing keys; thereafter, the keys in the managed key database
+# will be trusted and maintained automatically.
 #
-# See https://data.iana.org/root-anchors/root-anchors.xml
-# for current trust anchor information for the root zone.
+# These keys are current as of Mar 2019. If any key fails to initialize
+# correctly, it may have expired. In that event you should replace this
+# file with a current version. The latest version of bind.keys can always
+# be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
+# anchor information for the root zone.
 managed-keys {
- # This key (19036) is to be phased out starting in 2017. It will
- # remain in the root zone for some time after its successor key
- # has been added. It will remain this file until it is removed from
- # the root zone.
- . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
- QxA+Uk1ihz0=";
-
 # This key (20326) was published in the root zone in 2017.
- # Servers which were already using the old key (19036) should
- # roll seamlessly to this new one via RFC 5011 rollover. Servers
- # being set up for the first time can use the contents of this
- # file as initializing keys; thereafter, the keys in the
- # managed key database will be trusted and maintained
- # automatically.
 . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
diff --git a/bind.keys.h b/bind.keys.h
index 8e94793a95..ec2d0e9233 100644
--- a/bind.keys.h
+++ b/bind.keys.h
@@ -8,7 +8,7 @@
 # recognized or used by named.\n\
 #\n\
 # To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
-# named.conf options or else leave \"dnssec-validation\" unset. If\n\
+# named.conf options, or else leave \"dnssec-validation\" unset. If\n\
 # \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
 # ignored; keys will need to be explicitly configured in named.conf for\n\
 # validation to work. \"auto\" is the default setting, unless named is\n\
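Review bot: The only comment left on the 20326 key, `# This key (20326) was published in the root zone in 2017.`, no longer says why it is now alone in the managed-keys block, and the RFC 5011 guidance that was removed together with 19036 is not replaced by anything. Suggest extending it, e.g. `# This key (20326) was published in the root zone in 2017. Its predecessor (19036) has been revoked and is no longer listed here.` The new header text states that this file only seeds a fresh managed-keys database, so servers that still hold 19036 in an existing database, or that configure keys explicitly because dnssec-validation is set to yes, are not changed by this commit; one sentence next to the key saying that the removal does not propagate to such installations would stop operators from reading more into it. The same kept comment line appears in both bind.keys.h hunks, where the wording would need the same treatment.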
@@ -17,34 +17,20 @@
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of May 2018. If any key fails to\n\
-# initialize correctly, it may have expired. In that event you should\n\
-# replace this file with a current version. The latest version of\n\
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+# Servers being set up for the first time can use the contents of this file\n\
+# as initializing keys; thereafter, the keys in the managed key database\n\
+# will be trusted and maintained automatically.\n\
 #\n\
-# See https://data.iana.org/root-anchors/root-anchors.xml\n\
-# for current trust anchor information for the root zone.\n\
+# These keys are current as of Mar 2019. If any key fails to initialize\n\
+# correctly, it may have expired. In that event you should replace this\n\
+# file with a current version. The latest version of bind.keys can always\n\
+# be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
+# anchor information for the root zone.\n\
 \n\
 trusted-keys {\n\
- # This key (19036) is to be phased out starting in 2017. It will\n\
- # remain in the root zone for some time after its successor key\n\
- # has been added. It will remain this file until it is removed from\n\
- # the root zone.\n\
- . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
- QxA+Uk1ihz0=\";\n\
-\n\
 # This key (20326) was published in the root zone in 2017.\n\
- # Servers which were already using the old key (19036) should\n\
- # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
- # being set up for the first time can use the contents of this\n\
- # file as initializing keys; thereafter, the keys in the\n\
- # managed key database will be trusted and maintained\n\
- # automatically.\n\
 . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
@@ -63,7 +49,7 @@ trusted-keys {\n\
 # recognized or used by named.\n\
 #\n\
 # To use the built-in root key, set \"dnssec-validation auto;\" in the\n\
-# named.conf options or else leave \"dnssec-validation\" unset. If\n\
+# named.conf options, or else leave \"dnssec-validation\" unset. If\n\
 # \"dnssec-validation\" is set to \"yes\", then the keys in this file are\n\
 # ignored; keys will need to be explicitly configured in named.conf for\n\
 # validation to work. \"auto\" is the default setting, unless named is\n\
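Review bot: bind.keys.h carries the bind.keys text twice as a C string literal (the `trusted-keys` variant in this hunk and a `managed-keys` variant further down), and the commit edits all three copies by hand. If the header is produced from bind.keys by a build step, which the patch does not show, regenerating it would be the safer change because the copies cannot then drift; if it is not, a test that compares the embedded strings with bind.keys would catch the next divergence. The `trusted-keys` block is also left with no comment on what distinguishes it from the managed-keys copy, namely that keys in a trusted-keys statement are static and are not rolled or withdrawn by RFC 5011; a line such as `# Keys in a trusted-keys statement are static: a key revoked in the root zone must be removed here by hand.` placed before the remaining key would make that explicit. The comma-only second hunk of this file needs nothing further.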
@@ -72,34 +58,20 @@ trusted-keys {\n\
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of May 2018. If any key fails to\n\
-# initialize correctly, it may have expired. In that event you should\n\
-# replace this file with a current version. The latest version of\n\
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+# Servers being set up for the first time can use the contents of this file\n\
+# as initializing keys; thereafter, the keys in the managed key database\n\
+# will be trusted and maintained automatically.\n\
 #\n\
-# See https://data.iana.org/root-anchors/root-anchors.xml\n\
-# for current trust anchor information for the root zone.\n\
+# These keys are current as of Mar 2019. If any key fails to initialize\n\
+# correctly, it may have expired. In that event you should replace this\n\
+# file with a current version. The latest version of bind.keys can always\n\
+# be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
+# anchor information for the root zone.\n\
 \n\
 managed-keys {\n\
- # This key (19036) is to be phased out starting in 2017. It will\n\
- # remain in the root zone for some time after its successor key\n\
- # has been added. It will remain this file until it is removed from\n\
- # the root zone.\n\
- . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
- QxA+Uk1ihz0=\";\n\
-\n\
 # This key (20326) was published in the root zone in 2017.\n\
- # Servers which were already using the old key (19036) should\n\
- # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
- # being set up for the first time can use the contents of this\n\
- # file as initializing keys; thereafter, the keys in the\n\
- # managed key database will be trusted and maintained\n\
- # automatically.\n\
 . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\