From d5c57db1ae822664cb3d0db2c2b8ab2c6bf4381c Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 19 Mar 2019 10:32:42 +1100
Subject: [PATCH] Remove revoked root DNSKEY from bind.keys.

(cherry picked from commit 0e805b58e8d05d951eac9cf6afa90416bd223ec0)
(cherry picked from commit 3954d4ec30bb4708d50efee1368611e7f73b8c4b)
---
 CHANGES | 2 ++
 bind.keys | 34 ++++++++-------------------
 bind.keys.h | 68 ++++++++++++++++-------------------------------
 3 files changed, 32 insertions(+), 72 deletions(-)

diff --git a/CHANGES b/CHANGES
index 92e19c6d4d..aaa8e8dff0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5189. [cleanup] Remove revoked root DNSKEY from bind.keys. [GL #945]
+
 5187. [test] Set time zone before running any tests in dnstap_test. [GL #940]

diff --git a/bind.keys b/bind.keys
index 5e5a32ba9c..8ef2875ad5 100644
--- a/bind.keys
+++ b/bind.keys
@@ -12,34 +12,20 @@
 #
 # This file is NOT expected to be user-configured.
 #
-# These keys are current as of October 2017. If any key fails to
-# initialize correctly, it may have expired. In that event you should
-# replace this file with a current version. The latest version of
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+# Servers being set up for the first time can use the contents of this file
+# as initializing keys; thereafter, the keys in the managed key database
+# will be trusted and maintained automatically.
 #
-# See https://data.iana.org/root-anchors/root-anchors.xml
-# for current trust anchor information for the root zone.
+# These keys are current as of Mar 2019. If any key fails to initialize
+# correctly, it may have expired. In that event you should replace this
+# file with a current version. The latest version of bind.keys can always
+# be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust
+# anchor information for the root zone.

 managed-keys {
- # This key (19036) is to be phased out starting in 2017. It will
- # remain in the root zone for some time after its successor key
- # has been added. It will remain this file until it is removed from
- # the root zone.
- . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
- QxA+Uk1ihz0=";
-
 # This key (20326) was published in the root zone in 2017.
- # Servers which were already using the old key (19036) should
- # roll seamlessly to this new one via RFC 5011 rollover. Servers
- # being set up for the first time can use the contents of this
- # file as initializing keys; thereafter, the keys in the
- # managed key database will be trusted and maintained
- # automatically.
 . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
diff --git a/bind.keys.h b/bind.keys.h
index 746dfa289d..d2cbad9ec1 100644
--- a/bind.keys.h
+++ b/bind.keys.h
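Review bot: With key 19036 gone, the only comment left on the surviving anchor, `# This key (20326) was published in the root zone in 2017.`, no longer tells a reader why the previous KSK is absent or that 20326 is the sole anchor expected in this file, so an operator diffing against an older bind.keys has nothing in the file itself to go on. Suggest extending it to `# This key (20326) was published in the root zone in 2017. Its predecessor` / `# (19036) has been revoked and is therefore no longer listed here.`, which is what the commit title records. The same applies to the managed-keys hunk of bind.keys.h at `@@ -68,34 +54,20 @@`. Since the new header states that these `initial-key` entries are used only when a server is set up for the first time, anyone verifying what a running server actually trusts should inspect its managed-keys database rather than this file, and the referenced IANA root-anchors XML remains the place to validate the retained key material.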
@@ -15,34 +15,20 @@
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of October 2017. If any key fails to\n\
-# initialize correctly, it may have expired. In that event you should\n\
-# replace this file with a current version. The latest version of\n\
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+# Servers being set up for the first time can use the contents of this file\n\
+# as initializing keys; thereafter, the keys in the managed key database\n\
+# will be trusted and maintained automatically.\n\
 #\n\
-# See https://data.iana.org/root-anchors/root-anchors.xml\n\
-# for current trust anchor information for the root zone.\n\
+# These keys are current as of Mar 2019. If any key fails to initialize\n\
+# correctly, it may have expired. In that event you should replace this\n\
+# file with a current version. The latest version of bind.keys can always\n\
+# be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
+# anchor information for the root zone.\n\
 \n\
 trusted-keys {\n\
- # This key (19036) is to be phased out starting in 2017. It will\n\
- # remain in the root zone for some time after its successor key\n\
- # has been added. It will remain this file until it is removed from\n\
- # the root zone.\n\
- . 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
- QxA+Uk1ihz0=\";\n\
-\n\
 # This key (20326) was published in the root zone in 2017.\n\
- # Servers which were already using the old key (19036) should\n\
- # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
- # being set up for the first time can use the contents of this\n\
- # file as initializing keys; thereafter, the keys in the\n\
- # managed key database will be trusted and maintained\n\
- # automatically.\n\
 . 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\
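Review bot: The added header lines `+# Servers being set up for the first time can use the contents of this file` through `+# will be trusted and maintained automatically.` sit directly above `trusted-keys {\n\`, but a `trusted-keys` statement configures static anchors that are not updated through RFC 5011, so in this variant the promise of automatic maintenance is inaccurate and could lead an operator to assume a stale anchor will refresh itself. The wording fits the `managed-keys` variant later in this file and in bind.keys; for this block it should instead read `# Keys in a trusted-keys statement are static and are not updated automatically;` / `# replace this file when the root trust anchor changes.`. If bind.keys.h is produced from bind.keys by a generator, the adjustment presumably belongs there rather than in this file.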
@@ -68,34 +54,20 @@ trusted-keys {\n\
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of October 2017. If any key fails to\n\
-# initialize correctly, it may have expired. In that event you should\n\
-# replace this file with a current version. The latest version of\n\
-# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+# Servers being set up for the first time can use the contents of this file\n\
+# as initializing keys; thereafter, the keys in the managed key database\n\
+# will be trusted and maintained automatically.\n\
 #\n\
-# See https://data.iana.org/root-anchors/root-anchors.xml\n\
-# for current trust anchor information for the root zone.\n\
+# These keys are current as of Mar 2019. If any key fails to initialize\n\
+# correctly, it may have expired. In that event you should replace this\n\
+# file with a current version. The latest version of bind.keys can always\n\
+# be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\
+# anchor information for the root zone.\n\
 \n\
 managed-keys {\n\
- # This key (19036) is to be phased out starting in 2017. It will\n\
- # remain in the root zone for some time after its successor key\n\
- # has been added. It will remain this file until it is removed from\n\
- # the root zone.\n\
- . initial-key 257 3 8 \"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF\n\
- FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX\n\
- bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD\n\
- X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz\n\
- W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS\n\
- Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
- QxA+Uk1ihz0=\";\n\
-\n\
 # This key (20326) was published in the root zone in 2017.\n\
- # Servers which were already using the old key (19036) should\n\
- # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
- # being set up for the first time can use the contents of this\n\
- # file as initializing keys; thereafter, the keys in the\n\
- # managed key database will be trusted and maintained\n\
- # automatically.\n\
 . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\
 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\
 ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\