Oracular verification:
root@o-sru:~# apt policy dns-root-data
dns-root-data:
Installed: 2024041801
Candidate: 2024041801
Version table:
2024071801~ubuntu0.24.10.1 100
100 http://archive.ubuntu.com/ubuntu oracular-proposed/main amd64
Packages
*** 2024041801 500
500 http://archive.ubuntu.com/ubuntu oracular/main amd64 Packages
100 /var/lib/dpkg/status
root@o-sru:~# apt install dns-root-data -t oracular-proposed
Upgrading:
dns-root-data
Summary:
Upgrading: 1, Installing: 0, Removing: 0, Not Upgrading: 4
Download size: 5928 B
Space needed: 2048 B / 5166 MB available
Get:1 http://archive.ubuntu.com/ubuntu oracular-proposed/main amd64
dns-root-data all 2024071801~ubuntu0.24.10.1 [5928 B]
Fetched 5928 B in 0s (28.7 kB/s)
(Reading database ... 38336 files and directories currently installed.)
Preparing to unpack .../dns-root-data_2024071801~ubuntu0.24.10.1_all.deb ...
Unpacking dns-root-data (2024071801~ubuntu0.24.10.1) over (2024041801) ...
Setting up dns-root-data (2024071801~ubuntu0.24.10.1) ...
Scanning processes...
Scanning candidates...
Restarting services...
Service restarts being deferred:
/etc/needrestart/restart.d/dbus.service
systemctl restart systemd-logind.service
systemctl restart unattended-upgrades.service
No containers need to be restarted.
User sessions running outdated binaries:
root @ user manager service: systemd[673]
No VM guests are running outdated hypervisor (qemu) binaries on this
host.
$ systemctl restart named; sleep 20s; systemctl status named --lines 80 --no-pager
...
As expected in the log we see:
Feb 10 09:47:07 o-sru named[3007]: all zones loaded
Feb 10 09:47:07 o-sru named[3007]: running
So things are still starting fine
Next we check the content to see if the old keys are still around.
old
root@o-sru:~# cat /usr/share/dns/root.key
. 86400 IN DNSKEY 257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]
root@o-sru:~# cat /usr/share/dns/root.ds
. IN DS 20326 8 2
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
new
root@o-sru:~# cat /usr/share/dns/root.key
. IN DNSKEY 257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; keytag 20326
. IN DNSKEY 257 3 8
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
; keytag 38696
root@o-sru:~# cat /usr/share/dns/root.ds
. IN DS 20326 8 2
E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
. IN DS 38696 8 2
683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
The keys are the same, the metadata changed slightly and all is uppercase now
by the generation being modernized and unified. But that was expected and
should be ok, hence the verification below - and it also matches 1:1 to the
upstream keys as distributed by ICANN.
root@o-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Kmyv6jo']/PublicKey" root-anchors.xml) /usr/share/dns/root.key
. IN DNSKEY 257 3 8
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
; keytag 38696
root@o-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Kmyv6jo']/Digest" root-anchors.xml) /usr/share/dns/root.ds
. IN DS 38696 8 2
683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
root@o-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Klajeyz']/PublicKey" root-anchors.xml) /usr/share/dns/root.key
. IN DNSKEY 257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
; keytag 20326
root@o-sru:~# grep $(xmlstarlet sel -t -v "//KeyDigest[@id='Klajeyz']/Digest" root-anchors.xml) /usr/share/dns/root.ds
. IN DS 20326 8 2
E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
So the package-delivered keys and signature match the current upstream-provided
data, containing the old and new key as it should.
Thereby setting it verified.
** Tags removed: verification-done-noble verification-needed
verification-needed-oracular
** Tags added: verification-done verification-done-oracular
verification-needed-noble
--
https://bugs.launchpad.net/bugs/2086795
Title:
New DNSSEC root trust anchor
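
A complementary check to the grep comparison in the comment above, as an added example (not part of the original bug comment or of the dns-root-data package): it recomputes each key tag (RFC 4034 Appendix B) and SHA-256 DS digest from the shipped DNSKEY lines and compares them, ignoring hex case, with the DS lines. ROOT_KEY and ROOT_DS are copied from the new-version output above; the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Records copied from the new package's root.key / root.ds output shown above.
ROOT_KEY = """\
. IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; keytag 20326
. IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ; keytag 38696
"""
ROOT_DS = """\
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
. IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
"""

def parse_dnskeys(text):
    """Yield the wire-format DNSKEY RDATA for each DNSKEY line."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()    # drop the trailing comment
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")                # tolerates an optional TTL field
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))
        yield struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(rdata, owner_wire=b"\x00"):
    """DS digest type 2: SHA-256 over owner name (root is 0x00) + DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def check_anchors(key_text, ds_text):
    """Return {keytag: bool}: does each DS line match a shipped DNSKEY?"""
    computed = {key_tag(r): ds_sha256(r) for r in parse_dnskeys(key_text)}
    result = {}
    for line in ds_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DS" not in fields:
            continue
        i = fields.index("DS")
        tag, digest_type = int(fields[i + 1]), int(fields[i + 3])
        digest = "".join(fields[i + 4:]).upper()  # hex case is not significant
        result[tag] = digest_type == 2 and computed.get(tag) == digest
    return result

if __name__ == "__main__":
    print(check_anchors(ROOT_KEY, ROOT_DS))
```

A `False` for any key tag means the DS line was not derived from a DNSKEY in the same package, which the textual grep against root-anchors.xml alone would not reveal.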