artulab
projects / openbsd / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6d453ff)
Add 2024 root zone trust-anchor, it is expected to be used in 2026.
authorflorian <florian@openbsd.org>
Fri, 9 Aug 2024 19:43:26 +0000 (19:43 +0000)
committerflorian <florian@openbsd.org>
Fri, 9 Aug 2024 19:43:26 +0000 (19:43 +0000)
The trust-anchor was copied from the upcoming unbound(8) release and
verified against https://www.iana.org/reports/2024/root-ksk-2024.pdf

While here switch the 2017 trust-anchor from DNSKEY to DS to use the
same record type as for the 2024 trust-anchor. They are functionally
equivalent. It was verified against
https://www.iana.org/reports/2017/root-ksk-2017.pdf
As well as with run-time testing, i.e. unwind would still perform
DNSSEC validation.

checked pdfs & OK phessler

sbin/unwind/frontend.c patch | blob | history
sbin/unwind/unwind.h patch | blob | history

diff --git a/sbin/unwind/frontend.c b/sbin/unwind/frontend.c
index ccbc977..b10f9e3 100644 (file)
--- a/sbin/unwind/frontend.c
+++ b/sbin/unwind/frontend.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: frontend.c,v 1.81 2024/05/21 05:00:48 jsg Exp $       */
+/*     $OpenBSD: frontend.c,v 1.82 2024/08/09 19:43:26 florian Exp $   */
 
 /*
  * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -260,6 +260,7 @@ frontend(int debug, int verbose)
        TAILQ_INIT(&new_trust_anchors);
 
        add_new_ta(&trust_anchors, KSK2017);
+       add_new_ta(&trust_anchors, KSK2024);
 
        event_dispatch();
 
diff --git a/sbin/unwind/unwind.h b/sbin/unwind/unwind.h
index f21baf7..c5e29f8 100644 (file)
--- a/sbin/unwind/unwind.h
+++ b/sbin/unwind/unwind.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: unwind.h,v 1.56 2021/08/31 20:18:03 kn Exp $  */
+/*     $OpenBSD: unwind.h,v 1.57 2024/08/09 19:43:26 florian Exp $     */
 
 /*
  * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
@@ -40,7 +40,8 @@
 #define OPT_NOACTION   0x00000008
 
 #define        ROOT_DNSKEY_TTL 172800  /* TTL from authority */
-#define        KSK2017         ".      172800  IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
+#define        KSK2017         ".      IN      DS      20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
+#define        KSK2024         ".      IN      DS      38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16"
 
 #define        IMSG_DATA_SIZE(imsg)    ((imsg).hdr.len - IMSG_HEADER_SIZE)
 
OpenBSD src
by Ahmet Artu Yildirim