From 1042786821fc1644445a2e36ebf44b9b54ca0add Mon Sep 17 00:00:00 2001 From: florian Date: Fri, 9 Aug 2024 19:43:26 +0000 Subject: [PATCH] Add 2024 root zone trust-anchor, it is expected to be used in 2026. The trust-anchor was copied from the upcoming unbound(8) release and verified against https://www.iana.org/reports/2024/root-ksk-2024.pdf While here switch the 2017 trust-anchor from DNSKEY to DS to use the same record type as for the 2024 trust-anchor. They are functionally equivalent. It was verified against https://www.iana.org/reports/2017/root-ksk-2017.pdf As well as with run-time testing, i.e. unwind would still perform DNSSEC validation. checked pdfs & OK phessler --- sbin/unwind/frontend.c | 3 ++- sbin/unwind/unwind.h | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/sbin/unwind/frontend.c b/sbin/unwind/frontend.c index ccbc977eb73..b10f9e384e5 100644 --- a/sbin/unwind/frontend.c +++ b/sbin/unwind/frontend.c @@ -1,4 +1,4 @@ -/* $OpenBSD: frontend.c,v 1.81 2024/05/21 05:00:48 jsg Exp $ */ +/* $OpenBSD: frontend.c,v 1.82 2024/08/09 19:43:26 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser @@ -260,6 +260,7 @@ frontend(int debug, int verbose) TAILQ_INIT(&new_trust_anchors); add_new_ta(&trust_anchors, KSK2017); + add_new_ta(&trust_anchors, KSK2024); event_dispatch(); diff --git a/sbin/unwind/unwind.h b/sbin/unwind/unwind.h index f21baf72970..c5e29f84430 100644 --- a/sbin/unwind/unwind.h +++ b/sbin/unwind/unwind.h @@ -1,4 +1,4 @@ -/* $OpenBSD: unwind.h,v 1.56 2021/08/31 20:18:03 kn Exp $ */ +/* $OpenBSD: unwind.h,v 1.57 2024/08/09 19:43:26 florian Exp $ */ /* * Copyright (c) 2018 Florian Obser @@ -40,7 +40,8 @@ #define OPT_NOACTION 0x00000008 #define ROOT_DNSKEY_TTL 172800 /* TTL from authority */ -#define KSK2017 ". 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" +#define KSK2017 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" +#define KSK2024 ". IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16" #define IMSG_DATA_SIZE(imsg) ((imsg).hdr.len - IMSG_HEADER_SIZE) -- 2.20.1