From: Florian Obser Subject: add KSK2024 trust-anchor to unwind To: tech Date: Thu, 08 Aug 2024 17:27:59 -0700 I've c&p the trust anchor out of the unbound pre-release and verified it against https://www.iana.org/reports/2024/root-ksk-2024.pdf While here switch the 2017 trust-anchor to the DS version for symmetry reasons. It's functionally equivalent. It can be verified against https://www.iana.org/reports/2017/root-ksk-2017.pdf Alternatively, since the 2017 KSK is in use one can delete /var/db/unwind.key, restart unwind(8) and observe that it fetches and validates a new trust anchor and stores it in /var/db/unwind.key, but this only works for the 2017 KSK. OK? diff --git frontend.c frontend.c index ccbc977eb73..91a9ff1f008 100644 --- frontend.c +++ frontend.c @@ -260,6 +260,7 @@ frontend(int debug, int verbose) TAILQ_INIT(&new_trust_anchors); add_new_ta(&trust_anchors, KSK2017); + add_new_ta(&trust_anchors, KSK2024); event_dispatch(); diff --git unwind.h unwind.h index f21baf72970..43e4dbb8ea4 100644 --- unwind.h +++ unwind.h @@ -40,7 +40,8 @@ #define OPT_NOACTION 0x00000008 #define ROOT_DNSKEY_TTL 172800 /* TTL from authority */ -#define KSK2017 ". 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=" +#define KSK2017 ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" +#define KSK2024 ". IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16" #define IMSG_DATA_SIZE(imsg) ((imsg).hdr.len - IMSG_HEADER_SIZE) -- In my defence, I have been left unsupervised.
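Review bot: the added add_new_ta(&trust_anchors, KSK2024) call in frontend() sits next to the KSK2017 one with no comment saying why two built-in anchors are loaded or when the 2017 one can be dropped. A one-line comment above the pair would help whoever removes KSK2017 after the rollover. The commit message also says the delete-/var/db/unwind.key test only works for the 2017 KSK, so the KSK2024 entry rests on the manual comparison with the IANA report; noting that next to the call would make it explicit.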
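Review bot: the replacement KSK2017 string and the new KSK2024 string in unwind.h drop the TTL that the old string carried (". 172800 IN DNSKEY ..." becomes ". IN DS ..."), while ROOT_DNSKEY_TTL with its "TTL from authority" comment stays defined directly above. Worth confirming that whatever parses the string handed to add_new_ta accepts a record without a TTL, and that ROOT_DNSKEY_TTL and its comment are still accurate now that the built-in anchors are DS rather than DNSKEY records. The two digests are also bare hex constants; a comment on each naming the IANA report it was checked against (the URLs are in the commit message) would let the next reader re-verify them.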
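The "functionally equivalent" claim for the 2017 anchor can be checked offline. The following is an added example, not part of the original message or of unwind(8): it recomputes the key tag (RFC 4034, appendix B) and the SHA-256 DS digest (RFC 4509) from the DNSKEY string the patch removes and compares them with the DS string that replaces it. The function names are this example's own; the KSK2024 DS cannot be checked this way because its DNSKEY does not appear on the page.

```python
import base64
import hashlib
import struct

# DNSKEY fields and public key copied from the removed KSK2017 define.
FLAGS, PROTOCOL, ALGORITHM = 257, 3, 8
KSK2017_PUBKEY_B64 = (
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq"
    "7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI"
    "DdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb"
    "9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTId"
    "sIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qih"
    "ylGa8subX2Nn6UwNR1AkUTV74bU="
)
# DS fields copied from the new KSK2017 define.
DS_KEY_TAG, DS_ALGORITHM, DS_DIGEST_TYPE = 20326, 8, 2
DS_DIGEST = "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D"
ROOT_OWNER_WIRE = b"\x00"  # wire form of the owner name "."


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags, protocol, algorithm, public key."""
    header = struct.pack("!HBB", flags, protocol, algorithm)
    return header + base64.b64decode(pubkey_b64, validate=True)


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest_sha256(owner_wire, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()


def ds_matches_dnskey():
    """True if the DS define describes the same key as the DNSKEY define."""
    rdata = dnskey_rdata(FLAGS, PROTOCOL, ALGORITHM, KSK2017_PUBKEY_B64)
    return (key_tag(rdata) == DS_KEY_TAG
            and ALGORITHM == DS_ALGORITHM
            and DS_DIGEST_TYPE == 2
            and ds_digest_sha256(ROOT_OWNER_WIRE, rdata) == DS_DIGEST)


if __name__ == "__main__":
    print("KSK2017 DS matches removed DNSKEY:", ds_matches_dnskey())
```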