Version in base suite: 2024041801~deb12u1 Base version: dns-root-data_2024041801~deb12u1 Target version: dns-root-data_2024071801~deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/dns-root-data/dns-root-data_2024041801~deb12u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/dns-root-data/dns-root-data_2024071801~deb12u1.dsc /srv/release.debian.org/tmp/qrBv4TCBwe/dns-root-data-2024071801~deb12u1/Kjqmt7v.crt |binary /srv/release.debian.org/tmp/qrBv4TCBwe/dns-root-data-2024071801~deb12u1/Kjqmt7v.csr |binary /srv/release.debian.org/tmp/qrBv4TCBwe/dns-root-data-2024071801~deb12u1/root-anchors.p7s |binary dns-root-data-2024071801~deb12u1/debian/README.Debian | 45 +++ dns-root-data-2024071801~deb12u1/debian/README.source | 9 dns-root-data-2024071801~deb12u1/debian/changelog | 33 ++ dns-root-data-2024071801~deb12u1/debian/clean | 2 dns-root-data-2024071801~deb12u1/debian/control | 8 dns-root-data-2024071801~deb12u1/debian/copyright | 3 dns-root-data-2024071801~deb12u1/debian/dns-root-data.install | 4 dns-root-data-2024071801~deb12u1/debian/rules | 35 -- dns-root-data-2024071801~deb12u1/parse-root-anchors | 145 ++++++++++ dns-root-data-2024071801~deb12u1/parse-root-anchors.sh | 31 -- dns-root-data-2024071801~deb12u1/root-anchors.xml | 38 +- dns-root-data-2024071801~deb12u1/root.key | 1 dns-root-data-2024071801~deb12u1/update-root-anchors.sh | 20 + dns-root-data-2024071801~deb12u1/update-root-hints.sh | 21 + 17 files changed, 307 insertions(+), 88 deletions(-) Binary files /srv/release.debian.org/tmp/Do7E9l4cgS/dns-root-data-2024041801~deb12u1/Kjqmt7v.crt and /srv/release.debian.org/tmp/qrBv4TCBwe/dns-root-data-2024071801~deb12u1/Kjqmt7v.crt differ Binary files /srv/release.debian.org/tmp/Do7E9l4cgS/dns-root-data-2024041801~deb12u1/Kjqmt7v.csr and /srv/release.debian.org/tmp/qrBv4TCBwe/dns-root-data-2024071801~deb12u1/Kjqmt7v.csr differ diff -Nru dns-root-data-2024041801~deb12u1/debian/README.Debian 
dns-root-data-2024071801~deb12u1/debian/README.Debian --- dns-root-data-2024041801~deb12u1/debian/README.Debian 1970-01-01 00:00:00.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/README.Debian 2025-01-08 00:08:28.000000000 +0000 
@@ -0,0 +1,45 @@ +# Purpose + +This package contains some data needed by recursive DNS resolvers to use +the global DNS infrastructure: +- root.hints: the IP addresses of the root name servers +- root.key: the root zone DNSSEC trust anchor(s) as DNSKEY records +- root.ds: the root zone DNSSEC trust anchor(s) as DS records + +# Freshness + +While this data should be kept current, and this package will do so on +supported Debian releases, it is usually not critical if it is not. + +Resolvers continuously refresh the root name servers list, ensuring +functionality as long as some IPs in root.hints remain valid. Given that +these IPs change rarely, the possibility of all becoming outdated is not +a major concern. +As long a resolver was initially installed when one of the trust anchors +in this package was valid, it can securely fetch future trust anchors +using the RFC 5011 mechanism. + +# Upgrades + +The package will be backported as needed to supported Debian releases +and becomes automatically available with other system updates. + +The current binary package can also be manually installed on unsupported +Debian releases, since it does not depend on any other package. + +# The source package + +The dns-root-data source package contains: +- the root zone DNSSEC trust anchors (root-anchors.xml), downloaded from + https://data.iana.org/root-anchors/ and verified using an ICANN public + key (icannbundle.pem) +- the root hints file (root.hints), downloaded from + https://www.iana.org/domains/root/files and verified using a Verisign + public key (registry-admin.key) + +When the binary package is built, these files are verified again and +then the DS and DNSKEY resource records for the root zone Key Signing +Key are extracted from root-anchors.xml. + +The data in the source package can be updated by the maintainer by using +the get_orig_source target of debian/rules. 
diff -Nru dns-root-data-2024041801~deb12u1/debian/README.source dns-root-data-2024071801~deb12u1/debian/README.source --- dns-root-data-2024041801~deb12u1/debian/README.source 2024-05-21 07:09:54.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/README.source 1970-01-01 00:00:00.000000000 +0000 @@ -1,9 +0,0 @@ -dns-root-data for Debian ------------------------- - - The source files for this package were created by downloading IANA - DNSSEC root-anchor data from https://data.iana.org/root-anchors/ and - zone hints from https://www.iana.org/domains/root/files . Please - also take a look at get_orig_source in debian/rules. - - -- Daniel Kahn Gillmor , Wed, 31 Jan 2018 22:40:30 -0500 diff -Nru dns-root-data-2024041801~deb12u1/debian/changelog dns-root-data-2024071801~deb12u1/debian/changelog --- dns-root-data-2024041801~deb12u1/debian/changelog 2024-05-30 12:02:49.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/changelog 2025-01-08 00:09:06.000000000 +0000 
@@ -1,3 +1,36 @@ +dns-root-data (2024071801~deb12u1) bookworm; urgency=medium + + * Rebuild for bookworm. + + -- Marco d'Itri Wed, 08 Jan 2025 01:09:06 +0100 + +dns-root-data (2024071801) unstable; urgency=medium + + * Actually add the DNSKEY record for KSK-2024, which was not distributed + in release 2024071800 because it is not yet published in the root zone. + * Replace the parser of the root-anchors.xml file with a new one which + follows RFC 7958bis and will output all valid and not expired DS and + DNSKEY records, no matter if they are currently published in the root + zone or not. + * Document the package in README.Debian. (Closes: #995890) + + -- Marco d'Itri Sun, 17 Nov 2024 21:57:17 +0100 + +dns-root-data (2024071800) unstable; urgency=medium + + * Update root-anchors.xml and its signature to add the new KSK-2024. + (Closes: #1076995) + + -- Marco d'Itri Thu, 07 Nov 2024 22:51:09 +0100 + +dns-root-data (2024041802) unstable; urgency=medium + + * Stop installing root.hints.sig, since no package actually uses the file. + * Stop the package from FTBFS in the periods between when root-anchors.xml + is updated and the new root KSK is actually published in the DNS. + + -- Marco d'Itri Sun, 18 Aug 2024 02:18:32 +0200 + dns-root-data (2024041801~deb12u1) bookworm; urgency=medium * Rebuild for bookworm. (Closes: #1072035) diff -Nru dns-root-data-2024041801~deb12u1/debian/clean dns-root-data-2024071801~deb12u1/debian/clean --- dns-root-data-2024041801~deb12u1/debian/clean 1970-01-01 00:00:00.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/clean 2025-01-08 00:08:28.000000000 +0000 @@ -0,0 +1,2 @@ +root.ds +root.key diff -Nru dns-root-data-2024041801~deb12u1/debian/control dns-root-data-2024071801~deb12u1/debian/control --- dns-root-data-2024041801~deb12u1/debian/control 2024-05-21 14:25:42.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/control 2025-01-08 00:08:28.000000000 +0000 
@@ -10,10 +10,12 @@ Build-Depends: debhelper-compat (= 13), gpgv, - ldnsutils, + libdatetime-format-rfc3339-perl, + libdatetime-perl, + libnet-dns-perl, + libpath-tiny-perl, + libxml-libxml-perl, openssl, - unbound-anchor, - xml2, Standards-Version: 4.7.0.0 Homepage: https://data.iana.org/root-anchors/ Vcs-Git: https://salsa.debian.org/dns-team/dns-root-data.git diff -Nru dns-root-data-2024041801~deb12u1/debian/copyright dns-root-data-2024071801~deb12u1/debian/copyright --- dns-root-data-2024041801~deb12u1/debian/copyright 2024-05-21 07:09:54.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/copyright 2025-01-08 00:08:28.000000000 +0000 @@ -3,7 +3,7 @@ Source: https://www.iana.org/domains/root/files Files: * -Copyright: Copyright (c) 2010-2023 Internet Corporation For Assigned Names and Numbers +Copyright: not asserted License: ICANN-Public ICANN asserts no property rights to any of the IANA registries or public keys we maintain. You are free to redistribute the IANA @@ -15,6 +15,7 @@ Files: debian/* Copyright: 2014 Ondřej Surý , 2018-2023 Daniel Kahn Gillmor + 2024 Marco d'Itri License: Expat License: Expat diff -Nru dns-root-data-2024041801~deb12u1/debian/dns-root-data.install dns-root-data-2024071801~deb12u1/debian/dns-root-data.install --- dns-root-data-2024041801~deb12u1/debian/dns-root-data.install 2024-05-21 07:09:54.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/dns-root-data.install 2025-01-08 00:08:28.000000000 +0000 @@ -1 +1,3 @@ -root.* /usr/share/dns/ +root.hints /usr/share/dns/ +root.key /usr/share/dns/ +root.ds /usr/share/dns/ diff -Nru dns-root-data-2024041801~deb12u1/debian/rules dns-root-data-2024071801~deb12u1/debian/rules --- dns-root-data-2024041801~deb12u1/debian/rules 2024-05-21 07:09:54.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/debian/rules 2025-01-08 00:08:28.000000000 +0000 
@@ -7,38 +7,17 @@ %: dh $@ -override_dh_auto_configure override_dh_auto_install: - : - override_dh_auto_build: # Verify root-anchors.xml using OpenSSL - openssl smime -verify -noverify -inform DER -in root-anchors.p7s -content root-anchors.xml + openssl smime -verify -CAfile icannbundle.pem -inform DER -in root-anchors.p7s -content root-anchors.xml -out /dev/null # Verify root.hints - gpgv --keyring $(CURDIR)/registry-admin.key $(CURDIR)/root.hints.sig $(CURDIR)/root.hints - - # Create key from validated root-anchors.xml - ./parse-root-anchors.sh < root-anchors.xml | sort -k 4 -n > root-anchors.ds - - # Create key from downloaded root.key - /usr/bin/ldns-key2ds -n -2 root.key | cut --fields=1,3- --output-delimiter=' ' | sort -k 4 -n > root.ds + gpgv --keyring `pwd`/registry-admin.key root.hints.sig root.hints - # Compare the DS from root.key and from root-anchors.xml - diff -u root-anchors.ds root.ds - -override_dh_auto_clean: - rm -f root-anchors.ds root.ds + # Create the DNS and DNSKEY records from the validated root-anchors.xml + ./parse-root-anchors get_orig_source: - # Create root.key and root.hints using wget and unbound-anchor - # This needs Internet connection - /usr/sbin/unbound-anchor \ - -a $(CURDIR)/root-auto.key \ - -c $(CURDIR)/icannbundle.pem || echo "Check the root-auto.key" - < $(CURDIR)/root-auto.key grep -Ev "^($$|;)" | sed -e 's/ ;;count=.*//' > $(CURDIR)/root.key - rm $(CURDIR)/root-auto.key - wget -O $(CURDIR)/root.hints "https://www.internic.net/domain/named.root" - wget -O $(CURDIR)/root.hints.sig "https://www.internic.net/domain/named.root.sig" - # get root-anchors.xml and root-anchors.p7s as well - wget -O $(CURDIR)/root-anchors.xml 'https://data.iana.org/root-anchors/root-anchors.xml' - wget -O $(CURDIR)/root-anchors.p7s 'https://data.iana.org/root-anchors/root-anchors.p7s' + ./update-root-hints.sh + ./update-root-anchors.sh + diff -Nru dns-root-data-2024041801~deb12u1/parse-root-anchors dns-root-data-2024071801~deb12u1/parse-root-anchors 
--- dns-root-data-2024041801~deb12u1/parse-root-anchors 1970-01-01 00:00:00.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/parse-root-anchors 2025-01-08 00:08:28.000000000 +0000 
@@ -0,0 +1,145 @@ +#!/usr/bin/perl +# vim: shiftwidth=4 tabstop=4 +# +# This program implements the procedure defined in RFC 7958bis to update the +# root zone DNSSEC trust anchors. +# +# https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7958bis/ + +use v5.32; +use warnings; + +use XML::LibXML; +use DateTime; +use DateTime::Format::RFC3339; +use Net::DNS; +use Path::Tiny; + +############################################################################## +sub parse_root_anchors { + my ($file) = @_; + + my $now = DateTime->now; + my $format = DateTime::Format::RFC3339->new; + + my $dom = XML::LibXML->load_xml(location => $file); + + # check the basic XML structure of the file + my ($zone) = $dom->findnodes('/TrustAnchor/Zone') + or die " node not found!\n"; + my $zone_value = $zone->to_literal or die; + die "These hints are not for the root zone!\n" if not $zone_value eq '.'; + + # parse each anchor + my (@dnskey, @ds); + foreach my $key ($dom->findnodes('/TrustAnchor/KeyDigest')) { + my $id = $key->{id} or die 'No key id'; + my $tag = $key->findvalue('./KeyTag') or die 'No key tag'; + + my $valid_until = $key->{validUntil}; + if (defined $valid_until) { + $valid_until = $format->parse_datetime($valid_until); + + if (DateTime->compare($valid_until, $now) <= 0) { + say "Key $tag ignored: it expired on $valid_until."; + next; + } + } + my $valid_from = $key->{validFrom}; + if (defined $valid_from) { + $valid_from = $format->parse_datetime($valid_from); + say "Key $tag is or will be valid from $valid_from."; + } else { + say "Key $tag has no initial validity date defined."; + } + + my $new_ds = Net::DNS::RR->new( + owner => '.', + type => 'DS', + keytag => $tag, + algorithm => $key->findvalue('./Algorithm'), + digtype => $key->findvalue('./DigestType'), + digest => $key->findvalue('./Digest') + ); + push(@ds, $new_ds); + + my $publickey = $key->findvalue('./PublicKey') or next; + my $new_dnskey = Net::DNS::RR->new( + owner => '.', + type => 'DNSKEY', + keytag => $tag, 
+ algorithm => $key->findvalue('./Algorithm'), + flags => $key->findvalue('./Flags'), + key => $publickey, + ); + compare_key_ds($new_dnskey, $new_ds); + push(@dnskey, $new_dnskey); + } + + return { + dnskey => \@dnskey, + ds => \@ds, + }; +} + +############################################################################## +# Make sure that the DS record matches the DNSKEY record, as required by +# RFC 7958bis section 4.1.2. +sub compare_key_ds { + my ($key, $ds) = @_; + + # create a DS record computed from the key in the DNSKEY record + my $dsk = Net::DNS::RR::DS->create( + $key, + digtype => $ds->digtype, + ); + + # and check they it matches the anchor DS record + if ($ds->algorithm ne $dsk->algorithm or $ds->digest ne $dsk->digest) { + say 'The DS record in the root anchors file:'; + $ds->print; + say "\ndoes not match the DS record computed from the key in the" + . " root anchors file:"; + $dsk->print; + die; + } + + return 1; +} + +############################################################################## +sub write_ds { + my ($file, $data) = @_; + + my $out = path($file); + my @lines = map { + join(' ', $_->{owner}->string, $_->class, $_->type, + $_->keytag, $_->algorithm, $_->digtype, uc $_->digest) + . "\n" + } @$data; + $out->spew(@lines); + return; +} + +sub write_dnskey { + my ($file, $data) = @_; + + my $out = path($file); + my @lines = map { + join(' ', $_->{owner}->string, $_->class, $_->type, + $_->flags, $_->protocol, $_->algorithm, $_->key) + . " ; keytag " . $_->keytag . 
"\n" + } @$data; + $out->spew(@lines); + return; +} + +############################################################################## +my $data = parse_root_anchors('root-anchors.xml'); + +die 'No DNSKEY records found' if not @{ $data->{dnskey} }; +die 'No DS records found' if not @{ $data->{ds} }; + +write_ds('root.ds', $data->{ds}); +write_dnskey('root.key', $data->{dnskey}); + diff -Nru dns-root-data-2024041801~deb12u1/parse-root-anchors.sh dns-root-data-2024071801~deb12u1/parse-root-anchors.sh --- dns-root-data-2024041801~deb12u1/parse-root-anchors.sh 2024-05-21 07:09:54.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/parse-root-anchors.sh 1970-01-01 00:00:00.000000000 +0000 
@@ -1,31 +0,0 @@ -#!/bin/sh - -unset ZONE KTAG ALGO DTYPE DIGEST EXPIRES BEGINS - -export IFS="=" -xml2 | while read -r KEY VAL; do - case "$KEY" in - "/TrustAnchor/Zone") ZONE="$VAL";; - "/TrustAnchor/KeyDigest/KeyTag") KTAG="$VAL";; - "/TrustAnchor/KeyDigest/Algorithm") ALGO="$VAL";; - "/TrustAnchor/KeyDigest/DigestType") DTYPE="$VAL";; - "/TrustAnchor/KeyDigest/@validUntil") EXPIRES="$VAL";; - "/TrustAnchor/KeyDigest/@validFrom") BEGINS="$VAL";; - "/TrustAnchor/KeyDigest/Digest") - DIGEST="$(echo "$VAL" | tr "[:upper:]" "[:lower:]")" - if [ -z "$ZONE" ] || [ -z "$KTAG" ] || [ -z "$ALGO" ] || [ -z "$DTYPE" ]; then - echo "Missing some KeyDigest parameter" - exit 1 - fi - if [ -n "$EXPIRES" ] && [ "$(date +%s -d "$EXPIRES")" -lt "$(date +%s)" ]; then - printf 'Digest %s expired on %s\n' "$DIGEST" "$EXPIRES" >&2 - elif [ -n "$BEGINS" ] && [ "$(date +%s -d "$BEGINS")" -gt "$(date +%s)" ]; then - printf 'Digest %s will not be valid until %s\n' "$DIGEST" "$BEGINS" >&2 - else - printf "%s IN DS %s %s %s %s\n" "$ZONE" "$KTAG" "$ALGO" "$DTYPE" "$DIGEST" - fi - unset KTAG ALGO DTYPE DIGEST EXPIRES BEGINS - ;; - esac -done -exit 0 Binary files /srv/release.debian.org/tmp/Do7E9l4cgS/dns-root-data-2024041801~deb12u1/root-anchors.p7s and /srv/release.debian.org/tmp/qrBv4TCBwe/dns-root-data-2024071801~deb12u1/root-anchors.p7s differ diff -Nru dns-root-data-2024041801~deb12u1/root-anchors.xml dns-root-data-2024071801~deb12u1/root-anchors.xml --- dns-root-data-2024041801~deb12u1/root-anchors.xml 2018-12-19 22:03:21.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/root-anchors.xml 2025-01-08 00:08:28.000000000 +0000 
@@ -1,16 +1,26 @@ - -. - -19036 -8 -2 -49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 - - -20326 -8 -2 -E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D - + + . + + 19036 + 8 + 2 + 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 + + + 20326 + 8 + 2 + E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D + AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= + 257 + + + 38696 + 8 + 2 + 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16 + AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= + 257 + diff -Nru dns-root-data-2024041801~deb12u1/root.key dns-root-data-2024071801~deb12u1/root.key --- dns-root-data-2024041801~deb12u1/root.key 2024-05-21 07:34:15.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/root.key 1970-01-01 00:00:00.000000000 +0000 
@@ -1 +0,0 @@ -. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] diff -Nru dns-root-data-2024041801~deb12u1/update-root-anchors.sh dns-root-data-2024071801~deb12u1/update-root-anchors.sh --- dns-root-data-2024041801~deb12u1/update-root-anchors.sh 1970-01-01 00:00:00.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/update-root-anchors.sh 2025-01-08 00:08:28.000000000 +0000 @@ -0,0 +1,20 @@ +#!/bin/sh -e +# This data is documented at . + +wget -O root-anchors.xml.NEW https://data.iana.org/root-anchors/root-anchors.xml + +if diff -u root-anchors.xml root-anchors.xml.NEW; then + echo "root-anchors.xml has NOT changed." + rm root-anchors.xml.NEW + exit +fi + +echo "root-anchors.xml has changed." + +wget -O root-anchors.p7s.NEW https://data.iana.org/root-anchors/root-anchors.p7s + +openssl smime -verify -CAfile icannbundle.pem -inform DER -in root-anchors.p7s -content root-anchors.xml -out /dev/null + +mv root-anchors.xml.NEW root-anchors.xml +mv root-anchors.p7s.NEW root-anchors.p7s + diff -Nru dns-root-data-2024041801~deb12u1/update-root-hints.sh dns-root-data-2024071801~deb12u1/update-root-hints.sh --- dns-root-data-2024041801~deb12u1/update-root-hints.sh 1970-01-01 00:00:00.000000000 +0000 +++ dns-root-data-2024071801~deb12u1/update-root-hints.sh 2025-01-08 00:08:28.000000000 +0000 
@@ -0,0 +1,21 @@ +#!/bin/sh -e +# This data is documented at . + +wget -O root.hints.NEW https://www.internic.net/domain/named.root + +# ignore the update date, which changes daily +if diff -u --ignore-matching-lines='^;[[:space:]]*\(last update\|related version of root zone\):' root.hints root.hints.NEW; then + echo "root.hints has NOT changed." + rm root.hints.NEW + exit +fi + +echo "root.hints has changed." + +wget -O root.hints.sig.NEW https://www.internic.net/domain/named.root.sig + +gpgv --keyring $(pwd)/registry-admin.key root.hints.sig.NEW root.hints.NEW + +mv root.hints.NEW root.hints +mv root.hints.sig.NEW root.hints.sig +
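Review bot: In update-root-anchors.sh the signature check runs against the files already in the tree, not the ones just downloaded: `openssl smime -verify ... -in root-anchors.p7s -content root-anchors.xml` names the old pair, and the following `mv root-anchors.xml.NEW root-anchors.xml` then installs the new pair unverified. Point the check at `root-anchors.p7s.NEW` and `root-anchors.xml.NEW`, the way update-root-hints.sh passes `root.hints.sig.NEW root.hints.NEW` to gpgv, so that a bad download fails here under `sh -e` rather than only at the next package build.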
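Review bot: In parse-root-anchors, compare_key_ds() tests only `$ds->algorithm ne $dsk->algorithm or $ds->digest ne $dsk->digest`, so a KeyTag element that disagrees with the PublicKey in the same KeyDigest is not caught, and the DS line written by write_ds() carries the tag taken from the XML. Consider also comparing `$ds->keytag` with `$dsk->keytag` and dying on a mismatch. Two smaller points in the same file: the comment "and check they it matches the anchor DS record" has a typo, and the bare `die;` at the end of the mismatch branch would be easier to spot in a build log with a one-line message of its own.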
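Review bot: In debian/rules the new comment above `./parse-root-anchors` reads "Create the DNS and DNSKEY records", which should say "DS and DNSKEY" to match what the parser writes (root.ds and root.key). Since this hunk also replaces `-noverify` with `-CAfile icannbundle.pem`, the comment "Verify root-anchors.xml using OpenSSL" could say that the signer's certificate chain is now checked against the ICANN bundle, as that is the substantive change on this line.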
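Review bot: In debian/README.Debian, under "Freshness", "As long a resolver was initially installed" is missing a word and should read "As long as a resolver was initially installed". Under "The source package", icannbundle.pem is described as "an ICANN public key", while debian/rules passes it to openssl as `-CAfile icannbundle.pem`; calling it a certificate bundle would match how it is used.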
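Review bot: In update-root-hints.sh the keyring path in `gpgv --keyring $(pwd)/registry-admin.key ...` is unquoted, so the command breaks when the source tree lives in a directory whose name contains whitespace; write it as `"$(pwd)/registry-admin.key"`. Also note that when gpgv fails, `sh -e` exits with root.hints.NEW and root.hints.sig.NEW left in the tree, and debian/clean lists only root.ds and root.key, so either remove the .NEW files on failure or add them to debian/clean.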