From a605d664bf99553967bc3e24cccd87d067aa666475cbbbc68cf6950842ea38f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Str=C3=B6der?=
Date: Wed, 30 May 2018 14:17:02 +0000
Subject: [PATCH] Accepting request 613074 from home:dstoecker

Hello, some changes to unbound. Add the upcomming trust anchors and make the trust files readable for everyone (I need this for especially for opendkim, which uses unbound library and needs these files). The changes are similar to the ones done for other distributions. Debian also patches the source code to add new keys. I don't like this much, so I only changed the configuration files. This change should have been done last year already. While properly setup systems will follow the rollover without interaction, a new installation of the package should also work AFTER the rollover and this requires the new keys to be in the package already. When accepting the submit request please verify the added key data against the original sources!
- add upcomming key rollover trust anchor
- make trust anchor files world readable - these files are open knowledge and will be used by other software packages
OBS-URL: https://build.opensuse.org/request/show/613074
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=78
---
 dlv.isc.org.key | 3 ++-
 libunbound-devel-mini.spec | 2 +-
 root.anchor | 1 +
 root.key | 4 +++-
 unbound.changes | 7 +++++++
 unbound.spec | 8 ++++----
 6 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/dlv.isc.org.key b/dlv.isc.org.key
index ddac948..ab8ca9c 100644
--- a/dlv.isc.org.key
+++ b/dlv.isc.org.key
@@ -1,2 +1,3 @@
-; https://secure.isc.org/ops/dlv/dlv.isc.org.key
+; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
+; or call: dig dlv.isc.org. dnskey|grep "257 "
 dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh
diff --git a/libunbound-devel-mini.spec b/libunbound-devel-mini.spec
index d7265d9..664741d 100644
--- a/libunbound-devel-mini.spec
+++ b/libunbound-devel-mini.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package libunbound-devel-mini
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
diff --git a/root.anchor b/root.anchor
index 98ca2ff..9b9cea2 100644
--- a/root.anchor
+++ b/root.anchor
@@ -1 +1,2 @@
+. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
 . 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
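Review bot: The added comment `; or call: dig dlv.isc.org. dnskey|grep "257 "` in dlv.isc.org.key offers a plain DNS query as a way to check a trust anchor, which is not an independent check because the answer arrives over the same unauthenticated channel the anchor is meant to protect. I would drop that line or reword it to `; compare against a copy obtained over an authenticated channel; a dig answer alone is not a verification`. The new URL is the same one cited in root.key for the root zone, so the comment should also say which entry in that file corresponds to this record. Separately, as far as I know ISC has wound down the dlv.isc.org registry, so it is worth confirming that shipping this anchor is still intended.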
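Review bot: The new DNSKEY line for key tag 20326 in root.anchor carries no reference to where the key material was taken from, while the commit message itself asks the reviewer to verify the key data against the original sources. For a root trust anchor that check should be reproducible: recompute the key tag and DS digest from this record, compare them with the values IANA publishes for the root zone, and record the result next to the key, e.g. `; source: IANA root trust anchors, key tag 20326, checked <date>`. The base64 here appears to match the copy added to root.key, which rules out a copy error between the two files but not a wrong source.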
diff --git a/root.key b/root.key
index bcc56a8..0a54815 100644
--- a/root.key
+++ b/root.key
@@ -1,6 +1,8 @@
+; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
 ; // The root key in bind format. This can be read by most tools, including
 ; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
+; // first key 19036 (2010), second key 20326 (key-rollover 2017/2018)
 trusted-keys {
 "." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
-
+"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
 };
diff --git a/unbound.changes b/unbound.changes
index 0a6c48b..24014a8 100644
--- a/unbound.changes
+++ b/unbound.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon May 28 16:44:10 UTC 2018 - opensuse@dstoecker.de
+
+- add upcomming key rollover trust anchor
+- make trust anchor files world readable - these files are open
+ knowledge and will be used by other software packages
+
 -------------------------------------------------------------------
 Thu May 3 16:38:07 UTC 2018 - michael@stroeder.com
diff --git a/unbound.spec b/unbound.spec
index e8f505d..39d2355 100644
--- a/unbound.spec
+++ b/unbound.spec
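Review bot: The `trusted-keys` block in root.key is a static list, so key 19036 stays trusted by every consumer of this file until a later package update removes it, including after the old KSK is revoked at the end of the rollover. The added comment line should say so, for example `; // static anchors: drop 19036 once the 2010 KSK is revoked; this file is not maintained by RFC 5011`. The first added line also sits above the existing `; //` header in a different comment style, and `; // source: https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11` would match the lines around it.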
@@ -1,7 +1,7 @@
 #
 # spec file for package unbound
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -420,10 +420,10 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
 %config %{_sysconfdir}/%{name}/icannbundle.pem
 %config %{_sysconfdir}/cron.d/unbound-anchor
 %dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
-%attr(0640,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
-%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
+%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
 # just left for backwards compat with user changed unbound.conf files - format is different!
-%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
+%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
 %{_mandir}/man8/unbound-anchor.8*
 %doc doc/README doc/LICENSE
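Review bot: The 0644 mode on `%{_sharedstatedir}/%{name}/root.key` only helps other packages if the directory above it can be traversed, and the `%dir %attr(-,unbound,unbound)` line leaves that directory's mode to whatever the build produced; if that is 0750, consumers outside the unbound group still cannot open the file. An explicit mode such as `%dir %attr(0755,unbound,unbound) %{_sharedstatedir}/%{name}` would make the intent checkable, if it fits the rest of the package. That root.key is also owned by the unbound user and the package ships `cron.d/unbound-anchor`, so the file is presumably rewritten at runtime, and its mode after a rewrite depends on the writer rather than on `%attr`. Since other software is now meant to rely on these anchors, a spec comment would help, e.g. `# trust anchors are public data: world-readable on purpose, writable only by the owner`. The %files section starts and ends outside this hunk.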