Accepting request 613074 from home:dstoecker

Hello,

some changes to unbound. Add the upcoming trust anchors and make the trust files readable for everyone (I need this especially for opendkim, which uses the unbound library and needs these files).

The changes are similar to the ones done for other distributions. Debian also patches the source code to add new keys. I don't like this much, so I only changed the configuration files.

This change should have been done last year already. While properly setup systems will follow the rollover without interaction, a new installation of the package should also work AFTER the rollover and this requires the new keys to be in the package already.

When accepting the submit request please verify the added key data against the original sources!

- add upcomming key rollover trust anchor
- make trust anchor files world readable - these files are open
  knowledge and will be used by other software packages

OBS-URL: https://build.opensuse.org/request/show/613074
OBS-URL: https://build.opensuse.org/package/show/server:dns/unbound?expand=0&rev=78
Michael Ströder 2018-05-30 14:17:02 +00:00 committed by Git OBS Bridge
parent 7b95b838e1
commit a605d664bf
6 changed files with 18 additions and 7 deletions


@ -1,2 +1,3 @@
; https://secure.isc.org/ops/dlv/dlv.isc.org.key
; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
; or call: dig dlv.isc.org. dnskey|grep "257 "
dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh


@ -1,7 +1,7 @@
#
# spec file for package libunbound-devel-mini
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed


@ -1 +1,2 @@
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
. 98799 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
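Review bot: Both root DNSKEY records are pasted in without any provenance line, so a later maintainer cannot repeat the check that the commit message asks the reviewer to do; the same applies to the bind-format `trusted-keys` file in the following section. The TTL `98799` on the 19036 record is an odd value next to `172800` and looks as if it was copied from a cached resolver answer (inferred), which is a weaker source than the anchor set published by IANA. I would add a leading comment such as `; verified against https://data.iana.org/root-anchors/root-anchors.xml (key tags 19036, 20326)` and record in the changelog entry how the comparison was done.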


@ -1,6 +1,8 @@
; https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
; // The root key in bind format. This can be read by most tools, including
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
; // first key 19036 (2010), second key 20326 (key-rollover 2017/2018)
trusted-keys {
"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // key id = 19036
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
};
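Review bot: The header comment does not say that a `trusted-keys` block is a static anchor, so key 19036 stays trusted from this file until a later package update removes it. The spec section describes this file as a backwards-compat leftover, and it is installed as `%config(noreplace)`, so it is easy to forget. A comment line such as `; // static anchors, not tracked via RFC 5011 - drop 19036 once the rollover has completed` would make that maintenance duty visible. `et.` in the existing comment is presumably meant to be `etc.`.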


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon May 28 16:44:10 UTC 2018 - opensuse@dstoecker.de
- add upcomming key rollover trust anchor
- make trust anchor files world readable - these files are open
knowledge and will be used by other software packages
-------------------------------------------------------------------
Thu May 3 16:38:07 UTC 2018 - michael@stroeder.com


@ -1,7 +1,7 @@
#
# spec file for package unbound
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -420,10 +420,10 @@ systemd-tmpfiles --create %{_tmpfilesdir}/unbound.conf || :
%config %{_sysconfdir}/%{name}/icannbundle.pem
%config %{_sysconfdir}/cron.d/unbound-anchor
%dir %attr(-,unbound,unbound) %{_sharedstatedir}/%{name}
%attr(0640,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
%attr(0644,unbound,unbound) %config(noreplace) %{_sharedstatedir}/%{name}/root.key
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/dlv.isc.org.key
# just left for backwards compat with user changed unbound.conf files - format is different!
%attr(0640,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%attr(0644,root,unbound) %config(noreplace) %{_sysconfdir}/%{name}/root.key
%{_mandir}/man8/unbound-anchor.8*
%doc doc/README doc/LICENSE
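Review bot: The new `0644` on `%{_sharedstatedir}/%{name}/root.key` only takes effect when rpm installs the file; it is owned by `unbound` and the same list ships `cron.d/unbound-anchor`, so it is presumably rewritten at runtime and may end up with whatever mode the writer uses. The `%dir %attr(-,unbound,unbound)` line above it is unchanged, so whether other users can reach the file depends on the directory mode, which the hunk does not show. Since the anchors are public data, readability is not the concern; what matters is that write access stays limited to `unbound` and `root`, and I would state that above the three entries, e.g. `# trust anchors are public data: world-readable on purpose, writable only by unbound (anchor updates) or root`. The %files list starts before this hunk and may continue after it.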