aboutsummaryrefslogtreecommitdiffstats
path: root/main/dnssec-root
diff options
context:
space:
mode:
authorSören Tempel <soeren+git@soeren-tempel.net>2018-10-19 13:23:16 +0200
committerSören Tempel <soeren+git@soeren-tempel.net>2018-10-19 14:08:14 +0200
commit01ae13d188cafc19691518a4814372729dec9877 (patch)
tree1130049d09fb67369cb5c67c7698226367300e54 /main/dnssec-root
parent40dd9e5e3fda4124dff6086653473717da29961d (diff)
downloadaports-master.tar.bz2
aports-master.tar.xz
main/dnssec-root: upgrade to 20170203HEADmaster
This includes the new root trust anchor. I consider this superior to the solution provided in [1] as it uses a python tool recommended by the iana [2] for fetching the root trust anchors. This tool also takes care of verifying their accuracy by checking the S/MIME signature. See also #9552. [1]: https://github.com/alpinelinux/aports/pull/5400 [2]: https://github.com/iana-org/get-trust-anchor
Diffstat (limited to 'main/dnssec-root')
-rw-r--r--main/dnssec-root/APKBUILD74
-rw-r--r--main/dnssec-root/anchors2ds.xsl32
2 files changed, 14 insertions, 92 deletions
diff --git a/main/dnssec-root/APKBUILD b/main/dnssec-root/APKBUILD
index 7da9cfdf69..0af5f66fe0 100644
--- a/main/dnssec-root/APKBUILD
+++ b/main/dnssec-root/APKBUILD
@@ -2,77 +2,31 @@
# Contributor: Natanael Copa <ncopa@alpinelinux.org>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dnssec-root
-pkgver=20100715
-pkgrel=3
+pkgver=20170203
+pkgrel=0
+_commit=67c11662510f5e2db6e6517228e80b794950c43f
pkgdesc="The DNSSEC root key(s)"
url="https://www.iana.org/dnssec/"
arch="noarch"
license="Public-Domain"
depends=""
-makedepends="libxslt gnupg bind-tools"
+makedepends="python3 openssl"
install=""
subpackages=""
-source="https://data.iana.org/root-anchors/old/icann.pgp
- https://data.iana.org/root-anchors/old/root-anchors.xml
- https://data.iana.org/root-anchors/old/root-anchors.asc
- anchors2ds.xsl
- "
-
-# Modeled after the following approach:
-# http://permalink.gmane.org/gmane.network.dns.unbound.user/1039
-
-_keyflags=257
-_hashalgo=-2
-
-_builddir="$srcdir"/$pkgname-$pkgver
-prepare() {
- cd "$srcdir"
- mkdir -p "$_builddir"
-
- (
- export GNUPGHOME="$_builddir"/gpg
- install -d -m 700 "$GNUPGHOME"
- gpg --import "$srcdir"/icann.pgp || exit 1
- gpg --verify "$srcdir"/root-anchors.asc \
- root-anchors.xml
- ) || return 1
-}
+options="net"
+source="$pkgname-$pkgver.tar.gz::https://github.com/iana-org/get-trust-anchor/archive/$_commit.tar.gz"
+builddir="$srcdir"/get-trust-anchor-$_commit
build() {
- cd "$_builddir"
- xsltproc -o root-anchors.txt "$srcdir"/anchors2ds.xsl "$srcdir"/root-anchors.xml
-
- dig DNSKEY . | grep -w $_keyflags > untrusted.key
- dnssec-dsfromkey $_hashalgo untrusted.key > untrusted.ds
-
- cut -d ' ' -f1-6 untrusted.ds | tr '\n' ' ' > root-anchors.tmp
- cut -d ' ' -f7- untrusted.ds | sed 's/ //g' | tr '\n' ' ' >> root-anchors.tmp
- printf '\n' >> root-anchors.tmp
-
- if ! cmp root-anchors.txt root-anchors.tmp; then
- echo "DNSKEY is invalid, don't continue." 1>&2
- exit 1
- fi
-
- awk '{print $1 "\t" $2 "\t" $3 "\t" $4 "\t" $5 " " $6 " " $7; for (i = 8; i <= NF; i++) printf $i}' \
- untrusted.key | tr '\n' ' ' > trusted-key.key
- printf "\n" >> trusted-key.key
+ cd "$builddir"
+ python3 get_trust_anchor.py
}
package() {
- install -Dm644 "$_builddir"/trusted-key.key \
- "$pkgdir"/usr/share/$pkgname/trusted-key.key || return 1
+ cd "$builddir"
+ cat ksk-as-dnskey.txt* > trusted-key.key
+ install -Dm644 trusted-key.key \
+ "$pkgdir"/usr/share/$pkgname/trusted-key.key
}
-md5sums="041a789ee96301623d3e66e4d52c8a0b icann.pgp
-69e6f9b67e92fbc952d488cc6f67198f root-anchors.xml
-a5612e1b84a75c29b642b9342286c511 root-anchors.asc
-1043c559c923279600a6da395b794597 anchors2ds.xsl"
-sha256sums="3e9beaaf9bbd1fe78a0d104230cbc04d544e833a2dc6b982992f74a4860a9ae8 icann.pgp
-dfb281b771dc854c18d1cff9d2eecaf184cf7a9668606aaa33e8f01bf4b4d8e4 root-anchors.xml
-5bffcac53f810c5fb1e1baf543e2de2f10ec99d7f7cddb5f1e47b1e58cf34cfa root-anchors.asc
-2cc436e29e5bfd39c055390045a4c14dfae517ebdad79002983756a508a15e8f anchors2ds.xsl"
-sha512sums="5fba8334850f2ae753f4f8a30d1e6c62abc341ece2dc83df4bc0f6db2b91ae68942c0d2a38eab3d33b5b91640cd1cf0970777225c15d5f961884c00077d539a2 icann.pgp
-bca506c852bc83aa9d04ed0b52bef6d0baec745e466292273d52f49fd73cec73db4c6d55a9921fe086c7edc618f3ab21dc03146b6d617644495b3926e262e572 root-anchors.xml
-e9c86b897d7e8edb979cba4bebe353b7c7f21b4061cd6f571c8671b02e73c2ea0b78a980169fa7d40987b9e962a0f1ba17dbb392b5ec6ad14fedce65a139c913 root-anchors.asc
-5b496d8f7fcb6a1241d889221f539b68485fea356feec13a94329b0807768c543c828c2821567f59d6a56931a6b2ea22827e49a1527582e3dda844d61c28b198 anchors2ds.xsl"
+sha512sums="91b8fbecf10ae4d599a93bb69e342942a0f8dc3678c3ec8151dcdaa650eefdc4168eb5e272a4e4182daa180c3f5ff33217a825e2e8f19d489b6dc6171b0b5b56 dnssec-root-20170203.tar.gz"
diff --git a/main/dnssec-root/anchors2ds.xsl b/main/dnssec-root/anchors2ds.xsl
deleted file mode 100644
index 3df47e2075..0000000000
--- a/main/dnssec-root/anchors2ds.xsl
+++ /dev/null
@@ -1,32 +0,0 @@
-<?xml version="1.0"?>
-
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
- <xsl:output method="text"/>
-
- <xsl:template match="/">
- <xsl:apply-templates/>
- </xsl:template>
-
- <xsl:template match="/TrustAnchor">
- <xsl:apply-templates select="Zone"/>
- <xsl:apply-templates select="KeyDigest"/>
- <xsl:text>
-</xsl:text>
- </xsl:template>
-
- <xsl:template match="KeyDigest">
- <xsl:apply-templates select="KeyTag"/>
- <xsl:apply-templates select="Algorithm"/>
- <xsl:apply-templates select="DigestType"/>
- <xsl:apply-templates select="Digest"/>
- </xsl:template>
-
- <xsl:template match="Zone">
- <xsl:value-of select="text()"/><xsl:text> IN DS </xsl:text>
- </xsl:template>
-
- <xsl:template match="*">
- <xsl:value-of select="text()"/><xsl:text> </xsl:text>
- </xsl:template>
-
-</xsl:stylesheet> \ No newline at end of file