From: Evan Hunt Date: Mon, 26 Aug 2024 19:13:09 +0000 (-0700) Subject: Add the DS for the new root key (38696) X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2f8b76c5e7461bb3968ce32d94ec5ce9b6aa981;p=thirdparty%2Fbind9.git Add the DS for the new root key (38696) Add an 'initial-ds' entry to bind.keys for the new root key, ID 38696, scheduled for publication in January 2025. (cherry picked from commit 609bf35075868ceca1a39b003613317d7796e6dd) --- diff --git a/bind.keys b/bind.keys index 6d4217f1a6d..cba4fd5027d 100644 --- a/bind.keys +++ b/bind.keys @@ -18,16 +18,20 @@ # as initializing keys; thereafter, the keys in the managed key database # will be trusted and maintained automatically. # -# These keys are current as of Mar 2019. If any key fails to initialize -# correctly, it may have expired. In that event you should replace this -# file with a current version. The latest version of bind.keys can always -# be obtained from ISC at https://www.isc.org/bind-keys. +# These keys are current as of November 2024. If any key fails to +# initialize correctly, it may have expired. This should not occur if +# BIND is kept up to date. # # See https://data.iana.org/root-anchors/root-anchors.xml for current trust # anchor information for the root zone. trust-anchors { - # This key (20326) was published in the root zone in 2017. + # This key (20326) was published in the root zone in 2017, and + # is scheduled to be phased out starting in 2025. It will remain + # in the root zone until some time after its successor key has + # been activated. It will remain this file until it is removed + # from the root zone. + . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 
@@ -35,4 +39,10 @@ trust-anchors { oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU="; + # This key (38696) will be pre-published in the root zone in 2025 + # and is scheduled to begin signing in late 2026. At that time, + # servers which were already using the old key (20326) should roll + # seamlessly to this new one via RFC 5011 rollover. + . initial-ds 38696 8 2 "683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A + 4C0FB2B16"; }; diff --git a/bind.keys.h b/bind.keys.h index 13cfc425453..45f7c9cce05 100644 --- a/bind.keys.h +++ b/bind.keys.h @@ -35,16 +35,20 @@ # as initializing keys; thereafter, the keys in the managed key database\n\ # will be trusted and maintained automatically.\n\ #\n\ -# These keys are current as of Mar 2019. If any key fails to initialize\n\ -# correctly, it may have expired. In that event you should replace this\n\ -# file with a current version. The latest version of bind.keys can always\n\ -# be obtained from ISC at https://www.isc.org/bind-keys.\n\ +# These keys are current as of November 2024. If any key fails to\n\ +# initialize correctly, it may have expired. This should not occur if\n\ +# BIND is kept up to date.\n\ #\n\ # See https://data.iana.org/root-anchors/root-anchors.xml for current trust\n\ # anchor information for the root zone.\n\ \n\ trust-anchors {\n\ - # This key (20326) was published in the root zone in 2017.\n\ + # This key (20326) was published in the root zone in 2017, and\n\ + # is scheduled to be phased out starting in 2025. It will remain\n\ + # in the root zone until some time after its successor key has\n\ + # been activated. It will remain this file until it is removed\n\ + # from the root zone.\n\ +\n\ . initial-key 257 3 8 \"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3\n\ +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv\n\ ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF\n\ 
@@ -52,6 +56,12 @@ trust-anchors {\n\ oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd\n\ RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN\n\ R1AkUTV74bU=\";\n\ + # This key (38696) will be pre-published in the root zone in 2025\n\ + # and is scheduled to begin signing in late 2026. At that time,\n\ + # servers which were already using the old key (20326) should roll\n\ + # seamlessly to this new one via RFC 5011 rollover.\n\ + . initial-ds 38696 8 2 \"683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A\n\ + 4C0FB2B16\";\n\ };\n\ " #endif /* BIND_KEYS_H */ diff --git a/doc/arm/general.rst b/doc/arm/general.rst index 136e8062538..92daa509a0f 100644 --- a/doc/arm/general.rst +++ b/doc/arm/general.rst @@ -56,6 +56,10 @@ November 1987. [#rfc1035_1]_ [#rfc1035_2]_ :rfc:`1183` - C. F. Everhart, L. A. Mamakos, R. Ullmann, P. Mockapetris. *New DNS RR Definitions.* October 1990. +:rfc:`1521` - N. Borenstein, N. Freed - *MIME (Multipurpose Internet Mail Extensions) +Part One: Mechanisms for Specifying and Describing the Format of Internet Message +Bodies.* September 1993. [#rfc1521]_ + :rfc:`1706` - B. Manning and R. Colella. *DNS NSAP Resource Records.* October 1994. :rfc:`1712` - C. Farrell, M. Schulze, S. Pleitner, and D. Baldoni. *DNS Encoding of @@ -120,7 +124,7 @@ System (DNS).* August 2002. [#rfc3363]_ October 2002. :rfc:`3492` - A. Costello. *Punycode: A Bootstring Encoding of Unicode for -Internationalized Domain Names in Applications (IDNA).* March 2003. +Internationalized Domain Names in Applications (IDNA).* March 2003. [#idna]_ :rfc:`3493` - R. Gilligan, S. Thomson, J. Bound, J. McCann, and W. Stevens. *Basic Socket Interface Extensions for IPv6.* March 2003. @@ -194,7 +198,7 @@ RRSIG Resource Records for DNSSEC.* October 2009. :rfc:`5891` - J. Klensin. *Internationalized Domain Names in Applications (IDNA): Protocol.* -August 2010 +August 2010 [#idna]_ :rfc:`5936` - E. Lewis and A. Hoenes, Ed. *DNS Zone Transfer Protocol (AXFR).* June 2010. 
@@ -289,7 +293,7 @@ November 2020. :rfc:`9460` - B. Schwartz, M. Bishop and E. Nygren, *Service Binding and Parameter Specification via the DNS (SVCB and HTTPS Resource Records).* -November 2023. +November 2023. [#rfc9460]_ Best Current Practice RFCs -------------------------- @@ -343,6 +347,8 @@ Aggregation and Renumbering.* July 2000. [#rfc2874]_ :rfc:`4074` - Y. Morishita and T. Jinmei. *Common Misbehavior Against DNS Queries for IPv6 Addresses.* June 2005. +:rfc:`4294` - J. Loughney, Ed. - *IPv6 Node Requirements.* April 2006. [#rfc4294]_ + :rfc:`4431` - M. Andrews and S. Weiler. *The DNSSEC Lookaside Validation (DLV) DNS Resource Record.* February 2006. [#rfc4431]_
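Review bot: In the first bind.keys hunk (@@ -18,16 +18,20 @@) the new comment for key 20326 reads "It will remain this file until it is removed", which is missing "in"; the same slip is copied into the matching bind.keys.h hunk (@@ -35,16 +35,20 @@). Suggest "It will remain in this file until it is removed from the root zone." in both places. The same hunk also drops the pointer to https://www.isc.org/bind-keys and replaces it with "This should not occur if BIND is kept up to date", so an operator whose key fails to initialize no longer gets a recovery step from this paragraph. Consider a sentence that points at the root-anchors.xml URL, already cited just below, as the place to check.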
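Review bot: The new `initial-ds 38696 8 2` entry (bind.keys @@ -35,4 +39,10 @@ and bind.keys.h @@ -52,6 +56,12 @@) splits the digest inside the quoted string after 55 hex characters, leaving a 9-character tail on the next line. The two pieces add up to 64 hex characters, which is the right length for digest type 2, but the split makes it awkward to grep for the value or compare it by eye against the root-anchors.xml file the header comment cites. Since this is a root trust anchor, I would put the digest on one line. I would also have the commit message say which published source the value was checked against, because neither the comment nor the message records that today.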
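Review bot: The doc/arm/general.rst hunks add footnote references ([#rfc1521]_, [#idna]_, [#rfc9460]_, [#rfc4294]_), but no visible hunk adds the matching footnote definitions, and none of this is mentioned in the commit message, which only describes the 'initial-ds' entry. Please confirm the definitions exist in the file (an undefined footnote label is a docutils error), and consider splitting the RFC-list changes into their own commit so the trust-anchor change can be reviewed and cherry-picked on its own. Two style points in the same hunks: the new :rfc:`1521` and :rfc:`4294` entries separate authors from title with " - " where the neighbouring entries use a period, and "August 2010 [#idna]_" lacks the period that "March 2003. [#idna]_" has.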