From 62b3b1e931ac7a7e8c521f2b7a7e90ac5d85d52d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= <vladimir.cunat@nic.cz>
Date: Mon, 10 Jun 2024 16:05:41 +0200
Subject: [PATCH] etc/: add the fresh DNSSEC root key "KSK-2024" already

The key still won't be used for some time, two years maybe,
but I think it's better to preemptively trust it already.
(outdated machines, etc.)

Some evidence that it's not just a hash of *my* private key:
https://www.iana.org/dnssec/ceremonies/53-2
https://data.iana.org/ksk-ceremony/53-2/kskm-keymaster-20240426-173035-995.log
https://www.youtube.com/live/gw4PFhtnVpk?si=C8zevM3nG9O0XAJr&t=12726
---
 NEWS          | 8 ++++++++
 etc/root.keys | 1 +
 2 files changed, 9 insertions(+)

diff --git a/NEWS b/NEWS
index 311d7f31d..0b46d3780 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+Knot Resolver 5.7.4 (2024-06-dd)
+================================
+
+Improvements
+------------
+- add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
+
+
 Knot Resolver 5.7.3 (2024-05-30)
 ================================
 
diff --git a/etc/root.keys b/etc/root.keys
index e292b5a7b..3009e81f2 100644
--- a/etc/root.keys
+++ b/etc/root.keys
@@ -1 +1,2 @@
 . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
+. IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16
-- 
2.47.2