Hello,
In my case, I did add the new anchor myself (from the info @ICANN):
~$ sudo cat /usr/share/dns/root.ds
. IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
. IN DS 38696 8 2 683d2d0acb8c9b712a1948b27f741219298d0a450d612c483af444a4c0fb2b16
~$ sudo cat /usr/share/dns/root.key
. 86400 IN DNSKEY 257 3 8
AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ]
. 86400 IN DNSKEY 257 3 8
AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc=
;{id = 38696 (ksk), size = 2048b} ;;state=2 [ VALID ]
Of course, I strongly invite you not to trust what I pasted here and get the information
yourself from ICANN.
Regards,
Gabriel
On 4 March 2025 at 08:31, Mike Wright
<knot_at_lists_theorb_net_48qbhjm2vj0347_9f4bab04(a)icloud.com> wrote:
On 3/3/25 23:18, Vladimír Čunát wrote:
Hello.
On 04/03/2025 08.00, Mike Wright wrote:
I've found this warning in my journal:
... kresd[1071788]: [taupd ] you need to update package with trust anchors in
"/usr/share/dns/root.key" before it breaks
I don't know how to do that.
I think my system is current but just ran: apt update; apt list --upgradable and it shows
nothing regarding knot.
First of all, ICANN is super-careful, so there's no
need to panic (yet). I read that they don't plan to sign with the new key before
October 2026:
https://lists.icann.org/hyperkitty/list/root-dnssec-announce@icann.org/mess…
As I see you mentioning `apt`, I think this update is exactly what is needed
https://tracker.debian.org/news/1603458/accepted-dns-root-data-2024071801de…
and incarnations of that in various versions of Debian, Ubuntu and other derivatives. I
really hope that a well-maintained distro couldn't miss updating this.
--Vladimir
Thank you, Vladimir.
Now that I know the package name I did:
# apt install dns-root-data -y
...
dns-root-data is already the newest version (2024041801~deb12u1).
I can quit panicking about this and get back to panicking about all the other things
going on ;D
Mike Wright
--
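Added example (not part of the original thread, and not Knot Resolver code): a self-consistency check for the two files pasted in the first message. It recomputes each DNSKEY's key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4509) and compares them with the root.ds lines. The key and digest values are copied from that message and the function names are this example's own; a match only shows the two files agree with each other, so the values still have to be compared with what ICANN publishes.

```python
import base64
import hashlib
import struct

# Values copied from the message above; obtain your own copies from ICANN before relying on them.
ROOT_DS = """\
. IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
. IN DS 38696 8 2 683d2d0acb8c9b712a1948b27f741219298d0a450d612c483af444a4c0fb2b16
"""
ROOT_DNSKEYS = [  # (flags, protocol, algorithm, base64 public key)
    (257, 3, 8, "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="),
    (257, 3, 8, "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="),
]

def dnskey_rdata(flags, protocol, algorithm, b64_key):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(b64_key)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (16-bit folded sum over the RDATA)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(rdata, owner_wire=b"\x00"):
    """DS digest type 2: SHA-256 over owner name (root = one zero byte) + RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest()

def parse_ds(text):
    """Return {key_tag: (algorithm, digest_type, digest_hex)} from DS lines."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[2].upper() == "DS":
            out[int(fields[3])] = (int(fields[4]), int(fields[5]), "".join(fields[6:]).lower())
    return out

def check_anchors(ds_text, dnskeys):
    """Map each DNSKEY's computed key tag to True if a DS line matches it."""
    ds, result = parse_ds(ds_text), {}
    for flags, protocol, algorithm, b64_key in dnskeys:
        rdata = dnskey_rdata(flags, protocol, algorithm, b64_key)
        tag = key_tag(rdata)
        result[tag] = ds.get(tag) == (algorithm, 2, ds_sha256(rdata))
    return result

if __name__ == "__main__":
    print(check_anchors(ROOT_DS, ROOT_DNSKEYS))
```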