Use the SQIsign root zone keys

2025-03-12 12:33:34 +01:00
parent a5ae1656f3
commit 4018a34d04
2 changed files with 14 additions and 75 deletions
--- a/bind.keys
+++ b/bind.keys
@@ -37,23 +37,7 @@
 # anchor information for the root zone.

 trust-anchors {
-        # This key (20326) was published in the root zone in 2017, and
-        # is scheduled to be phased out starting in 2025. It will remain
-        # in the root zone until some time after its successor key has
-        # been activated. It will remain this file until it is removed
-        # from the root zone.
-
-        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
-                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
-                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
-                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
-                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
-                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
-                R1AkUTV74bU=";
-        # This key (38696) will be pre-published in the root zone in 2025
-        # and is scheduled to begin signing in late 2026. At that time,
-        # servers which were already using the old key (20326) should roll
-        # seamlessly to this new one via RFC 5011 rollover.
-        . initial-ds 38696 8 2 "683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A
-        4C0FB2B16";
+	. initial-key 257 3 17
+	"3+O0xDZt9XYR4BA8bjXcN3JilnpLpDHIUxN26v08rQFa8pyWZCM1kMRg
+	YKN+n/zZcd7fq2KUplqISyiT6CGeASM=";
 };
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -37,67 +37,22 @@
 /*
 * Also update 'upcoming' when updating 'root_ns'.
 */
-static char root_ns[] =
-	";\n"
-	"; Internet Root Nameservers\n"
-	";\n"
-	"$TTL 518400\n"
-	".                       518400  IN      NS      A.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      B.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      C.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      D.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      E.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      F.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      G.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      H.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      I.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      J.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      K.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      L.ROOT-SERVERS.NET.\n"
-	".                       518400  IN      NS      M.ROOT-SERVERS.NET.\n"
-	"A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4\n"
-	"A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30\n"
-	"B.ROOT-SERVERS.NET.     3600000 IN      A       170.247.170.2\n"
-	"B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2801:1b8:10::b\n"
-	"C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12\n"
-	"C.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2::c\n"
-	"D.ROOT-SERVERS.NET.     3600000 IN      A       199.7.91.13\n"
-	"D.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2d::d\n"
-	"E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10\n"
-	"E.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:a8::e\n"
-	"F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241\n"
-	"F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2F::F\n"
-	"G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4\n"
-	"G.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:12::d0d\n"
-	"H.ROOT-SERVERS.NET.     3600000 IN      A       198.97.190.53\n"
-	"H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::53\n"
-	"I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17\n"
-	"I.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fe::53\n"
-	"J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30\n"
-	"J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:C27::2:30\n"
-	"K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129\n"
-	"K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7FD::1\n"
-	"L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42\n"
-	"L.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:9f::42\n"
-	"M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33\n"
-	"M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:DC3::35\n";
-
-static unsigned char b_data[] = "\001b\014root-servers\003net";
+static char root_ns[] = ";\n"
+			"; Internet Root Nameservers\n"
+			";\n"
+			"$TTL 518400\n"
+			".                       518400  IN      NS      "
+			"himiko.vs.mythic-beasts.com.\n"
+			"himiko.vs.mythic-beasts.com.     3600000 IN      A    "
+			"   46.235.229.165\n"
+			"himiko.vs.mythic-beasts.com.     3600000 IN      AAAA "
+			"   2a00:1098:9a::1\n";

 static struct upcoming {
 	const dns_name_t name;
 	dns_rdatatype_t type;
 	isc_stdtime_t time;
-} upcoming[] = { {
-			 .name = DNS_NAME_INITABSOLUTE(b_data),
-			 .type = dns_rdatatype_a,
-			 .time = 1701086400 /* November 27 2023, 12:00 UTC */
-		 },
-		 {
-			 .name = DNS_NAME_INITABSOLUTE(b_data),
-			 .type = dns_rdatatype_aaaa,
-			 .time = 1701086400 /* November 27 2023, 12:00 UTC */
-		 } };
+} upcoming[] = { 0 };

 static isc_result_t
 in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {