public inbox for overseers@sourceware.org
* [Bug Infrastructure/32262] New: dnssec transition from RSASHA1
@ 2024-10-10 19:00 fche at redhat dot com
From: fche at redhat dot com @ 2024-10-10 19:00 UTC (permalink / raw)
  To: overseers

https://sourceware.org/bugzilla/show_bug.cgi?id=32262

            Bug ID: 32262
           Summary: dnssec transition from RSASHA1
           Product: sourceware
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Infrastructure
          Assignee: overseers at sourceware dot org
          Reporter: fche at redhat dot com
  Target Milestone: ---

For 10ish years, sourceware.org's dns presence has been signed with dnssec, but
using algorithms that are being deprecated.  Apparently it's time to bump
things up.  This requires generating new keys and updating our own DNS as well
as the .org registry.

Will document the work required here.

-- 
You are receiving this mail because:
You are the assignee for the bug.


* [Bug Infrastructure/32262] dnssec transition from RSASHA1
From: fche at redhat dot com @ 2024-10-10 19:05 UTC (permalink / raw)
  To: overseers

https://sourceware.org/bugzilla/show_bug.cgi?id=32262

Frank Ch. Eigler <fche at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ian at airs dot com

--- Comment #1 from Frank Ch. Eigler <fche at redhat dot com> ---
/var/named:

[root@server2 named]# dnssec-keygen -a ECDSAP256SHA256 -n ZONE sourceware.org
Generating key pair.
Ksourceware.org.+013+64003

[root@server2 named]# dnssec-keygen -a ECDSAP256SHA256 -f KSK sourceware.org
Generating key pair.
Ksourceware.org.+013+27852

[root@server2 named]# dnssec-dsfromkey Ksourceware.org.+013+64003.key
sourceware.org. IN DS 64003 13 1 73963C89925B738A606A8D44A5DED8E558D030FA
sourceware.org. IN DS 64003 13 2
7999DAFA92E8F5A47B90170D1645E220325E825432523B6889F4498546573159

[root@server2 named]# dnssec-dsfromkey Ksourceware.org.+013+27852.key 
sourceware.org. IN DS 27852 13 1 9305926FD5D0D91D49E44917226435EDB0794DFF
sourceware.org. IN DS 27852 13 2
09B86E2AA44D22203DB4AE438FBA4B5B10B4A4BB854D79D2E4C1430E1CB0F345

The two "DS ... 13 2" entries need to replace those currently in
sourceware.org's registrar, around the same time we reconfigure sourceware's
own DNS server to switch to using these keys.


* [Bug Infrastructure/32262] dnssec transition from RSASHA1
From: fche at redhat dot com @ 2024-10-11 18:33 UTC (permalink / raw)
  To: overseers

https://sourceware.org/bugzilla/show_bug.cgi?id=32262

--- Comment #2 from Frank Ch. Eigler <fche at redhat dot com> ---
Sourceware BIND is now serving its zone with both sets of keys.  Awaiting the
registrar DS updates to finish the transition by removing the old pair from
circulation.


* [Bug Infrastructure/32262] dnssec transition from RSASHA1
From: ian at airs dot com @ 2024-10-11 21:48 UTC (permalink / raw)
  To: overseers

https://sourceware.org/bugzilla/show_bug.cgi?id=32262

--- Comment #3 from Ian Lance Taylor <ian at airs dot com> ---
The records have been updated at the registrar.  Thanks.


* [Bug Infrastructure/32262] dnssec transition from RSASHA1
From: fche at redhat dot com @ 2024-10-11 22:12 UTC (permalink / raw)
  To: overseers

https://sourceware.org/bugzilla/show_bug.cgi?id=32262

Frank Ch. Eigler <fche at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Frank Ch. Eigler <fche at redhat dot com> ---
Thanks a lot, it looks fine, and passes dnssec from polly.osci.io and
https://dnsviz.net/d/sourceware.org/dnssec/


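Comment #1 derives DS records from freshly generated ECDSAP256SHA256 keys, and comments #2 to #4 walk the rollover: publish both key sets, wait for the registrar to swap the DS records, then retire the old pair. The following is an added example, not code from the bug thread or from BIND: it computes the RFC 4034 key tag and DS digest that `dnssec-dsfromkey` prints, and then performs the check a zone operator wants before removing old keys, namely that every DS at the parent still matches a DNSKEY the zone publishes (an orphan DS breaks the chain of trust) and that every KSK has a DS. All key material below is constructed; the thread never shows sourceware.org's DNSKEYs, so the tags and digests here differ from the page's.

```python
"""Key tags, DS records and a DS/DNSKEY consistency check for a DNSSEC
algorithm rollover.  Added example; not code from the bug thread or from
BIND.  All key material is constructed, so tags and digests differ from
the ones in the bug report."""
import base64
import hashlib
import struct


def owner_name_to_wire(name: str) -> bytes:
    """Canonical wire form of a (non-root) owner name: lower-cased labels, RFC 4034 6.2."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 5.1.4.
    Digest type 1 is SHA-1, type 2 is SHA-256 (the '13 2' records in the thread)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Presentation form in the layout dnssec-dsfromkey prints."""
    return (f"{owner} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def parse_dnskey(line: str):
    """'owner [TTL] [IN] DNSKEY flags proto alg base64...' -> (owner, rdata)."""
    t = line.split()
    i = t.index("DNSKEY")
    flags, proto, alg = (int(x) for x in t[i + 1:i + 4])
    return t[0], dnskey_rdata(flags, proto, alg, base64.b64decode("".join(t[i + 4:])))


def parse_ds(line: str):
    """'owner [TTL] [IN] DS tag alg dtype hex...' -> (owner, tag, alg, dtype, HEX)."""
    t = line.split()
    i = t.index("DS")
    return t[0], int(t[i + 1]), int(t[i + 2]), int(t[i + 3]), "".join(t[i + 4:]).upper()


def check_ds_against_dnskeys(dnskey_lines, ds_lines):
    """Cross-check the parent's DS set against the child's DNSKEY RRset.

    Returns (matched_tags, orphan_ds_tags, ksk_tags_without_ds).  An orphan DS
    points at a key the zone no longer publishes; a validator that follows it
    gets no chain of trust, which is why the old DNSKEYs must stay published
    until the registrar has removed their DS.  A KSK (SEP flag 0x0001 set)
    with no DS is unusable by validators.
    """
    keys = [parse_dnskey(l) for l in dnskey_lines]
    matched, orphan = [], []
    for owner, tag, alg, dtype, digest in (parse_ds(l) for l in ds_lines):
        hit = any(key_tag(r) == tag and r[3] == alg and ds_digest(o, r, dtype) == digest
                  for o, r in keys)
        (matched if hit else orphan).append(tag)
    ksk_no_ds = [key_tag(r) for _, r in keys
                 if struct.unpack("!H", r[:2])[0] & 1 and key_tag(r) not in matched]
    return matched, orphan, ksk_no_ds


# Constructed sample zone: an RSASHA1 (alg 5) KSK being retired, plus the new
# ECDSAP256SHA256 (alg 13) KSK and ZSK.  The public-key bytes are arbitrary.
def _dnskey_line(flags, alg, pubkey):
    return f"sourceware.org. IN DNSKEY {flags} 3 {alg} {base64.b64encode(pubkey).decode()}"


OLD_KSK_LINE = _dnskey_line(257, 5, b"\x03\x01\x00\x01" + bytes(range(64)))
NEW_KSK_LINE = _dnskey_line(257, 13, bytes(range(1, 65)))
NEW_ZSK_LINE = _dnskey_line(256, 13, bytes(range(64, 0, -1)))
# DS set as the parent holds it once both KSKs' SHA-256 digests are registered.
PARENT_DS = [ds_record(*parse_dnskey(OLD_KSK_LINE)), ds_record(*parse_dnskey(NEW_KSK_LINE))]

if __name__ == "__main__":
    for line in (OLD_KSK_LINE, NEW_KSK_LINE, NEW_ZSK_LINE):
        print(ds_record(*parse_dnskey(line)))
    # Both keys published, both DS at the parent: the safe intermediate state.
    print(check_ds_against_dnskeys([OLD_KSK_LINE, NEW_KSK_LINE, NEW_ZSK_LINE], PARENT_DS))
    # Old key pulled from the zone before the parent dropped its DS: orphan DS.
    print(check_ds_against_dnskeys([NEW_KSK_LINE, NEW_ZSK_LINE], PARENT_DS))
```

In practice the two inputs come from `dig DNSKEY sourceware.org` against the authoritative server and `dig DS sourceware.org` against the parent; the check should report no orphan DS before the old keys are removed and no KSK without DS after the registrar update, which is the condition the DNSViz report in comment #4 confirms.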