systemd/0348-resolved-pick-up-new-DNSSEC-KSC-from-2024.patch

From 5f02c6b7a277dae1e8d122045a3ff881eb2c334c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 3 Mar 2025 22:40:05 +0100
Subject: [PATCH] resolved: pick up new DNSSEC KSC from 2024

Import thew new key from https://data.iana.org/root-anchors/root-anchors.xml.

The old one remains valid, as per provided data.

Fixes: #36260
(cherry picked from commit 8113361e82eea2741290f7117034d356acb3ab4d)

Resolves: RHEL-77718
---
 src/resolve/resolved-dns-trust-anchor.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
index 9df93f109a..be9e487454 100644
--- a/src/resolve/resolved-dns-trust-anchor.c
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -25,6 +25,10 @@ static const uint8_t root_digest2[] =
         { 0xE0, 0x6D, 0x44, 0xB8, 0x0B, 0x8F, 0x1D, 0x39, 0xA9, 0x5C, 0x0B, 0x0D, 0x7C, 0x65, 0xD0, 0x84,
           0x58, 0xE8, 0x80, 0x40, 0x9B, 0xBC, 0x68, 0x34, 0x57, 0x10, 0x42, 0x37, 0xC7, 0xF8, 0xEC, 0x8D };
 
+static const uint8_t root_digest3[] =
+        { 0x68, 0x3D, 0x2D, 0x0A, 0xCB, 0x8C, 0x9B, 0x71, 0x2A, 0x19, 0x48, 0xB2, 0x7F, 0x74, 0x12, 0x19,
+          0x29, 0x8D, 0x0A, 0x45, 0x0D, 0x61, 0x2C, 0x48, 0x3A, 0xF4, 0x44, 0xA4, 0xC0, 0xFB, 0x2B, 0x16 };
+
 static bool dns_trust_anchor_knows_domain_positive(DnsTrustAnchor *d, const char *name) {
         assert(d);
 
@@ -93,6 +97,9 @@ static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) {
 
         /* Add the currently valid RRs from https://data.iana.org/root-anchors/root-anchors.xml */
         r = add_root_ksk(answer, key, 20326, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest2, sizeof(root_digest2));
+        if (r < 0)
+                return r;
+        r = add_root_ksk(answer, key, 38696, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest3, sizeof(root_digest3));
         if (r < 0)
                 return r;