0a8814545a
The key still won't be used for some time, two years maybe, and I've been unable to find the DNSKEY itself yet, but I think it's better to preemptively trust at least the DS already. (outdated machines, etc.) Some evidence that it's not just a hash of *my* private key: https://www.iana.org/dnssec/ceremonies/53-2 https://data.iana.org/ksk-ceremony/53-2/kskm-keymaster-20240426-173035-995.log https://www.youtube.com/live/gw4PFhtnVpk?si=C8zevM3nG9O0XAJr&t=12726 I also used exactly the same root.ds in knot-resolver upstream: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1556
38 lines
973 B
Nix
38 lines
973 B
Nix
{ stdenv, lib, fetchurl }:
|
|
|
|
let
|
|
|
|
rootHints = fetchurl {
|
|
# Original source https://www.internic.net/domain/named.root
|
|
# occasionally suffers from pointless hash changes,
|
|
# and having stable sources for older versions has advantages, too.
|
|
urls = map (prefix: prefix + "d9c96ae96f066a85d7/etc/root.hints") [
|
|
"https://gitlab.nic.cz/knot/knot-resolver/raw/"
|
|
"https://raw.githubusercontent.com/CZ-NIC/knot-resolver/"
|
|
];
|
|
hash = "sha256-4lG/uPnNHBNIZ/XIeDM1w3iukrpeW0JIjTnGSwkJ8U4=";
|
|
};
|
|
|
|
rootKey = ./root.key;
|
|
rootDs = ./root.ds;
|
|
|
|
in
|
|
|
|
stdenv.mkDerivation {
|
|
pname = "dns-root-data";
|
|
version = "2024-06-20";
|
|
|
|
buildCommand = ''
|
|
mkdir $out
|
|
cp ${rootHints} $out/root.hints
|
|
cp ${rootKey} $out/root.key
|
|
cp ${rootDs} $out/root.ds
|
|
'';
|
|
|
|
meta = with lib; {
|
|
description = "DNS root data including root zone and DNSSEC key";
|
|
maintainers = with maintainers; [ fpletz vcunat ];
|
|
license = licenses.gpl3Plus;
|
|
};
|
|
}
|