dns-root-data: add DS for the new KSK-2024

The key still won't be used for some time, two years maybe, and I've been unable to find the DNSKEY itself yet, but I think it's better to preemptively trust at least the DS already. (outdated machines, etc.) Some evidence that it's not just a hash of *my* private key: https://www.iana.org/dnssec/ceremonies/53-2 https://data.iana.org/ksk-ceremony/53-2/kskm-keymaster-20240426-173035-995.log https://www.youtube.com/live/gw4PFhtnVpk?si=C8zevM3nG9O0XAJr&t=12726 I also used exactly the same root.ds in knot-resolver upstream: https://gitlab.nic.cz/knot/knot-resolver/-/merge_requests/1556
2024-11-22 23:13:19 +00:00 · 2024-06-20 19:00:58 +02:00 · 2024-06-20 19:00:58 +02:00 · 0a8814545a
commit 0a8814545a
parent 868f39101b
2 changed files with 2 additions and 1 deletions
--- a/pkgs/data/misc/dns-root-data/default.nix
+++ b/pkgs/data/misc/dns-root-data/default.nix
@ -20,7 +20,7 @@ in

 stdenv.mkDerivation {
  pname = "dns-root-data";
-  version = "2023-11-27";
+  version = "2024-06-20";

  buildCommand = ''
    mkdir $out
--- a/pkgs/data/misc/dns-root-data/root.ds
+++ b/pkgs/data/misc/dns-root-data/root.ds
@ -1 +1,2 @@
 . IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
+. IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16