Created attachment 464178: dnssec-root-20170203.ebuild

Late last year IANA renewed the DNSSEC root signing key, and earlier this month, updated it publicly[1], causing Bug #603316. Taking a look at the dnssec-root ebuild[2], most of the workings are now irrelevant, and the entire test section is broken.

I have done a rather naive attempt at rewriting this, so feel free to change it at your discretion. Among other things I have:

* Moved http links to https (Even though we verify, ruling out less trusted sources is always best, e.g. if there is an exploitable bug while parsing these files)
* Made verification part of the compile section rather than the test section
* Bundled the verifying CA with the package, so as to not have to fetch it remotely.

IANA also provides shasums for the files, but portage's manifests should take care of that. There are also alternatives, such as IANA's own tool for this[3].

[1] https://www.icann.org/news/blog/ksk-rollover-operations-begin
[2] https://gitweb.gentoo.org/repo/gentoo.git/tree/net-dns/dnssec-root/dnssec-root-20150403.ebuild
[3] https://github.com/iana-org/get-trust-anchor
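The comment above notes that the anchor files are parsed after verification and that a parsing bug would still be exploitable, which is why fetching over https matters. The following is an added example (not the attached ebuild, not Gentoo's code, and not IANA's tool) of the parsing step done defensively: it reads a trust anchor file in the RFC 7958 `<TrustAnchor>`/`<KeyDigest>` layout that IANA publishes as root-anchors.xml, keeps only the KeyDigest entries whose validFrom/validUntil window covers a given time, checks that each digest is well-formed for its digest type, and emits DS records. The sample XML, key tags and digests are constructed for the example and are not the real root KSK values; the example assumes that the detached CMS signature over the file has already been checked against the bundled ICANN CA before this parser sees it.

```python
"""Parse an RFC 7958 style trust anchor XML file into DS records.

Added example with constructed data; not the ebuild's or IANA's own code.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7958 <TrustAnchor> layout. The id, key tags and
# digests are made up for this example and are NOT the real root KSK values.
SAMPLE_ANCHORS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="example-id" source="https://example.invalid/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="OldKey" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>11111</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{0}</Digest>
  </KeyDigest>
  <KeyDigest id="NewKey" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>22222</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>{1}</Digest>
  </KeyDigest>
</TrustAnchor>
""".format("AA" * 32, "BB" * 32)

# Expected hex digest length per DNSSEC DS digest type:
# 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}
HEX_DIGITS = set("0123456789ABCDEF")


def _parse_ts(value):
    # Timestamps in the file look like 2017-02-02T00:00:00+00:00.
    return datetime.fromisoformat(value)


def parse_trust_anchors(xml_text, now):
    """Return the DS records valid at `now` (a timezone-aware datetime).

    Raises ValueError on anything malformed instead of emitting a bad record,
    so a tampered or corrupted file never silently produces a trust anchor.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor":
        raise ValueError("unexpected root element %r" % root.tag)
    zone = root.findtext("Zone")
    if zone != ".":
        raise ValueError("unexpected zone %r; only the root zone is accepted" % zone)

    records = []
    for kd in root.findall("KeyDigest"):
        valid_from = _parse_ts(kd.get("validFrom"))
        valid_until = kd.get("validUntil")  # optional: absent means "still valid"
        if now < valid_from:
            continue
        if valid_until is not None and now >= _parse_ts(valid_until):
            continue

        keytag = int(kd.findtext("KeyTag"))
        alg = int(kd.findtext("Algorithm"))
        dtype = int(kd.findtext("DigestType"))
        digest = (kd.findtext("Digest") or "").strip().upper()

        if not 0 <= keytag <= 0xFFFF or not 0 <= alg <= 0xFF:
            raise ValueError("key tag or algorithm out of range")
        if dtype not in DIGEST_HEX_LEN:
            raise ValueError("unsupported digest type %d" % dtype)
        if len(digest) != DIGEST_HEX_LEN[dtype] or not set(digest) <= HEX_DIGITS:
            raise ValueError("malformed digest for key tag %d" % keytag)

        records.append(". IN DS %d %d %d %s" % (keytag, alg, dtype, digest))

    if not records:
        raise ValueError("no trust anchor is valid at %s" % now.isoformat())
    return records


if __name__ == "__main__":
    for line in parse_trust_anchors(SAMPLE_ANCHORS_XML, datetime.now(timezone.utc)):
        print(line)
```

Run stand-alone it prints the DS record for the constructed "NewKey" entry, since the "OldKey" window has closed; during the overlap window both would be printed, which is the behaviour wanted across a KSK rollover. Rejecting instead of skipping on malformed input is deliberate: an anchor file that parses "mostly" is exactly the case the https-only argument above is guarding against.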
Created attachment 464180: net-dns/dnssec-root/files/icannbundle-20170203.pem
Should be obsolete now due to latest update, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=75fcd1e0092ab0132cb453dcfbcb509a37b6bfbd