dns-root-data

See README.Debian for general guidelines.

Salsa CI: as of 2025-08, it only provides outgoing http/https access and blocks direct DNS access, so the DEP8 “baseline” test can’t run there. See autopkgtest to run it locally. It should work on ELTS CI.

Manual testing with BIND and Unbound:

dpkg -i dns-root-data_new_all.deb

apt install bind9 bind9-dnsutils  # buster,stretch: dnsutils
tail /var/log/syslog

# stretch: bind9 doesn't use dns-root-data
# (also unbound/stretch only uses root.key and has fallbacks)
ln -nfs /usr/share/dns/root.hints /etc/bind/db.root
service bind9 restart

# DNS
dig debian.org @127.0.0.1

# DNSSEC
# stretch: delv is provided by bind9 rather than dnsutils
delv debian.org @127.0.0.1
delv debian.org @127.0.0.1 | grep 'fully validated'

dig debian.org +dnssec @127.0.0.1
dig DNSKEY debian.org @127.0.0.1
dig DS debian.org +trace @127.0.0.1

# Ensure that bind9 is actually using our data
service bind9 stop
mv /usr/share/dns /usr/share/dns.bak
mkdir /usr/share/dns/
touch /usr/share/dns/root.hints
service bind9 start
tail /var/log/syslog
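delv debian.org @127.0.0.1  # SERVFAIL
# Restore the real data before continuing
rm -r /usr/share/dns
mv /usr/share/dns.bak /usr/share/dns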

# unbound -- because bind9 doesn't appear to use root.key,
# while unbound initializes from /usr/share/dns/root.key
apt purge -f bind9
apt install -f unbound
service unbound stop
rm -f /var/lib/unbound/root.key
service unbound start
grep 'copying from /usr/share/dns/root.key' /var/log/syslog

# dig, delv, etc. again
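
The DNSSEC checks above, wrapped as pass/fail helpers. This is an added example, not part of the original notes; the function names, the `--live` switch and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn the manual delv/dig checks into pass/fail helpers.

# Classify delv output read on stdin: validated | unsigned | failed | unknown
# The patterns are anchored so only delv's status line is matched.
delv_status() {
    awk '
        /^;; resolution failed/ { s = "failed";    exit }
        /^; fully validated/    { s = "validated"; exit }
        /^; unsigned answer/    { s = "unsigned";  exit }
        END { print (s == "" ? "unknown" : s) }
    '
}

# Succeed if the dig header on stdin carries the AD (authenticated data)
# flag, i.e. the resolver itself validated the answer.
dig_has_ad() {
    awk '
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")   # keep only the flag list
            for (i = 1; i <= NF; i++) if ($i == "ad") found = 1
        }
        END { exit !found }
    '
}

# Constructed sample outputs (not captured from a real run).
SAMPLE_DELV_OK='; fully validated
debian.org.  300  IN  A  192.0.2.10'
SAMPLE_DELV_FAIL=';; resolution failed: SERVFAIL'
SAMPLE_DIG_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_DIG_NOAD=';; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live run against a resolver (needs network access to the DNS):
#   sh check.sh --live debian.org 127.0.0.1
if [ "${1:-}" = "--live" ]; then
    name=$2 server=$3
    st=$(delv "$name" "@$server" 2>&1 | delv_status)
    dig "$name" +dnssec "@$server" | dig_has_ad && ad=yes || ad=no
    echo "delv=$st ad=$ad"
    [ "$st" = validated ] && [ "$ad" = yes ]
fi
```

With the empty root.hints from the "actually using our data" step, the live run is expected to report `delv=failed` and exit non-zero.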

Copyright (C) 2025 Sylvain Beucler