=============
dns-root-data
=============

See `README.Debian
<https://salsa.debian.org/dns-team/dns-root-data/-/blob/debian/master/debian/README.Debian>`_
for general guidelines.

Salsa CI: as of 2025-08, only provides http/https outgoing access,
direct DNS access is blocked, so the DEP8 "baseline" test can't
run. See :doc:`autopkgtest` to run it locally. Should work on ELTS CI.

Manual testing with BIND and Unbound:

.. code-block:: bash

  dpkg -i dns-root-data_new_all.dpkg

  apt install bind9 bind9-dnsutils  # buster,strech: dnsutils
  tail /var/log/syslog

  # stretch: bind9 doesn't use dns-root-data
  # (also unbound/stretch only uses root.key and has fallbacks)
  ln -nfs /usr/share/dns/root.hints /etc/bind/db.root
  service bind9 restart

  # DNS
  dig debian.org @127.0.0.1

  # DNSSEC
  # stretch: delv is provided by bind9 rather than dnsutils
  delv debian.org @127.0.0.1
  delv debian.org @127.0.0.1 | grep 'fully validated'

  dig debian.org +dnssec @127.0.0.1
  dig DNSKEY debian.org @127.0.0.1
  dig DS debian.org +trace @127.0.0.1

  # Ensure that bind9 is actually using our data
  service bind9 stop
  mv /usr/share/dns /usr/share/dns.bak
  mkdir /usr/share/dns/
  touch /usr/share/dns/root.hints
  service bind9 start
  tail /var/log/syslog
  delv debian.org @127.0.0.1  # SERVFAIL

  # unbound -- because bind9 doesn't appear to use root.key,
  # while unbound initializes from /usr/share/doc/root.key
  apt purge -f bind9
  apt install -f unbound
  service unbound stop
  rm -f /var/lib/unbound/root.key
  service unbound start
  grep 'copying from /usr/share/dns/root.key' /var/log/syslog

  # dig, delv, etc. again

| Copyright (C) 2025  Sylvain Beucler