resolved: pick up new DNSSEC KSC from 2024

Import thew new key from https://data.iana.org/root-anchors/root-anchors.xml.

The old one remains valid, as per provided data.

Fixes: #36260
(cherry picked from commit 8113361)
(cherry picked from commit 961e351)
(cherry picked from commit 6cb60bb)
(cherry picked from commit 6a97871)
(cherry picked from commit 7773582)
(cherry picked from commit 88eec37)

Author: poettering

src/resolve/resolved-dns-trust-anchor.c

@@ -25,6 +25,10 @@ static const uint8_t root_digest2[] =
         { 0xE0, 0x6D, 0x44, 0xB8, 0x0B, 0x8F, 0x1D, 0x39, 0xA9, 0x5C, 0x0B, 0x0D, 0x7C, 0x65, 0xD0, 0x84,
           0x58, 0xE8, 0x80, 0x40, 0x9B, 0xBC, 0x68, 0x34, 0x57, 0x10, 0x42, 0x37, 0xC7, 0xF8, 0xEC, 0x8D };
 
+static const uint8_t root_digest3[] =
+        { 0x68, 0x3D, 0x2D, 0x0A, 0xCB, 0x8C, 0x9B, 0x71, 0x2A, 0x19, 0x48, 0xB2, 0x7F, 0x74, 0x12, 0x19,
+          0x29, 0x8D, 0x0A, 0x45, 0x0D, 0x61, 0x2C, 0x48, 0x3A, 0xF4, 0x44, 0xA4, 0xC0, 0xFB, 0x2B, 0x16 };
+
 static bool dns_trust_anchor_knows_domain_positive(DnsTrustAnchor *d, const char *name) {
         assert(d);
 
@@ -93,6 +97,9 @@ static int dns_trust_anchor_add_builtin_positive(DnsTrustAnchor *d) {
 
         /* Add the currently valid RRs from https://data.iana.org/root-anchors/root-anchors.xml */
         r = add_root_ksk(answer, key, 20326, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest2, sizeof(root_digest2));
+        if (r < 0)
+                return r;
+        r = add_root_ksk(answer, key, 38696, DNSSEC_ALGORITHM_RSASHA256, DNSSEC_DIGEST_SHA256, root_digest3, sizeof(root_digest3));
         if (r < 0)
                 return r;