[Dnsmasq-discuss] RFC5011?

Michael Tremer michael.tremer at ipfire.org
Thu Jul 23 10:18:00 BST 2015

Hello Simon,
hello list,

I was just wondering if someone has ever considered to support RFC5011
in dnsmasq:


This will automatically update the trust anchor in case the KSK of the
root zone is replaced which will probably happen this year.

The implementation should not be too difficult. Most of the stuff that
is required is already there. dnsmasq needs to fetch the DNSKEY
record(s) of the . zone regularly and check if the KSK has changed. If
so the signature needs to be validated of course and then the new key
material needs to be stored somewhere on disk.

If this is not implemented all instances that use DNSSEC won't work any
more. As dnsmasq is often deployed on systems that are not too
regularly updated (hardware routers and so on) I think it is a good
idea to implement this RFC.

As far as I know unbound and others support this RFC.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20150723/38f3da27/attachment.sig>

More information about the Dnsmasq-discuss mailing list