[Dnsmasq-discuss] RFC5011?

Simon Kelley simon at thekelleys.org.uk
Mon Jul 27 19:31:02 BST 2015



I've considered it, and in an ideal world would like to implement it.
My experience is that _nothing_ to do with DNSSEC is "not too
difficult" and, to be honest, any system deploying the releases of
dnsmasq with DNSSEC to date which can't be updated is in a bad way
anyway. I hope we're close to a stable implementation now, so maybe
now is the time to start thinking about this. Of course this is only
relevant if the root key really does get rolled sometime soon, and if
that doesn't cause the end of the world.

My ideal would be to have a stand-alone RFC5011 daemon, which is
responsible for keeping the OS's idea of the root key(s) up-to-date.
Debian already has a package which provides a central copy of the root
keys, and dnsmasq will use these if it's installed. Having something
which does that but dynamically updates them would be good.

Cheers,

Simon.

On 23/07/15 10:18, Michael Tremer wrote:
> Hello Simon, hello list,
> 
> I was just wondering if someone has ever considered supporting
> RFC5011 in dnsmasq:
> 
> https://tools.ietf.org/html/rfc5011
> 
> This will automatically update the trust anchor in case the KSK of
> the root zone is replaced which will probably happen this year.
> 
> The implementation should not be too difficult. Most of the stuff
> that is required is already there. dnsmasq needs to fetch the
> DNSKEY record(s) of the . zone regularly and check if the KSK has
> changed. If so the signature needs to be validated of course and
> then the new key material needs to be stored somewhere on disk.
> 
> If this is not implemented, all instances that use DNSSEC won't work
> any more. As dnsmasq is often deployed on systems that are not too
> regularly updated (hardware routers and so on), I think it is a
> good idea to implement this RFC.
> 
> As far as I know unbound and others support this RFC.
> 
> Best, -Michael
> 

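Added example, not dnsmasq code and not from either mail in this thread: a minimal RFC 5011 trust-anchor state machine in Python, driven by periodic observations of the root DNSKEY RRset in the way Michael sketches (fetch the DNSKEYs, check that a currently trusted key signs them, track new and revoked KSKs through the hold-down periods). Key tags, flag values and timestamps used with it are constructed; the handling of a REVOKE bit seen on a key still in AddPend is a simplification, not text from the RFC.

```python
# Added example (not dnsmasq code): RFC 5011 trust-anchor state tracking for
# one trust point, fed with what a validator observed on each DNSKEY fetch.
HOLD_DOWN = 30 * 86400   # RFC 5011 add/remove hold-down time: 30 days, in seconds
REVOKE = 0x0080          # REVOKE bit in the DNSKEY flags field (RFC 5011 section 2.1)


class TrustPoint:
    """States per key tag: Start, AddPend, Valid, Missing, Revoked; a Revoked
    key is deleted ("Removed") once the remove hold-down has elapsed."""

    def __init__(self, initial_tags, now):
        self.state = {t: ("Valid", now) for t in initial_tags}  # tag -> (state, since)

    def trusted(self):
        """Keys a validator may use right now: Valid and Missing anchors."""
        return {t for t, (s, _) in self.state.items() if s in ("Valid", "Missing")}

    def observe(self, now, rrset, signers):
        """rrset: {key_tag: flags} as fetched; signers: tags whose RRSIG verified.
        Returns False (and changes nothing) if no current anchor signed the RRset."""
        if not self.trusted() & signers:
            return False  # not signed by a trust anchor: ignore it (RFC 5011 s2.2)
        for tag, flags in rrset.items():
            s, since = self.state.get(tag, ("Start", now))
            if flags & REVOKE:
                if s == "Start":
                    continue                     # never-trusted key: nothing to revoke
                # Revocation only counts when the revoked key signs the RRset itself.
                if tag in signers and s in ("Valid", "Missing"):
                    s, since = "Revoked", now
                elif s == "AddPend":             # simplification: withdrawn before trusted
                    s, since = "Start", now
            elif s == "Start":
                s, since = "AddPend", now        # NewKey: the add hold-down begins
            elif s == "AddPend" and now - since >= HOLD_DOWN:
                s, since = "Valid", now          # AddTime: seen throughout the hold-down
            elif s == "Missing":
                s, since = "Valid", now          # KeyPres: the anchor is back
            self.state[tag] = (s, since)
        for tag, (s, since) in list(self.state.items()):
            if tag not in rrset and s == "AddPend":
                self.state[tag] = ("Start", now)    # KeyRem: hold-down starts over
            elif tag not in rrset and s == "Valid":
                self.state[tag] = ("Missing", now)  # KeyRem: still trusted for now
            elif s == "Revoked" and now - since >= HOLD_DOWN:
                del self.state[tag]                 # RemTime: forget the old KSK
        return True
```

A daemon of the kind Simon describes would persist `state` to disk after each `observe` and export `trusted()` as the anchor file the resolver reads.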