Hi,

By default in the Debian/Ubuntu package it looks like this:

root@sirius:~# dpkg -l | fgrep dnsmasq
ii  dnsmasq        2.79-1  all    Small caching DNS proxy and DHCP/TFTP server
ii  dnsmasq-base   2.79-1  amd64  Small caching DNS proxy and DHCP/TFTP server
ii  dnsmasq-utils  2.79-1  amd64  Utilities for manipulating DHCP leases

The new anchor was included long ago:

root@sirius:~# cat /usr/share/dnsmasq-base/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 10/02/2017

# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

(this is shipped with the above mentioned "dnsmasq-base" package).

In the default config file of dnsmasq, there is this line:

root@sirius:/etc# cat dnsmasq.conf.dpkg-dist | fgrep trust
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf

So everything is there to configure it correctly. By default DNSSEC is not enabled anyway, but a user who wants to enable it can easily do it by uncommenting and fixing the above path. IMHO, it could be improved in the Debian package to have the correct path in the default file (instead of %%PREFIX%%). This looks like a bug in the Debian package installer.

Uwe

-----
Uwe Schindler
Achterdiek 19, D-28357 Bremen
http://www.thetaphi.de
eMail: uwe@thetaphi.de

From: Dnsmasq-discuss <dnsmasq-discuss-bounces@lists.thekelleys.org.uk> On Behalf Of Neil Jerram
Sent: Monday, October 8, 2018 12:19 PM
To: loganaden@gmail.com
Cc: dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>
Subject: Re: [Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?

On Sun, Oct 7, 2018 at 12:05 PM Loganaden Velvindron <loganaden@gmail.com> wrote:
> On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbthomas@pobox.com> wrote:
> >
> > What do I need to do to be ready for the DNSSEC Root KSK (key signing key) rollover on October 11, 2018?
> >
>
> Well, dnsmasq already committed a patch for the new trust anchor :
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59

I was also looking into this last week, and would appreciate if anyone wanted to review and confirm or correct my observations.

If I've understood correctly:

- An installation of dnsmasq can only possibly be impacted by the KSK rollover if it
  - was built with HAVE_DNSSEC enabled; AND
  - is configured (--dnssec) to use DNSSEC at runtime; AND
  - is actually used as a DNS server / forwarder.

- There is no cross-dependency between DNSSEC and dnsmasq's DHCP and RA function. So if you're mainly using dnsmasq for DHCP and RA, as OpenStack does, that function can't be degraded by not having installed or configured the new DNSSEC KSK.

- While it is true that the dnsmasq repo has included the new KSK fingerprint since February 2017 (as in the commit cited above), I couldn't see anything hardcoded in the dnsmasq code to read and use the content of trust-anchors.conf. So, even if you have that file in your dnsmasq install, and it includes the new KSK fingerprint, I _think_ you still need to configure dnsmasq somehow to read that file and trust the fingerprints in it (presumably at the same time as you'd configure --dnssec).

Any comments much appreciated.

 Neil
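The two messages above together give a checklist: the build must have DNSSEC compiled in, `dnssec` must be on in the config, and a `conf-file=` line must actually resolve to the shipped trust-anchors.conf (the `%%PREFIX%%` placeholder Uwe points out does not). The POSIX shell script below is an added example that turns that checklist into a check; it is not code from the dnsmasq project or from anyone in this thread. The key tag 20326 (KSK-2017) and the Debian path come from the thread; the "Compile time options:" line is the format `dnsmasq --version` uses, but the version line and the three sample configs in the demo are constructed for this example, and all function names are mine.

```shell
#!/bin/sh
# Added example (not dnsmasq project code, not from the thread's posters):
# decide whether a dnsmasq instance is affected by the 2018 root KSK roll.
#   1. build:  `dnsmasq --version` lists DNSSEC (not no-DNSSEC)
#   2. config: dnssec is switched on
#   3. anchor: a trust-anchor for key tag 20326 (KSK-2017) is loaded, inline
#      or via a conf-file= that really points at a readable file
# Whether the instance is used as a resolver at all is left to the operator.

KSK2017_TAG=20326

# 1. Build support, from the text of `dnsmasq --version`.
#    "no-DNSSEC" must not count, so require whitespace before DNSSEC.
compiled_with_dnssec() {
    printf '%s\n' "$1" | grep '^Compile time options:' \
        | grep -Eq '(^|[[:space:]])DNSSEC([[:space:]]|$)'
}

# Config lines dnsmasq will act on (lines whose first non-blank char is #
# are comments; blank lines are ignored).
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# 2. Is validation switched on in this config?
dnssec_enabled() {
    active_lines "$1" | grep -Eq '^[[:space:]]*dnssec[[:space:]]*$'
}

# 3. trust-anchor= lines from the config and from every conf-file= it
#    includes (one level, enough for the Debian layout). An include that is
#    not readable, e.g. the unedited %%PREFIX%% placeholder, is reported and
#    skipped, which is exactly how an instance ends up without KSK-2017.
trust_anchors() {
    active_lines "$1" | grep '^trust-anchor=' || true
    active_lines "$1" | grep '^conf-file=' | sed 's/^conf-file=//' \
        | while read -r inc; do
            if [ -r "$inc" ]; then
                active_lines "$inc" | grep '^trust-anchor=' || true
            else
                echo "warning: $1: conf-file=$inc is not readable" >&2
            fi
        done
}

# Verdict for one config file. Prints one line and returns
#   0  dnssec on and the KSK-2017 anchor is loaded
#   1  dnssec off, so the rollover cannot affect this instance
#   2  dnssec on but no KSK-2017 anchor: validation fails once the root
#      zone is signed only by the new key
ksk_rollover_status() {
    if ! dnssec_enabled "$1"; then
        echo "$1: dnssec not enabled, rollover irrelevant"
        return 1
    fi
    if trust_anchors "$1" | grep -q "^trust-anchor=\\.,$KSK2017_TAG,"; then
        echo "$1: dnssec enabled, KSK-2017 (tag $KSK2017_TAG) anchor present"
        return 0
    fi
    echo "$1: dnssec enabled but no KSK-2017 anchor configured"
    return 2
}

# --- constructed demo inputs, shaped like the real files, not copied from a host ---
demo_setup() {
    d=$(mktemp -d)
    cat >"$d/trust-anchors.conf" <<'EOF'
# The root DNSSEC trust anchor, valid as at 10/02/2017
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
    # (a) as shipped: dnssec off, conf-file still commented out
    printf '%s\n' '#dnssec' '#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf' >"$d/default.conf"
    # (b) dnssec switched on but the %%PREFIX%% placeholder never fixed
    printf '%s\n' 'dnssec' 'conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf' >"$d/broken.conf"
    # (c) fixed: path corrected (on Debian: /usr/share/dnsmasq-base/trust-anchors.conf)
    printf '%s\n' 'dnssec' "conf-file=$d/trust-anchors.conf" >"$d/fixed.conf"
    echo "$d"
}

demo() {
    # constructed version line in the shape of `dnsmasq --version` output
    v='Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify'
    compiled_with_dnssec "$v" && echo "build: DNSSEC compiled in"
    d=$(demo_setup)
    for c in default broken fixed; do
        ksk_rollover_status "$d/$c.conf" || :
    done
    rm -rf "$d"
}

demo
```

On a real host, feed `compiled_with_dnssec "$(dnsmasq --version)"` and `ksk_rollover_status /etc/dnsmasq.conf` instead of the demo inputs. The script follows `conf-file=` one level only and ignores `conf-dir=`, so if you also drop snippets into /etc/dnsmasq.d, run it over those files as well; `dnsmasq --test -C <file>` remains the authoritative syntax check.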