simon at thekelleys.org.uk
Mon Jul 27 19:31:02 BST 2015
I've considered it, and in an ideal world would like to implement it.
My experience is that _nothing_ to do with DNSSEC is "not too
difficult" and, to be honest, any system deploying the releases of
dnsmasq with DNSSEC to-date which can't be updated is in a bad way
anyway. I hope we're close to a stable implementation now, so maybe
now is the time to start thinking about this. Of course this is only
relevant if the root key really does get rolled sometime soon, and if
that doesn't cause the end of the world.
My ideal would be to have a stand-alone RFC5011 daemon, which is
responsible for keeping the OS's idea of the root key(s) up-to-date.
Debian already has a package which provides a central copy of the root
keys, and dnsmasq will use these if it's installed. Having something
which does that but dynamically updates them would be good.
On 23/07/15 10:18, Michael Tremer wrote:
> Hello Simon, hello list,
> I was just wondering if someone has ever considered supporting
> RFC5011 in dnsmasq:
> This will automatically update the trust anchor in case the KSK of
> the root zone is replaced which will probably happen this year.
> The implementation should not be too difficult. Most of the stuff
> that is required is already there. dnsmasq needs to fetch the
> DNSKEY record(s) of the . zone regularly and check if the KSK has
> changed. If so the signature needs to be validated of course and
> then the new key material needs to be stored somewhere on disk.
> If this is not implemented all instances that use DNSSEC won't work
> any more. As dnsmasq is often deployed on systems that are not too
> regularly updated (hardware routers and so on) I think it is a
> good idea to implement this RFC.
> As far as I know unbound and others support this RFC.
> Best, -Michael
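The key-tracking half of the RFC 5011 procedure Michael outlines (watch the root DNSKEY RRset, notice a new or revoked KSK, keep the stored anchors current) as an added example; this is not dnsmasq code and not from either author. It assumes the caller has already validated each DNSKEY RRset's RRSIG against a currently trusted key, uses constructed key-tag strings instead of real key tags, and models only the add/remove hold-down state machine, not the on-disk store or the fetch itself.

```python
from dataclasses import dataclass, field

SEP_FLAG = 0x0001             # DNSKEY Secure Entry Point bit (RFC 4034)
REVOKE_FLAG = 0x0080          # DNSKEY REVOKE bit (RFC 5011)
HOLD_DOWN = 30 * 24 * 3600    # RFC 5011 add/remove hold-down, in seconds


@dataclass
class Anchor:
    state: str   # "AddPend", "Valid", "Missing" or "Revoked"
    since: int   # time (seconds) at which the current state was entered


@dataclass
class TrustAnchorStore:
    """Tracks the trust anchors for one zone (here the root) per RFC 5011."""
    anchors: dict = field(default_factory=dict)

    def add_initial(self, tag, now):
        """Bootstrap anchor, e.g. the key shipped in an OS root-key package."""
        self.anchors[tag] = Anchor("Valid", now)

    def trusted(self):
        """Key tags a validator may currently use as trust anchors."""
        return sorted(t for t, a in self.anchors.items()
                      if a.state in ("Valid", "Missing"))

    def observe(self, now, dnskeys):
        """Process one DNSKEY RRset, given as (key_tag, flags) tuples, whose
        RRSIG the caller has already verified with a trusted key."""
        seen = {tag: flags for tag, flags in dnskeys if flags & SEP_FLAG}
        for tag, a in list(self.anchors.items()):
            if a.state == "Revoked" and now - a.since >= HOLD_DOWN:
                del self.anchors[tag]                 # remove hold-down elapsed
            elif tag not in seen and a.state == "AddPend":
                del self.anchors[tag]                 # must be seen continuously
            elif tag not in seen and a.state == "Valid":
                self.anchors[tag] = Anchor("Missing", now)   # still trusted
        for tag, flags in seen.items():
            a = self.anchors.get(tag)
            if flags & REVOKE_FLAG:
                if a is not None and a.state == "AddPend":
                    del self.anchors[tag]             # never trusted; drop it
                elif a is not None and a.state != "Revoked":
                    self.anchors[tag] = Anchor("Revoked", now)
            elif a is None:
                self.anchors[tag] = Anchor("AddPend", now)   # new key noticed
            elif a.state == "AddPend" and now - a.since >= HOLD_DOWN:
                self.anchors[tag] = Anchor("Valid", now)     # survived hold-down
            elif a.state == "Missing":
                self.anchors[tag] = Anchor("Valid", now)     # reappeared
        return self.trusted()
```

A key seen only briefly never reaches Valid, which is what protects a resolver that cannot otherwise be updated from accepting a key that was published by mistake or by an attacker who briefly held a trusted key.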