[Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?
Rick Thomas
rbthomas at pobox.com
Sun Oct 7 10:52:24 BST 2018
What do I need to do to be ready for the DNSSEC Root KSK (key signing key) rollover on October 11, 2018?
As mentioned in CircleID article at
http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
and the ICANN page at
• https://www.icann.org/kskroll
I’m running a more or less stock-out-of-the-box Debian Stretch with the latest (for Stretch) dnsmasq version 2.76-5+deb9u1.
> cat /usr/share/dnsmasq-base/trust-anchors.conf
> # The root DNSSEC trust anchor, valid as at 30/01/2014
>
> # Note that this is a DS record (ie a hash of the root Zone Signing Key)
> # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
>
> trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
Which, IIUC, says it’s using root trust anchor ID 19036 extracted on Jan 30, 2014, not ID 20326 extracted any time in the last 12 months.
Is there an update I have missed applying? I see that Debian Sid is on version 2.79-1.
Thanks!
Rick
More information about the Dnsmasq-discuss
mailing list