[Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?
Loganaden Velvindron
loganaden at gmail.com
Sun Oct 7 11:26:59 BST 2018
On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbthomas at pobox.com> wrote:
>
> What do I need to do to be ready for the DNSSEC Root KSK (key signing key) rollover on October 11, 2018?
>
Well, dnsmasq already commited a patch for the new trust anchor :
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59
> As mentioned in CircleID article at
> http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
> and the ICANN page at
> • https://www.icann.org/kskroll
>
> I’m running a more or less stock-out-of-the-box Debian Stretch with the latest (for Stretch) dnsmasq version 2.76-5+deb9u1.
>
> > cat /usr/share/dnsmasq-base/trust-anchors.conf
> > # The root DNSSEC trust anchor, valid as at 30/01/2014
> >
> > # Note that this is a DS record (ie a hash of the root Zone Signing Key)
> > # If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml
> >
> > trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
>
> Which, IIUC, says it’s using root trust anchor ID 19036 extracted on Jan 30, 2014, not ID 20326 extracted any time in the last 12 months.
>
> Is there an update I have missed applying? I see that Debian Sid is on version 2.79-1.
>
> Thanks!
> Rick
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
More information about the Dnsmasq-discuss
mailing list