[Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?

Neil Jerram neil at tigera.io
Mon Oct 8 11:19:14 BST 2018


On Sun, Oct 7, 2018 at 12:05 PM Loganaden Velvindron <loganaden at gmail.com>
wrote:

> On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbthomas at pobox.com> wrote:
> >
> > What do I need to do to be ready for the DNSSEC Root KSK (key signing
> > key) rollover on October 11, 2018?
> >
>
> Well, dnsmasq already committed a patch for the new trust anchor:
>
>
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59


I was also looking into this last week, and would appreciate if anyone
wanted to review and confirm or correct my observations.

If I've understood correctly:

- An installation of dnsmasq can only possibly be impacted by the KSK
rollover if it
  - was built with HAVE_DNSSEC enabled; AND
  - is configured (--dnssec) to use DNSSEC at runtime; AND
  - is actually used as a DNS server / forwarder.

- There is no cross-dependency between DNSSEC and dnsmasq's DHCP and RA
function.  So if you're mainly using dnsmasq for DHCP and RA, as OpenStack
does, that function can't be degraded by not having installed or configured
the new DNSSEC KSK.

- While it is true that the dnsmasq repo has included the new KSK
fingerprint since February 2017 (as in the commit cited above), I couldn't
see anything hardcoded in the dnsmasq code to read and use the content of
trust-anchors.conf.  So, even if you have that file in your dnsmasq
install, and it includes the new KSK fingerprint, I _think_ you still need
to configure dnsmasq somehow to read that file and trust the fingerprints
in it (presumably at the same time as you'd configure --dnssec).

Any comments much appreciated.

     Neil
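As an added, stand-alone check (not dnsmasq's own code and not from anyone in this thread), the POSIX shell script below applies the three conditions listed above to an installation: it reads the `Compile time options:` line of `dnsmasq --version`, looks for a bare `dnssec` line in the config, and then looks for a `trust-anchor=` line for key tag 20326 (KSK-2017) either inline or in a `conf-file=` include. The sample config files it writes to a temp directory are constructed for the demonstration; the `trust-anchor=` line format and the KSK-2017 DS digest are the published ones.

```sh
#!/bin/sh
# Added check, not part of dnsmasq: classify an installation against the three
# conditions in the post (built with DNSSEC, --dnssec configured, KSK-2017
# trust anchor loaded). Sample inputs at the bottom are constructed.

ANCHOR_RE='^[[:space:]]*trust-anchor=\.,20326,'   # KSK-2017 has key tag 20326

# $1: the "Compile time options:" line. Space padding keeps "no-DNSSEC"
# (a build without DNSSEC support) from matching.
built_with_dnssec() {
    case " $1 " in *" DNSSEC "*) return 0 ;; *) return 1 ;; esac
}

# $1: config path. True when validation is switched on by a bare "dnssec" line.
config_enables_dnssec() {
    grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$1"
}

# $1: config path. True when the KSK-2017 anchor appears inline or in a file
# pulled in via conf-file= (conf-dir= directories are not followed here).
config_has_ksk2017() {
    grep -Eq "$ANCHOR_RE" "$1" && return 0
    for inc in $(sed -n 's/^[[:space:]]*conf-file=//p' "$1"); do
        [ -r "$inc" ] && grep -Eq "$ANCHOR_RE" "$inc" && return 0
    done
    return 1
}

# $1: compile-options line, $2: config path. Prints a one-word verdict:
# unaffected-build | unaffected-config | ready | missing-anchor
rollover_status() {
    built_with_dnssec "$1"     || { echo unaffected-build; return; }
    config_enables_dnssec "$2" || { echo unaffected-config; return; }
    config_has_ksk2017 "$2"    && echo ready || echo missing-anchor
}

# --- constructed sample inputs (temp files, not real system config) ---
WORK=$(mktemp -d)
cat > "$WORK/trust-anchors.conf" <<'EOF'
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
printf 'dnssec\nconf-file=%s/trust-anchors.conf\n' "$WORK" > "$WORK/validating.conf"
printf 'dhcp-range=10.0.0.10,10.0.0.100,12h\n' > "$WORK/dhcp-only.conf"
printf 'dnssec\n' > "$WORK/noanchor.conf"
OPTS_DNSSEC='IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify'
OPTS_NODNSSEC='IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth no-DNSSEC loop-detect inotify'

rollover_status "$OPTS_DNSSEC" "$WORK/validating.conf"   # ready
```

On a real host, feed it `dnsmasq --version | sed -n 's/^Compile time options: //p'` and the path to the running instance's config instead of the constructed samples.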