[Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?

Uwe Schindler uwe at thetaphi.de
Mon Oct 8 13:22:01 BST 2018


Hi,

 

by default in the Debian/Ubuntu package it looks like this:

 

root at sirius:~# dpkg -l | fgrep dnsmasq

ii  dnsmasq                               2.79-1                            all          Small caching DNS proxy and DHCP/TFTP server

ii  dnsmasq-base                          2.79-1                            amd64        Small caching DNS proxy and DHCP/TFTP server

ii  dnsmasq-utils                         2.79-1                            amd64        Utilities for manipulating DHCP leases

 

The new anchor was included long ago:

 

root at sirius:~# cat /usr/share/dnsmasq-base/trust-anchors.conf

# The root DNSSEC trust anchor, valid as at 10/02/2017

 

# Note that this is a DS record (ie a hash of the root Zone Signing Key)

# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

 

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

 

(this is shipped with the above mentioned “dnsmasq-base” package).

 

In the default config file of dnsmasq, there is this line:

 

root at sirius:/etc# cat dnsmasq.conf.dpkg-dist  | fgrep trust

#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf

 

So everything is there to configure it correctly. By default DNSSEC is not enabled anyways, but a user who wants to enable it can easily do it by uncommenting and fixing the above path. IMHO, it could be improved in the debian package to have the correct path in the default file (instead of %%PREFIX%%). This looks like a bug in the debian package installer.

 

Uwe

 

-----

Uwe Schindler

Achterdiek 19, D-28357 Bremen

http://www.thetaphi.de <http://www.thetaphi.de/> 

eMail: uwe at thetaphi.de

 

From: Dnsmasq-discuss <dnsmasq-discuss-bounces at lists.thekelleys.org.uk> On Behalf Of Neil Jerram
Sent: Monday, October 8, 2018 12:19 PM
To: loganaden at gmail.com
Cc: dnsmasq-discuss <dnsmasq-discuss at lists.thekelleys.org.uk>
Subject: Re: [Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?

 

On Sun, Oct 7, 2018 at 12:05 PM Loganaden Velvindron <loganaden at gmail.com <mailto:loganaden at gmail.com> > wrote:

On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbthomas at pobox.com <mailto:rbthomas at pobox.com> > wrote:
>
> What do I need to do to be ready for the DNSSEC Root KSK (key signing key) rollover on October 11, 2018?
>

Well, dnsmasq already commited a patch for the new trust anchor :

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59

 

I was also looking into this last week, and would appreciate if anyone wanted to review and confirm or correct my observations.

 

If I've understood correctly:

 

- An installation of dnsmasq can only possibly be impacted by the KSK rollover if it

  - was built with HAVE_DNSSEC enabled; AND

  - is configured (--dnssec) to use DNSSEC at runtime; AND

  - is actually used as a DNS server / forwarder.

 

- There is no cross-dependency between DNSSEC and dnsmasq's DHCP and RA function.  So if you're mainly using dnsmasq for DHCP and RA, as OpenStack does, that function can't be degraded by not having installed or configured the new DNSSEC KSK. 

 

- While it is true that the dnsmasq repo has included the new KSK fingerprint since February 2017 (as in the commit cited above), I couldn't see anything hardcoded in the dnsmasq code to read and use the content of trust-anchors.conf.  So, even if you have that file in your dnsmasq install, and it includes the new KSK fingerprint, I _think_ you still need to configure dnsmasq somehow to read that file and trust the fingerprints in it (presumably at the same time as you'd configure --dnssec).

 

Any comments much appreciated.

 

     Neil

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20181008/d2f3fba4/attachment.html>


More information about the Dnsmasq-discuss mailing list