[Dnsmasq-discuss] IETF RFC 5011 "Automated Updates of DNS Security (DNSSEC) Trust Anchors" supported?

Simon Kelley simon at thekelleys.org.uk
Mon Oct 15 23:23:59 BST 2018


On 11/10/18 00:28, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> Hi,
> 
> the old root-KSK will be deleted today at 16:00 UTC and the TTLs will
> run out not later than 48 hours.
> 
> Does Dnsmasq support IETF RFC 5011 or are there any plans to implement
> IETF RFC 5011?
> 

No, and probably not.

My take on this is that anything running dnsmasq has net access, by
definition, and really should have a method of doing automatic updates
for security fixes, etc. As such it has a method of authentication put
in place by the software providers, and that is the best way to update
the root key.


The RFC5011 method is surprisingly limited. Any software image which only
has the original key "baked in" will not update to the new key using
RFC5011 now, since 5011 relies on a period when the new key is published
and the old still trusted during which the host is active.


Cheers,

Simon.

> Regards,
> 
> Renne
> 

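To make the overlap-period point in the reply above concrete, here is an added Python simulation (not dnsmasq code and not part of the original thread) of a deliberately simplified RFC 5011 trust-anchor state machine: it models the add hold-down timer and self-signed revocation, but not continuous polling or the remove hold-down. The key labels and the day-numbered timeline are constructed for the example.

```python
from dataclasses import dataclass, field

HOLD_DOWN_DAYS = 30  # RFC 5011 "add hold-down time"

@dataclass(frozen=True)
class Observation:
    day: int              # day the resolver polled the root DNSKEY RRset
    keys: frozenset       # keys present in the RRset (constructed labels)
    signed_by: frozenset  # keys whose RRSIGs cover the RRset
    revoked: frozenset = frozenset()  # keys carrying the REVOKE bit

@dataclass
class TrustAnchorStore:
    valid: set                                   # anchors trusted right now
    pending: dict = field(default_factory=dict)  # key -> day first seen
    revoked: set = field(default_factory=set)

    def observe(self, obs):
        """Apply one polled RRset; False if no trusted anchor signed it."""
        # 5011 only acts on an RRset signed by an anchor it already trusts,
        # so a resolver that slept through the overlap can never bootstrap.
        if not (obs.signed_by & self.valid):
            return False
        for key in obs.revoked & self.valid:
            if key in obs.signed_by:  # a revocation must be self-signed
                self.valid.discard(key)
                self.revoked.add(key)
        for key in obs.keys - self.valid - self.revoked:
            first_seen = self.pending.setdefault(key, obs.day)
            if obs.day - first_seen >= HOLD_DOWN_DAYS:
                self.valid.add(key)
                del self.pending[key]
        return True

def run(timeline):
    """Start from the baked-in old anchor and replay what the host saw."""
    store = TrustAnchorStore({OLD})
    for obs in timeline:
        store.observe(obs)
    return store.valid

# Constructed timeline (simplified: one poll per step, not continuous polling).
OLD, NEW = "KSK-old", "KSK-new"
TIMELINE = [
    Observation(0, frozenset({OLD, NEW}), frozenset({OLD})),    # new key published
    Observation(30, frozenset({OLD, NEW}), frozenset({OLD})),   # hold-down elapsed
    Observation(60, frozenset({OLD, NEW}), frozenset({OLD, NEW}), frozenset({OLD})),
    Observation(90, frozenset({NEW}), frozenset({NEW})),        # old key withdrawn
]
```

`run(TIMELINE)` models a host that was online throughout and ends trusting only the new key; `run(TIMELINE[3:])` models an image with only the old key baked in that first comes online after the old key is gone, and it stays stuck on the old key because nothing it sees is signed by an anchor it trusts.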