Discussion:
[Dnsmasq-discuss] IETF RFC 5011 "Automated Updates of DNS Security (DNSSEC) Trust Anchors" supported?
Rene 'Renne' Bartsch, B.Sc. Informatics
2018-10-10 23:28:17 UTC
Hi,

the old root-KSK will be deleted today at 16:00 UTC and the TTLs will run out not later than 48 hours.

Does Dnsmasq support IETF RFC 5011 or are there any plans to implement IETF RFC 5011?

Regards,

Renne
Simon Kelley
2018-10-15 22:23:59 UTC
Post by Rene 'Renne' Bartsch, B.Sc. Informatics
> Hi,
> the old root-KSK will be deleted today at 16:00 UTC and the TTLs will
> run out not later than 48 hours.
> Does Dnsmasq support IETF RFC 5011 or are there any plans to implement IETF RFC 5011?

No, and probably not.

My take on this is that anything running dnsmasq has net access, by
definition, and really should have a method of doing automatic updates
for security fixes, etc. As such it has a method of authentication put
in place by the software providers, and that is the best way to update
the root key.


The RFC5011 method is surprisingly limited. Any software image which only
has the original key "baked in" will not update to the new key using
RFC5011 now, since 5011 relies on a period when the new key is published
and the old still trusted during which the host is active.


Cheers,

Simon.
Post by Rene 'Renne' Bartsch, B.Sc. Informatics
> Regards,
> Renne
_______________________________________________
Dnsmasq-discuss mailing list
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
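
The limitation described in the reply above, as an added simulation that is not part of the thread and is not dnsmasq code: a resolver only adopts a new key if it sees it, in a DNSKEY RRset validated by an anchor it already trusts, across the RFC 5011 add hold-down time (30 days). The day numbers and the names `RootZone`, `run_resolver` and `validates` are constructed for illustration.

```python
from dataclasses import dataclass

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down time

@dataclass
class RootZone:
    """Constructed rollover timeline, in days since the image was built."""
    new_published: int  # day the new KSK first appears in the DNSKEY RRset
    old_removed: int    # day the old KSK is removed and stops signing

    def dnskey_rrset(self, day):
        """Return (keys present in the RRset, keys that sign it) on a given day."""
        keys = set()
        if day < self.old_removed:
            keys.add("old")
        if day >= self.new_published:
            keys.add("new")
        signers = {"old"} if day < self.old_removed else {"new"}
        return keys, signers

def run_resolver(zone, online_days, anchors=("old",)):
    """Replay the days a host is online; return the trust anchors it ends up with."""
    trusted = set(anchors)
    first_seen = {}  # pending key -> day first seen in a validated RRset
    for day in sorted(online_days):
        keys, signers = zone.dnskey_rrset(day)
        if not (signers & trusted):
            continue  # RRset does not validate with any held anchor: ignore it
        for key in list(first_seen):
            if key not in keys:
                del first_seen[key]  # key vanished from a valid RRset: timer resets
        for key in keys - trusted:
            first_seen.setdefault(key, day)
            if day - first_seen[key] >= ADD_HOLD_DOWN_DAYS:
                trusted.add(key)
    return trusted

def validates(zone, trusted, day):
    """True if the host can still validate the root DNSKEY RRset on that day."""
    _, signers = zone.dnskey_rrset(day)
    return bool(signers & trusted)

if __name__ == "__main__":
    zone = RootZone(new_published=100, old_removed=500)  # constructed timeline
    for name, days in [("always on", range(0, 600)),
                       ("first boot after removal", range(520, 600)),
                       ("online 20 days before removal", range(480, 600))]:
        anchors = run_resolver(zone, days)
        print(f"{name}: anchors={sorted(anchors)} validates={validates(zone, anchors, 599)}")
```
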