Source: dnsmasq
Version: 2.72-3+deb8u2
Severity: important
Tags: patch

Hi Simon,

The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October 2018 [1]. After this date, DNS resolvers will need to have the new key (KSK-2017) to perform DNSSEC validation.

[1] https://www.icann.org/news/announcement-2018-08-22-en

AFAICS, dnsmasq in stretch and jessie [2] currently lacks the new key, and unless the dns-root-data package is additionally installed, users relying on dnsmasq for DNS resolution may encounter problems once the rollover occurs.

[2] https://sources.debian.org/src/dnsmasq/2.76-5+deb9u1/trust-anchors.conf/
    https://sources.debian.org/src/dnsmasq/2.72-3+deb8u2/trust-anchors.conf/

I think cherry-picking the commit [3] should prevent this in both suites.

[3] http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59

Would you agree on this change, and, would you like to prepare the uploads by yourself?

I am CCing the security team to have their opinion, whether this should be handled via a security or a stable upload in stretch.

Concerning jessie, following the LTS workflow is required:
https://wiki.debian.org/LTS/Development
If that LTS workflow is a burden for you, a member of the LTS team could take care of it.

Best regards,

 -- Santiago

P.S. The hypothetical upload could also fix CVE-2017-15107 [3] ?

[3] https://security-tracker.debian.org/tracker/CVE-2017-15107
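
A way to check which root keys a given trust-anchors.conf carries, as an added example that is not part of the original report or of dnsmasq. It assumes the root KSK key tags (19036 for KSK-2010, 20326 for KSK-2017) and dnsmasq's trust-anchor=[class,]domain,key-tag,algorithm,digest-type,digest line format; the function name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the root-zone trust anchors found in a dnsmasq
# configuration fragment such as trust-anchors.conf.
# Key tags: 19036 = KSK-2010 (old key), 20326 = KSK-2017 (new key).

# root_anchor_status FILE  (hypothetical helper name)
# Prints one of: both | ksk2017-only | ksk2010-only | no-root-anchor
root_anchor_status() {
    awk '
        { gsub(/[ \t\r]/, "") }                  # tolerate stray whitespace
        /^#/ || !/^trust-anchor=/ { next }       # skip comments, other options
        {
            sub(/^trust-anchor=/, "")
            split($0, f, ",")
            i = 1
            if (f[1] ~ /^(IN|CH|HS)$/) i = 2     # optional class field (assumed set)
            if (f[i] != ".") next                # only anchors for the root zone
            tag = f[i + 1] + 0
            if (tag == 20326) have_new = 1
            else if (tag == 19036) have_old = 1
        }
        END {
            if (have_new && have_old) print "both"
            else if (have_new)        print "ksk2017-only"
            else if (have_old)        print "ksk2010-only"
            else                      print "no-root-anchor"
        }
    ' "$1"
}

# Constructed sample: a file that only carries the old key (digest elided).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, digest replaced by a placeholder
trust-anchor=.,19036,8,2,DIGEST-PLACEHOLDER
EOF
echo "sample: $(root_anchor_status "$sample")"
rm -f "$sample"
```

A result of ksk2010-only or no-root-anchor on a host that validates DNSSEC with dnsmasq and does not have dns-root-data installed is the situation the report describes.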