Hello Simon, hello list,

I was just wondering if someone has ever considered supporting RFC 5011 in dnsmasq: https://tools.ietf.org/html/rfc5011

This will automatically update the trust anchor in case the KSK of the root zone is replaced, which will probably happen this year. The implementation should not be too difficult; most of the stuff that is required is already there. dnsmasq needs to fetch the DNSKEY record(s) of the . zone regularly and check if the KSK has changed. If so, the signature needs to be validated, of course, and then the new key material needs to be stored somewhere on disk.

If this is not implemented, all instances that use DNSSEC won't work any more. As dnsmasq is often deployed on systems that are not updated too regularly (hardware routers and so on), I think it is a good idea to implement this RFC. As far as I know, unbound and others support this RFC.

Best,
-Michael
Dnsmasq-discuss mailing list, Dnsmasq-discuss@lists.thekelleys.org.uk, http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
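The rollover procedure the post sketches (poll the root DNSKEY RRset, notice a new KSK, validate, persist the result) is the RFC 5011 trust-anchor state machine. The following is an added illustration written for this page; it is not dnsmasq code, not unbound code, and not part of the original message. It assumes the caller has already fetched the DNSKEY RRset and cryptographically verified its RRSIGs, and passes the set of keys whose signatures checked out as `signed_by`; the class names, the `DAY`-based hold-down constants and the constructed key labels (`OLD-KSK`, `NEW-KSK`) are all assumptions of this example. Keys are tracked by their public key material rather than key tag, because setting the REVOKE bit changes the flags and therefore the key tag of the same key.

```python
"""Simplified RFC 5011 trust-anchor state machine (added illustration, not dnsmasq code).

Assumes the caller has fetched the zone's DNSKEY RRset and verified its RRSIGs;
`signed_by` names the keys whose signatures were good. Hold-down timers use the
30-day minimum from RFC 5011, section 2.4.1.
"""
import json
from dataclasses import dataclass

SEP_FLAG = 0x0001        # Secure Entry Point bit: the key is a KSK candidate
REVOKE_FLAG = 0x0080     # REVOKE bit (RFC 5011, section 2.1)
DAY = 24 * 3600
ADD_HOLD_DOWN = 30 * DAY     # a new key must be seen continuously this long
REMOVE_HOLD_DOWN = 30 * DAY  # a revoked key is forgotten after this long


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    public_key: str  # base64 key material in real records; an opaque label here


class TrustAnchorStore:
    def __init__(self, initial_keys):
        # public_key -> {"state": Valid|AddPend|Missing|Revoked, "since": unix time}
        self.anchors = {k: {"state": "Valid", "since": 0} for k in initial_keys}

    def state_of(self, public_key):
        entry = self.anchors.get(public_key)
        return entry["state"] if entry else None

    def valid_keys(self):
        return {k for k, a in self.anchors.items() if a["state"] == "Valid"}

    def poll(self, rrset, signed_by, now):
        """Feed one signature-checked DNSKEY RRset into the state machine."""
        # Only an RRset signed by a currently trusted key may change the anchors.
        if not (set(signed_by) & self.valid_keys()):
            return "ignored: RRset not signed by a currently valid trust anchor"
        seen = {k.public_key: k for k in rrset}
        for pk, key in seen.items():
            entry = self.anchors.get(pk)
            if key.flags & REVOKE_FLAG:
                # A revocation counts only if the revoked key signed the RRset itself.
                if entry and pk in signed_by and entry["state"] in ("Valid", "Missing"):
                    self.anchors[pk] = {"state": "Revoked", "since": now}
                elif entry and entry["state"] == "AddPend":
                    del self.anchors[pk]
                continue
            if not key.flags & SEP_FLAG:
                continue  # ZSKs never become trust anchors
            if entry is None:
                self.anchors[pk] = {"state": "AddPend", "since": now}
            elif entry["state"] == "AddPend" and now - entry["since"] >= ADD_HOLD_DOWN:
                self.anchors[pk] = {"state": "Valid", "since": now}
            elif entry["state"] == "Missing":
                self.anchors[pk] = {"state": "Valid", "since": now}
        for pk, entry in list(self.anchors.items()):
            if pk not in seen and entry["state"] == "AddPend":
                del self.anchors[pk]  # hold-down restarts if the key reappears
            elif pk not in seen and entry["state"] == "Valid":
                self.anchors[pk] = {"state": "Missing", "since": now}
            elif entry["state"] == "Revoked" and now - entry["since"] >= REMOVE_HOLD_DOWN:
                del self.anchors[pk]
        return "ok"

    # Persistence: the learned anchors must survive a restart, as the post asks for.
    def to_json(self):
        return json.dumps(self.anchors, sort_keys=True)

    @classmethod
    def from_json(cls, text):
        store = cls([])
        store.anchors = json.loads(text)
        return store

    def save(self, path):
        with open(path, "w") as f:
            f.write(self.to_json())

    @classmethod
    def load(cls, path):
        with open(path) as f:
            return cls.from_json(f.read())


def rollover_demo():
    """Walk a constructed KSK rollover through the machine; returns observed states."""
    old = DNSKEY(SEP_FLAG, "OLD-KSK")
    new = DNSKEY(SEP_FLAG, "NEW-KSK")
    old_revoked = DNSKEY(SEP_FLAG | REVOKE_FLAG, "OLD-KSK")
    store = TrustAnchorStore(["OLD-KSK"])
    states = []
    store.poll([old, new], {"OLD-KSK"}, now=0)
    states.append(store.state_of("NEW-KSK"))          # AddPend
    store.poll([old, new], {"OLD-KSK"}, now=10 * DAY)
    states.append(store.state_of("NEW-KSK"))          # still AddPend
    store.poll([old, new], {"OLD-KSK"}, now=31 * DAY)
    states.append(store.state_of("NEW-KSK"))          # Valid after the hold-down
    store.poll([old_revoked, new], {"OLD-KSK", "NEW-KSK"}, now=60 * DAY)
    states.append(store.state_of("OLD-KSK"))          # Revoked (self-signed revocation)
    store.poll([new], {"NEW-KSK"}, now=95 * DAY)
    states.append(store.state_of("OLD-KSK"))          # None: removed after hold-down
    return states


if __name__ == "__main__":
    print(rollover_demo())
```

The two checks a resolver implementer cares about are both visible in `poll`: an RRset that no currently valid anchor signed is ignored outright, so a new SEP key can only enter the pending set through the existing chain of trust, and a revocation is honoured only when the revoked key itself signed the RRset. Continuous presence during the add hold-down is approximated by dropping a pending key the moment it goes missing; a production implementation would also refresh at the interval RFC 5011 derives from the RRSIG validity period rather than on the fixed schedule this demo uses.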