I've considered it, and in an ideal world would like to implement it. My experience is that _nothing_ to do with DNSSEC is "not too difficult" and, to be honest, any system deploying the releases of dnsmasq with DNSSEC to date which can't be updated is in a bad way anyway. I hope we're close to a stable implementation now, so maybe now is the time to start thinking about this. Of course this is only relevant if the root key really does get rolled sometime soon, and if that doesn't cause the end of the world.
My ideal would be to have a stand-alone RFC5011 daemon, which is responsible for keeping the OS's idea of the root key(s) up-to-date. Debian already has a package which provides a central copy of the root keys, and dnsmasq will use these if it's installed. Having something which does that but dynamically updates them would be good.

Cheers,

Simon.

On 23/07/15 10:18, Michael Tremer wrote:
> Hello Simon, hello list,
>
> I was just wondering if someone has ever considered supporting
> RFC5011 in dnsmasq:
>
> https://tools.ietf.org/html/rfc5011
>
> This will automatically update the trust anchor in case the KSK of
> the root zone is replaced, which will probably happen this year.
>
> The implementation should not be too difficult. Most of the stuff
> that is required is already there. dnsmasq needs to fetch the
> DNSKEY record(s) of the . zone regularly and check if the KSK has
> changed. If so, the signature needs to be validated of course and
> then the new key material needs to be stored somewhere on disk.
>
> If this is not implemented, all instances that use DNSSEC won't work
> any more. As dnsmasq is often deployed on systems that are not too
> regularly updated (hardware routers and so on) I think it is a
> good idea to implement this RFC.
>
> As far as I know unbound and others support this RFC.
>
> Best,
> -Michael
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasqemail@example.com
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
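The RFC 5011 bookkeeping Michael sketches above (poll the root DNSKEY RRSet, notice a new or revoked KSK, accept it only after validation and a hold-down) as an added Python example; this is not code from dnsmasq or from either poster. It assumes the caller has already verified the RRSIGs over the DNSKEY RRSet with a DNSSEC validator and maps each DNSKEY to an opaque, stable key id; the TTL component of the add hold-down and the on-disk store Simon mentions are left out.

```python
from dataclasses import dataclass
ADD_HOLD_DOWN = REMOVE_HOLD_DOWN = 30 * 86400  # RFC 5011 hold-downs: 30 days (seconds)
SEP, REVOKE = 0x0001, 0x0080                    # DNSKEY flag bits

@dataclass
class Anchor:
    state: str      # AddPend, Valid, Missing or Revoked (Start/Removed = absent)
    since: float    # time the current hold-down began
    seen: int = 0   # polls in which an AddPend key was present (needs >= 2)

class TrustPoint:
    """RFC 5011 trust anchor state machine for one zone (e.g. the root).
    Keys are opaque ids; RRSIG verification is assumed done by the caller."""
    def __init__(self, initial_ids):
        self.keys = {k: Anchor("Valid", 0.0) for k in initial_ids}

    def trusted(self):
        # Valid and Missing keys remain usable as trust anchors
        return {k for k, a in self.keys.items() if a.state in ("Valid", "Missing")}

    def observe(self, now, dnskeys, signers):
        """Apply one poll: dnskeys maps id -> flags, signers holds the ids whose
        RRSIG over the DNSKEY RRSet verified. Returns False if the poll is ignored."""
        if not signers & self.trusted():
            return False                           # not signed by a trusted key
        for kid, flags in dnskeys.items():
            a = self.keys.get(kid)
            if not flags & SEP:
                continue                           # only SEP keys can be anchors
            if flags & REVOKE:                     # RevBit counts only if self-signed
                if kid in signers and a and a.state in ("Valid", "Missing"):
                    self.keys[kid] = Anchor("Revoked", now)
                elif kid in signers and a and a.state == "AddPend":
                    del self.keys[kid]             # AddPend + RevBit -> Start
            elif a is None and kid in signers:     # NewKey must be self-signed
                self.keys[kid] = Anchor("AddPend", now, 1)
            elif a and a.state == "AddPend":
                a.seen += 1
                if a.seen >= 2 and now - a.since >= ADD_HOLD_DOWN:
                    a.state = "Valid"              # AddTime: now trusted
            elif a and a.state == "Missing":
                a.state = "Valid"                  # KeyPres
        for kid, a in list(self.keys.items()):
            if a.state == "AddPend" and kid not in dnskeys:
                del self.keys[kid]                 # KeyRem before AddTime -> Start
            elif a.state == "Valid" and kid not in dnskeys:
                a.state = "Missing"                # KeyRem
            elif a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN:
                del self.keys[kid]                 # RemTime -> Removed
        return True
```

A daemon of the kind Simon describes would call `observe()` on each poll and write `trusted()` to the system's trust anchor file whenever it changes.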