On Sun, Oct 7, 2018 at 12:05 PM Loganaden Velvindron <logana...@gmail.com>

> On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbtho...@pobox.com> wrote:
> >
> > What do I need to do to be ready for the DNSSEC Root KSK (key signing
> key) rollover on October 11, 2018?
> >
> Well, dnsmasq already commited a patch for the new trust anchor :
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59

I was also looking into this last week, and would appreciate if anyone
wanted to review and confirm or correct my observations.

If I've understood correctly:

- An installation of dnsmasq can only possibly be impacted by the KSK
rollover if it
  - was built with HAVE_DNSSEC enabled; AND
  - is configured (--dnssec) to use DNSSEC at runtime; AND
  - is actually used as a DNS server / forwarder.

- There is no cross-dependency between DNSSEC and dnsmasq's DHCP and RA
function.  So if you're mainly using dnsmasq for DHCP and RA, as OpenStack
does, that function can't be degraded by not having installed or configured
the new DNSSEC KSK.

- While it is true that the dnsmasq repo has included the new KSK
fingerprint since February 2017 (as in the commit cited above), I couldn't
see anything hardcoded in the dnsmasq code to read and use the content of
trust-anchors.conf.  So, even if you have that file in your dnsmasq
install, and it includes the new KSK fingerprint, I _think_ you still need
to configure dnsmasq somehow to read that file and trust the fingerprints
in it (presumably at the same time as you'd configure --dnssec).

Any comments much appreciated.

Dnsmasq-discuss mailing list

Reply via email to