On Sun, Oct 7, 2018 at 12:05 PM Loganaden Velvindron <logana...@gmail.com> wrote:
> On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbtho...@pobox.com> wrote: > > > > What do I need to do to be ready for the DNSSEC Root KSK (key signing > key) rollover on October 11, 2018? > > > > Well, dnsmasq already commited a patch for the new trust anchor : > > > http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59 I was also looking into this last week, and would appreciate if anyone wanted to review and confirm or correct my observations. If I've understood correctly: - An installation of dnsmasq can only possibly be impacted by the KSK rollover if it - was built with HAVE_DNSSEC enabled; AND - is configured (--dnssec) to use DNSSEC at runtime; AND - is actually used as a DNS server / forwarder. - There is no cross-dependency between DNSSEC and dnsmasq's DHCP and RA function. So if you're mainly using dnsmasq for DHCP and RA, as OpenStack does, that function can't be degraded by not having installed or configured the new DNSSEC KSK. - While it is true that the dnsmasq repo has included the new KSK fingerprint since February 2017 (as in the commit cited above), I couldn't see anything hardcoded in the dnsmasq code to read and use the content of trust-anchors.conf. So, even if you have that file in your dnsmasq install, and it includes the new KSK fingerprint, I _think_ you still need to configure dnsmasq somehow to read that file and trust the fingerprints in it (presumably at the same time as you'd configure --dnssec). Any comments much appreciated. Neil
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss