by default in the Debian/Ubuntu package it looks like this:


root@sirius:~# dpkg -l | fgrep dnsmasq

ii  dnsmasq                               2.79-1                            all 
         Small caching DNS proxy and DHCP/TFTP server

ii  dnsmasq-base                          2.79-1                            
amd64        Small caching DNS proxy and DHCP/TFTP server

ii  dnsmasq-utils                         2.79-1                            
amd64        Utilities for manipulating DHCP leases


The new anchor was included long ago:


root@sirius:~# cat /usr/share/dnsmasq-base/trust-anchors.conf

# The root DNSSEC trust anchor, valid as at 10/02/2017


# Note that this is a DS record (ie a hash of the root Zone Signing Key)

# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml





(this is shipped with the above mentioned “dnsmasq-base” package).


In the default config file of dnsmasq, there is this line:


root@sirius:/etc# cat dnsmasq.conf.dpkg-dist  | fgrep trust



So everything is there to configure it correctly. By default DNSSEC is not 
enabled anyways, but a user who wants to enable it can easily do it by 
uncommenting and fixing the above path. IMHO, it could be improved in the 
debian package to have the correct path in the default file (instead of 
%%PREFIX%%). This looks like a bug in the debian package installer.





Uwe Schindler

Achterdiek 19, D-28357 Bremen

http://www.thetaphi.de <http://www.thetaphi.de/> 

eMail: u...@thetaphi.de


From: Dnsmasq-discuss <dnsmasq-discuss-boun...@lists.thekelleys.org.uk> On 
Behalf Of Neil Jerram
Sent: Monday, October 8, 2018 12:19 PM
To: logana...@gmail.com
Cc: dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>
Subject: Re: [Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 


On Sun, Oct 7, 2018 at 12:05 PM Loganaden Velvindron <logana...@gmail.com 
<mailto:logana...@gmail.com> > wrote:

On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbtho...@pobox.com 
<mailto:rbtho...@pobox.com> > wrote:
> What do I need to do to be ready for the DNSSEC Root KSK (key signing key) 
> rollover on October 11, 2018?

Well, dnsmasq already commited a patch for the new trust anchor :



I was also looking into this last week, and would appreciate if anyone wanted 
to review and confirm or correct my observations.


If I've understood correctly:


- An installation of dnsmasq can only possibly be impacted by the KSK rollover 
if it

  - was built with HAVE_DNSSEC enabled; AND

  - is configured (--dnssec) to use DNSSEC at runtime; AND

  - is actually used as a DNS server / forwarder.


- There is no cross-dependency between DNSSEC and dnsmasq's DHCP and RA 
function.  So if you're mainly using dnsmasq for DHCP and RA, as OpenStack 
does, that function can't be degraded by not having installed or configured the 


- While it is true that the dnsmasq repo has included the new KSK fingerprint 
since February 2017 (as in the commit cited above), I couldn't see anything 
hardcoded in the dnsmasq code to read and use the content of 
trust-anchors.conf.  So, even if you have that file in your dnsmasq install, 
and it includes the new KSK fingerprint, I _think_ you still need to configure 
dnsmasq somehow to read that file and trust the fingerprints in it (presumably 
at the same time as you'd configure --dnssec).


Any comments much appreciated.





Dnsmasq-discuss mailing list

Reply via email to