Re: DNS Key rollover for dnsmasq [SOLVED]

2018-10-07 Thread Rick Thomas


On Oct 7, 2018, at 3:36 AM, Eduardo M KALINOWSKI wrote:

> On 07-10-2018 07:11, Rick Thomas wrote:
>> On further study, it seems that (in Debian Stretch, at least) the root KSK’s 
>> used by dnsmasq are taken from the file /usr/share/dns/root.ds, which is 
>> provided by the package dns-root-data; and that package seems to be part of 
>> the standard Stretch installation.  That file lists both keys (the new 
>> “20326” and the old “19036”). So it’s all set to go.  No need to panic…  (-:
> 
> Where did you get that information from? I found nothing about
> dns-root-data in dnsmasq package.
> 
> I'd just add a new trust-anchor to the configuration. Just copy and
> paste from https://github.com/imp/dnsmasq/blob/master/trust-anchors.conf
> 
> -- 
>   What I fear is not the enemy's strategy, but our own
>   mistakes
>   -- Pericles, Greek philosopher
> 
> Eduardo M KALINOWSKI
> edua...@kalinowski.com.br

Hi Eduardo,

I got it from “ps auww `prep dnsmasq`” then following up what I saw by looking 
in /etc/init.d/dnsmasq, which is called by systemd in 
“/lib/systemd/system/dnsmasq.service” (as is the case for lots of services that 
still rely on /etc/init.d for startup).

Enjoy!
Rick


Re: DNS Key rollover

2018-10-07 Thread Rob van der Putten

Hi there


On 04/10/2018 20:32, Reco wrote:

> Please do not top post.
>
> On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
>
>> Hi, Henning.
>>
>> I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
>>
>> I don't know anything about bind. How do I know what bind version I am
>> running, and if I need to do anything regarding the change you mentioned?
>
> Stretch's bind has this public part of root's KSK:
>
> # grep -A2 20326 /etc/bind/bind.keys
> # This key (20326) is to be published in the root zone in 2017.
> # Servers which were already using the old key (19036) should
> # roll seamlessly to this new one via RFC 5011 rollover. Servers

I have an old config which just contains 19036.
However, the mkeys file in /var/cache/bind/ contains both. I think this
is due to 'dnssec-validation auto' in named.conf.

> If you have the same - there's nothing to do.
> If you don't - DNSSEC will stop working for you in seven days.
> If you do not use BIND - there's nothing to do.



Regards,
Rob



Re: DNS Key rollover for dnsmasq [SOLVED]

2018-10-07 Thread Rob van der Putten

Hi there


On 07/10/2018 12:36, Eduardo M KALINOWSKI wrote:

> On 07-10-2018 07:11, Rick Thomas wrote:
>
>> On further study, it seems that (in Debian Stretch, at least) the root KSK’s
>> used by dnsmasq are taken from the file /usr/share/dns/root.ds, which is
>> provided by the package dns-root-data; and that package seems to be part of the
>> standard Stretch installation.  That file lists both keys (the new “20326” and
>> the old “19036”). So it’s all set to go.  No need to panic…  (-:
>
> Where did you get that information from? I found nothing about
> dns-root-data in dnsmasq package.

It depends on dnsmasq-base, which recommends dns-root-data.
Stretch bind9 does not depend on dns-root-data. Backports does.

> I'd just add a new trust-anchor to the configuration. Just copy and
> paste from https://github.com/imp/dnsmasq/blob/master/trust-anchors.conf



Regards,
Rob



Re: DNS Key rollover for dnsmasq [SOLVED]

2018-10-07 Thread Eduardo M KALINOWSKI
On 07-10-2018 07:11, Rick Thomas wrote:
> On further study, it seems that (in Debian Stretch, at least) the root KSK’s 
> used by dnsmasq are taken from the file /usr/share/dns/root.ds, which is 
> provided by the package dns-root-data; and that package seems to be part of 
> the standard Stretch installation.  That file lists both keys (the new 
> “20326” and the old “19036”). So it’s all set to go.  No need to panic…  (-:

Where did you get that information from? I found nothing about
dns-root-data in dnsmasq package.

I'd just add a new trust-anchor to the configuration. Just copy and
paste from https://github.com/imp/dnsmasq/blob/master/trust-anchors.conf

-- 
What I fear is not the enemy's strategy, but our own
mistakes
-- Pericles, Greek philosopher

Eduardo M KALINOWSKI
edua...@kalinowski.com.br



Re: DNS Key rollover for dnsmasq [SOLVED]

2018-10-07 Thread Rick Thomas
H…

On further study, it seems that (in Debian Stretch, at least) the root KSK’s 
used by dnsmasq are taken from the file /usr/share/dns/root.ds, which is 
provided by the package dns-root-data; and that package seems to be part of the 
standard Stretch installation.  That file lists both keys (the new “20326” and 
the old “19036”). So it’s all set to go.  No need to panic…  (-:

Enjoy!
Rick


Re: DNS Key rollover

2018-10-07 Thread Rick Thomas


On Oct 4, 2018, at 11:32 AM, Reco  wrote:

> On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
>> Hi, Henning.
>> 
>> I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
>> 
>> I don't know anything about bind. How do I know what bind version I am
>> running, and if I need to do anything regarding the change you mentioned?
> 
> Stretch's bind has this public part of root's KSK:
> 
> # grep -A2 20326 /etc/bind/bind.keys
> # This key (20326) is to be published in the root zone in 2017.
> # Servers which were already using the old key (19036) should
> # roll seamlessly to this new one via RFC 5011 rollover. Servers
> 
> If you have the same - there's nothing to do.
> If you don't - DNSSEC will stop working for you in seven days.
> If you do not use BIND - there's nothing to do.
> 
> Reco

How about if I’m using dnsmasq? I’m running a more or less stock stretch with 
dnsmasq and this is what I see when I go looking for trust-anchors:

 cat /usr/share/dnsmasq-base/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 30/01/2014

# Note that this is a DS record (ie a hash of the root Zone Signing Key) 
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5


Which, IIUC, says it’s using root trust anchor ID 19036 extracted on Jan 30, 
2014, not ID 20326 extracted any time in the last 12 months.

Is there an update I have missed applying?

Thanks!
Rick
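As an added example (not code from this thread, from dnsmasq or from Debian), here is a small Python check of what a dnsmasq `trust-anchor=` line actually asserts: it parses the syntax quoted above, lists the root key tags that are configured so the presence of the 20326 anchor can be confirmed, and recomputes an RFC 4034 key tag and SHA-256 DS digest from a DNSKEY so a configured anchor can be matched against the key it is supposed to identify. The DNSKEY used in the test is a constructed dummy, not the real root KSK.

```python
import hashlib
import re
from dataclasses import dataclass

# dnsmasq syntax: trust-anchor=<zone>,<key tag>,<algorithm>,<digest type>,<digest>
ANCHOR_RE = re.compile(r"^\s*trust-anchor=([^,]+),(\d+),(\d+),(\d+),([0-9A-Fa-f]+)\s*$")

@dataclass(frozen=True)
class DS:
    zone: str
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # upper-case hex

def parse_trust_anchors(text):
    """DS records declared by trust-anchor= lines; comments and other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = ANCHOR_RE.match(line)
        if m:
            out.append(DS(m[1], int(m[2]), int(m[3]), int(m[4]), m[5].upper()))
    return out

def root_tags(text):
    """Key tags configured for the root zone, e.g. to check that 20326 is present."""
    return {a.keytag for a in parse_trust_anchors(text) if a.zone == "."}

def name_to_wire(name):
    """Owner name in DNS wire format; the root '.' is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for algorithms other than the obsolete RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_sha256(zone, rdata):
    """RFC 4034 section 5.1.4: SHA-256 over owner-name wire format plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()

def anchor_matches_key(anchor, flags, protocol, algorithm, pubkey):
    """True when a configured DS (digest type 2) really identifies the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (anchor.digest_type == 2 and anchor.algorithm == algorithm
            and anchor.keytag == key_tag(rdata) and anchor.digest == ds_sha256(anchor.zone, rdata))

# The single-anchor file quoted in the thread: only the 2010 root KSK, tag 19036.
STRETCH_ANCHORS = """# The root DNSSEC trust anchor, valid as at 30/01/2014
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
"""
```

Running `root_tags(STRETCH_ANCHORS)` on the quoted file returns only 19036, which is exactly the gap the message above describes.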


Re: DNS Key rollover

2018-10-04 Thread Default User
On Thu, Oct 4, 2018 at 2:33 PM Reco  wrote:

> Hi.
>
> Please do not top post.
>
> On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
> > Hi, Henning.
> >
> > I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
> >
> > I don't know anything about bind. How do I know what bind version I am
> > running, and if I need to do anything regarding the change you mentioned?
>
> Stretch's bind has this public part of root's KSK:
>
> # grep -A2 20326 /etc/bind/bind.keys
> # This key (20326) is to be published in the root zone in 2017.
> # Servers which were already using the old key (19036) should
> # roll seamlessly to this new one via RFC 5011 rollover. Servers
>
> If you have the same - there's nothing to do.
> If you don't - DNSSEC will stop working for you in seven days.
> If you do not use BIND - there's nothing to do.
>
> Reco
>


Hi, guys.

I don't even know what bind is.  But did some checking. AFAIK I never
installed it, don't use it, and it does not appear to exist on my system.

So apparently it is irrelevant for me, and will be ignored for now.
Thanks for the info.


Re: DNS Key rollover

2018-10-04 Thread Reco
Hi.

Please do not top post.

On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
> Hi, Henning.
> 
> I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
> 
> I don't know anything about bind. How do I know what bind version I am
> running, and if I need to do anything regarding the change you mentioned?

Stretch's bind has this public part of root's KSK:

# grep -A2 20326 /etc/bind/bind.keys
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key (19036) should
# roll seamlessly to this new one via RFC 5011 rollover. Servers

If you have the same - there's nothing to do.
If you don't - DNSSEC will stop working for you in seven days.
If you do not use BIND - there's nothing to do.

Reco



Re: DNS Key rollover

2018-10-04 Thread john doe
On 10/4/2018 8:15 PM, Default User wrote:
> Hi, Henning.
> 
> I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
> 
> I don't know anything about bind. How do I know what bind version I am
> running, and if I need to do anything regarding the change you mentioned?
> 

Are you using BIND at all?

-- 
John Doe



Re: DNS Key rollover

2018-10-04 Thread Default User
Hi, Henning.

I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.

I don't know anything about bind. How do I know what bind version I am
running, and if I need to do anything regarding the change you mentioned?


On Thu, Oct 4, 2018, 09:11 Henning Follmann wrote:

> Hello Everybody,
> just a small reminder. In one week (yes seven days) a new root anker must
> be used for dnssec resolver.
> If you run bind9 from  current debian stretch you should be fine.
> If you roll your own bind.keys file make sure the key with serial
> 20326 is loaded.
>
> happy resolving,
> -H
>
>
> --
> Henning Follmann   | hfollm...@itcfollmann.com
>
>