On 11/10/18 00:28, Rene 'Renne' Bartsch, B.Sc. Informatics wrote:
> Hi,
> 
> the old root-KSK will be deleted today at 16:00 UTC and the TTLs will
> run out not later than 48 hours.
> 
> Does Dnsmasq support IETF RFC 5011 or are there any plans to implement
> IETF RFC 5011?
> 

No, and probably not.

My take on this is that anything running dnsmasq has net access, by
definition, and really should have a method of doing automatic updates
for security fixes, etc. As such it has a method of authentication put
in place by the software providers, and that is the best way to update
the root key.


The RFC5011 method is surprisingly limited. Any software image with only
has the original key "baked in" will not update to the new key using
RFC5011 now, since 5011 relies on a period when the new key is published
and the old still trusted during which the host is active.


Cheers,

Simon.

> Regards,
> 
> Renne
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> 


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to