[ksk-rollover] RFC 5011 will not be implemented in Dnsmasq

Peter van Dijk peter.van.dijk at powerdns.com
Mon Jan 7 14:29:38 UTC 2019


On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via 
ksk-rollover wrote:

> according to Simon Kelly RFC 5011 is not sufficient for automatic 
> DNSSEC key updates and will not be implemented in Dnsmasq 
> (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg12448.html).
> As the majority of SoHo routers uses Dnsmasq as DNS resolver I suggest 
> to address this problem by discussing a suitable solution with Simon 
> Kelly and the IETF workgroups.

The message already describes the right solution. There is no work to be 
done here.

Quoting from your URL: “anything running dnsmasq has net access, by 
definition, and really should have a method of doing automatic updates 
for security fixes, etc. As such it has a method of authentication put 
in place by the software providers, and that is the best way to update 
the root key.”

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
