[ksk-rollover] RFC 5011 will not be implemented in Dnsmasq

Ralf Weber dns at fl1ger.de
Mon Jan 7 14:51:13 UTC 2019


On 7 Jan 2019, at 15:29, Peter van Dijk wrote:

> Hello,
> On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via 
> ksk-rollover wrote:
>> according to Simon Kelly RFC 5011 is not sufficient for automatic 
>> DNSSEC key updates and will not be implemented in Dnsmasq 
>> (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg12448.html).
>> As the majority of SoHo routers uses Dnsmasq as DNS resolver I 
>> suggest to address this problem by discussing a suitable solution 
>> with Simon Kelly and the IETF workgroups.
> The message already describes the right solution. There is no work to 
> be done here.

Well, we should make sure that we publish the new root key (not 
necessarily in DNS), and use it in updated software as soon as possible 
as it increases the likelihood of an upgrade between publishing and 
usage of the key.

I think most of the software vendors that use RFC5011 still supply the 
latest root key in the distribution.

So long
Ralf Weber
