[ksk-rollover] RFC 5011 will not be implemented in Dnsmasq
dns at fl1ger.de
Mon Jan 7 14:51:13 UTC 2019
On 7 Jan 2019, at 15:29, Peter van Dijk wrote:
> On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via
> ksk-rollover wrote:
>> according to Simon Kelly RFC 5011 is not sufficient for automatic
>> DNSSEC key updates and will not be implemented in Dnsmasq.
>> As the majority of SoHo routers uses Dnsmasq as DNS resolver I
>> suggest to address this problem by discussing a suitable solution
>> with Simon Kelly and the IETF workgroups.
> The message already describes the right solution. There is no work to
> be done here.
Well, we should make sure that we publish the new root key (not
necessarily in DNS), and use it in updated software as soon as possible
as it increases the likelihood of an upgrade between publishing and
usage of the key.
I think most of the software vendors that use RFC5011 still supply the
latest root key in the distribution.