[ksk-rollover] RFC 5011 will not be implemented in Dnsmasq
Rene 'Renne' Bartsch, B.Sc. Informatics
ml at bartschnet.de
Mon Jan 7 18:14:53 UTC 2019
On 07.01.19 at 15:29, Peter van Dijk wrote:
> On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:
>> according to Simon Kelly, RFC 5011 is not sufficient for automatic DNSSEC key updates and will not be implemented in Dnsmasq (https://firstname.lastname@example.org/msg12448.html).
>> As the majority of SoHo routers use Dnsmasq as their DNS resolver, I suggest addressing this problem by discussing a suitable solution with Simon Kelly and the IETF working groups.
> The message already describes the right solution. There is no work to be done here.
> Quoting from your URL: “anything running dnsmasq has net access, by definition, and really should have a method of doing automatic updates for security fixes, etc. As such it has a method of authentication put in place by the software providers, and that is the best way to update the root key.”
The only SoHo routers in Germany doing automatic firmware updates (5 years) are the AVM Fritz!Boxes. All other routers need manual firmware updates. Cheap 20,- € routers get one manual firmware update at best.
Which KSK update mechanism should those sell-and-forget vendors use?