[ksk-rollover] new ksk and DNS software vendors

manu tman chantr4 at gmail.com
Thu Mar 28 16:16:17 UTC 2019


On Thu, Mar 28, 2019 at 4:58 PM David Conrad <david.conrad at icann.org> wrote:

> Hi,
>
> On Mar 28, 2019, at 7:39 AM, manu tman <chantr4 at gmail.com> wrote:
>
> The update will apply uniformly to all DNS software shipped by the
> distros; there is no need to rebuild/recompile anything which involves DNS
> software. The package is pretty trivial to update, and assuming 4 major OSS
> DNS software packages, overhead drops by 3/4, or even close to 0 if some form of
> automation is put in place.
>
>
> I suspect the most common resolvers on the Internet today are either
> Microsoft DNS or some version of DNSMasq. Have those vendors weighed in on
> the triviality of update of their installed base?
Thanks David,

Fair point. I suppose Microsoft can handle software updates; for DNSMasq
within common distros I don't see why it could not be handled the same way,
or at least it does not seem impossible. Same for systemd-resolved.

There will definitely be other cases, like the year-on-a-shelf devices, but
I guess this is a different problem. On the assumption that there is
software continuity, this mechanism could be a way to relatively quickly
push security updates.

There were also some discussions around how to deal with the devices that
spent a year on a shelf. I suppose one way out is that if such a machine
could not resolve DNS because its keys are outdated, it would need
to perform a non-validating query and get them off the IANA website or other
pre-set vendor websites that mirror the keys, relying on the SSL cert. But
that could open a window to install the wrong keys.
Update continuity and bootstrapping outdated software will most likely end
up having different solutions.

Manu
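A worked example of the bootstrap check sketched in the message above, added here as illustration (it is not code from the list, from IANA, or from any DNS vendor): a stale device fetches a trust-anchor file over TLS and obtains the current root DNSKEY with a non-validating query, then confirms the key matches an anchor entry (key tag, algorithm, DS digest per RFC 4034, and the validFrom/validUntil window) before installing it. The file layout assumed is the IANA root-anchors.xml one (TrustAnchor, Zone, KeyDigest with KeyTag, Algorithm, DigestType, Digest); the key bytes and the anchor XML are constructed for the example, not real root key material, and the function names are this example's own.

```python
"""Verify a root DNSKEY (from a non-validating query) against a trust-anchor
file in the root-anchors.xml layout (fetched separately over TLS).

Added example for this thread, not code from the list, IANA, or any vendor.
Assumed: root-anchors.xml layout; DNSKEY given as RDATA fields. The key
material and anchor XML below are constructed, not real root keys.
"""
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def name_to_wire(name):
    """Canonical (lower-cased) wire form of an owner name; '.' -> b'\\x00'."""
    name = name.rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        out += bytes([len(label)]) + label.lower().encode()
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner wire form || DNSKEY RDATA); 1=SHA-1, 2=SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def _ts(value):
    # root-anchors.xml uses ISO 8601 with a +00:00 offset; None if absent.
    return datetime.fromisoformat(value) if value else None


def parse_anchors(xml_text):
    """Return one dict per <KeyDigest> entry of a root-anchors.xml document."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone", ".")
    anchors = []
    for kd in root.findall("KeyDigest"):
        anchors.append({
            "zone": zone,
            "id": kd.get("id"),
            "valid_from": _ts(kd.get("validFrom")),
            "valid_until": _ts(kd.get("validUntil")),
            "key_tag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
        })
    return anchors


def matching_anchor(anchors, owner, rdata, now=None):
    """Anchor entry the DNSKEY matches and that is valid at `now`, else None."""
    now = now or datetime.now(timezone.utc)
    tag, alg = key_tag(rdata), rdata[3]
    for a in anchors:
        if a["valid_from"] and now < a["valid_from"]:
            continue
        if a["valid_until"] and now >= a["valid_until"]:
            continue
        if a["key_tag"] != tag or a["algorithm"] != alg:
            continue
        if ds_digest(owner, rdata, a["digest_type"]) == a["digest"]:
            return a
    return None


# Constructed sample: a fake KSK (flags 257, proto 3, alg 8) with dummy key bytes.
SAMPLE_KEY = dnskey_rdata(257, 3, 8, bytes(range(64)))
# One byte flipped: what a tampered or wrong key delivered over a hijacked
# non-validating path would look like.
TAMPERED_KEY = SAMPLE_KEY[:-1] + bytes([SAMPLE_KEY[-1] ^ 1])
# Constructed anchor file in root-anchors.xml layout, built from SAMPLE_KEY.
SAMPLE_ANCHORS_XML = """<TrustAnchor id="constructed-example" source="example">
  <Zone>.</Zone>
  <KeyDigest id="ExampleKSK" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>%d</KeyTag>
    <Algorithm>8</Algorithm>
    <DigestType>2</DigestType>
    <Digest>%s</Digest>
  </KeyDigest>
</TrustAnchor>""" % (key_tag(SAMPLE_KEY), ds_digest(".", SAMPLE_KEY))


if __name__ == "__main__":
    anchors = parse_anchors(SAMPLE_ANCHORS_XML)
    print("genuine key ->", matching_anchor(anchors, ".", SAMPLE_KEY))
    print("tampered key ->", matching_anchor(anchors, ".", TAMPERED_KEY))
```

The digest comparison is what turns the TLS-fetched anchor file into a check on the separately fetched DNSKEY; the date window is what catches the shelf case where the file itself predates the key. Neither step protects against the anchor file being wrong in the first place, which is the window Manu flags above.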