[ksk-rollover] new ksk and DNS software vendors

Michael Richardson mcr+ietf at sandelman.ca
Sat Mar 30 16:37:49 UTC 2019


manu tman <chantr4 at gmail.com> wrote:
    >     I suspect the most common resolvers on the Internet today are
    > either Microsoft DNS or some version of DNSMasq. Have those vendors
    > weighed in on the triviality of update of their installed base?

Definitely dnsmasq.

    > There will definitely be other cases, like the year-on-a-shelf devices,
    > but I guess this is a different problem.

I don't think it's really a different problem.
Resolvers that are turned on all the time could use 5011 if they wanted.
A "rfc5011d" could dpkg-divert the TAs and update them at the right time.

    > There were also some discussions around how to deal with the devices
    > that spent a year on a shelf. I suppose one way out is that if such a
    > machine could not update resolve dns because the keys are outdated, it
    > would need to perform a non-validating query and get it off IANA
    > website or other pre-set vendor websites that mirror the keys and rely
    > on SSL cert. But that could open a window to install the wrong keys.
    > Update continuity and bootstrapping outdated software will most likely
    > end up having different solutions.

Yes, it does open up windows of vulnerability, and it seems like forcing
someone to open that window would be relatively easy. "Did you try turning it
off and on?"-type support often then becomes "factory reset it"...

Factory resetting a home router might also wipe out rfc5011 updates too.

So I'd really like to solve this problem, and if we do, then it makes the
distro-update-package way of getting TAs much less critical.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [ 
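The "5011" tracking discussed above, as an added example that is not code from this thread, from dnsmasq or from any other resolver: a simplified RFC 5011 trust-anchor state machine (30-day add hold-down, self-signed REVOKE bit, hold-down reset when a pending key disappears) run over a constructed timeline in which a resolver polls the root DNSKEY RRset once a day except while powered off. The key tags are those of the 2010 and 2017 root KSKs; the dates, daily polling and the modelling of signatures as a set of signing key tags are assumptions.

```python
"""Simplified RFC 5011 trust-anchor tracking (added example, not code from the
thread or any resolver). Signatures are modelled as the set of signing key tags."""
from dataclasses import dataclass, field
DAY = 86400
ADD_HOLD_DOWN = 30 * DAY   # RFC 5011 section 2.4.1: add hold-down time
REVOKE_FLAG = 0x0080       # RFC 5011 section 2.1: REVOKE bit in DNSKEY flags

@dataclass
class AnchorStore:
    anchors: dict = field(default_factory=dict)   # key tag -> (state, since)

    def observe(self, now, dnskeys, signers):
        """One root DNSKEY RRset: dnskeys maps key tag -> flags, signers is the
        set of key tags whose RRSIG covered it. Ignored unless a Valid anchor signed it."""
        valid = {k for k, (s, _) in self.anchors.items() if s == "Valid"}
        if not valid & signers:
            return False
        for tag, flags in dnskeys.items():
            state, since = self.anchors.get(tag, ("Start", now))
            if flags & REVOKE_FLAG:
                if tag in signers:                   # a revocation must be self-signed
                    self.anchors[tag] = ("Revoked", now)
                continue
            if state == "Start":
                self.anchors[tag] = ("AddPend", now)  # hold-down timer starts
            elif state == "AddPend" and now - since >= ADD_HOLD_DOWN:
                self.anchors[tag] = ("Valid", now)    # seen continuously for 30 days
        for tag, (state, _) in list(self.anchors.items()):
            if state == "AddPend" and tag not in dnskeys:
                self.anchors[tag] = ("Start", now)    # key vanished: timer resets
        return True

    def valid_keys(self):
        return sorted(k for k, (s, _) in self.anchors.items() if s == "Valid")

def simulate_rollover(offline_from=None, offline_until=None):
    """Constructed timeline: new KSK (tag 20326) published on day 0, old KSK
    (tag 19036) self-revoked on day 100. The resolver ships with only the old
    key and polls daily except on days in [offline_from, offline_until).
    Returns the Valid anchors on day 110."""
    store = AnchorStore({19036: ("Valid", 0)})
    for day in range(111):
        if offline_from is not None and offline_from <= day < offline_until:
            continue
        keys, signers = {19036: 0x0101, 20326: 0x0101}, {19036}
        if day >= 100:
            keys[19036] |= REVOKE_FLAG                # old KSK self-revokes
            signers = {19036, 20326}
        store.observe(day * DAY, keys, signers)
    return store.valid_keys()
```

A resolver that is back online at least 30 days before the revocation ends with the new anchor, while one that returns later, or fewer than 30 days before it, ends with no Valid anchor at all, which is the year-on-a-shelf case the thread is about.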