[ksk-rollover] RFC 5011 will not be implemented in Dnsmasq
Peter van Dijk
peter.van.dijk at powerdns.com
Mon Jan 7 14:29:38 UTC 2019
Hello,

On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via
ksk-rollover wrote:
> according to Simon Kelly, RFC 5011 is not sufficient for automatic
> DNSSEC key updates and will not be implemented in Dnsmasq
> (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg12448.html).
>
> As the majority of SoHo routers uses Dnsmasq as DNS resolver I suggest
> to address this problem by discussing a suitable solution with Simon
> Kelly and the IETF workgroups.

The message already describes the right solution. There is no work to be
done here.

Quoting from your URL: “anything running dnsmasq has net access, by
definition, and really should have a method of doing automatic updates
for security fixes, etc. As such it has a method of authentication put
in place by the software providers, and that is the best way to update
the root key.”

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/