Source: dnsmasq
Version: 2.72-3+deb8u2
Severity: important
Tags: patch

Hi Simon,
The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October
2018 [1]. After this date, DNS resolvers will need to have the new key
(KSK-2017) to perform DNSSEC validation.
[1] https://www.icann.org/news/announcement-2018-08-22-en
AFAICS, dnsmasq in stretch and jessie [2] currently lacks the new key,
and unless the dns-root-data package is additionally installed, users
relying on dnsmasq for DNS resolution may encounter problems once the
rollover occurs.
[2] https://sources.debian.org/src/dnsmasq/2.76-5+deb9u1/trust-anchors.conf/
https://sources.debian.org/src/dnsmasq/2.72-3+deb8u2/trust-anchors.conf/
I think cherry-picking the commit [3] should prevent this in both
suites.
[3] http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59
Would you agree on this change, and, would you like to prepare the
uploads by yourself?
I am CCing the security team to have their opinion, whether this should
be handled via a security or a stable upload in stretch.
Concerning jessie, following the LTS workflow is required:
https://wiki.debian.org/LTS/Development
If that LTS workflow is a burden for you, a member of the LTS team could
take care of it.
Best regards,
-- Santiago
P.S. The hypothetical upload could also fix CVE-2017-15107 [3]?
[3] https://security-tracker.debian.org/tracker/CVE-2017-15107
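Added example, not part of the original report and not dnsmasq or Debian code: a shell check that classifies which root trust anchors a dnsmasq `trust-anchors.conf` carries, so a host still holding only the pre-rollover key can be spotted. The function name and sample files are constructed for illustration; the key tags (19036 for KSK-2010, 20326 for KSK-2017) and digests are the published root-zone DS values and are stated here as assumptions to confirm against IANA's root-anchors.xml.

```shell
#!/bin/sh
# Added example: classify the root trust anchors in a dnsmasq trust-anchors.conf.
# Tags and digests are the published root-zone DS values (assumption: confirm
# them against IANA's root-anchors.xml before relying on this check).
KSK2010_TAG=19036
KSK2017_TAG=20326
KSK2017_DIGEST=E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# root_anchor_status FILE -> ready | mismatch | old-only | none
root_anchor_status() {
    awk -F, -v old="$KSK2010_TAG" -v new="$KSK2017_TAG" -v want="$KSK2017_DIGEST" '
        /^[ \t]*#/ { next }                          # comment line
        /^[ \t]*trust-anchor[ \t]*=/ {
            sub(/^[ \t]*trust-anchor[ \t]*=[ \t]*/, "")  # drop the option name, re-split
            if (NF < 5) next                         # malformed entry
            # Count from the end: an optional class field may precede the zone.
            if ($(NF-4) != ".") next                 # root zone only
            tag = $(NF-3) + 0
            digest = toupper($NF); gsub(/[ \t\r]/, "", digest)
            if (tag == old) seen_old = 1
            if (tag == new) { if (digest == want) seen_new = 1; else bad = 1 }
        }
        END {
            if (seen_new)      print "ready"      # KSK-2017 present, digest matches
            else if (bad)      print "mismatch"   # tag 20326 present, digest differs
            else if (seen_old) print "old-only"   # pre-rollover key only
            else               print "none"       # no root anchor configured
        }' "$1"
}

# Constructed samples: a file with KSK-2010 only, and the same file with KSK-2017 added.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed sample' \
  'trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5' \
  > "$tmp/old.conf"
{ cat "$tmp/old.conf"
  printf 'trust-anchor=.,%s,8,2,%s\n' "$KSK2017_TAG" "$KSK2017_DIGEST"; } > "$tmp/new.conf"
echo "old.conf: $(root_anchor_status "$tmp/old.conf")"
echo "new.conf: $(root_anchor_status "$tmp/new.conf")"
```

Run `root_anchor_status` against the trust anchor file the installed dnsmasq actually loads; `old-only` is the state the report describes for the stretch and jessie packages.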