
Re: DNS Key rollover

On Oct 4, 2018, at 11:32 AM, Reco <recoverym4n@enotuniq.net> wrote:

> On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
>> Hi, Henning.
>> I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
>> I don't know anything about bind. How do I know what bind version I am
>> running, and if I need to do anything regarding the change you mentioned?
> Stretch's bind has this public part of root's KSK:
> # grep -A2 20326 /etc/bind/bind.keys
>        # This key (20326) is to be published in the root zone in 2017.
>        # Servers which were already using the old key (19036) should
>        # roll seamlessly to this new one via RFC 5011 rollover. Servers
> If you have the same - there's nothing to do.
> If you don't - DNSSEC will stop working for you in seven days.
> If you do not use BIND - there's nothing to do.
> Reco

How about if I’m using dnsmasq? I’m running a more or less stock stretch with dnsmasq and this is what I see when I go looking for trust-anchors:

 cat /usr/share/dnsmasq-base/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 30/01/2014

# Note that this is a DS record (ie a hash of the root Zone Signing Key) 
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml


Which, IIUC, says it’s using root trust anchor ID 19036 extracted on Jan 30, 2014, not ID 20326 extracted any time in the last 12 months.

Is there an update I have missed applying?
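A small shell check, added here as an example and not part of this thread, that parses dnsmasq-style trust-anchor= lines for the root zone and reports whether key tag 20326 (KSK-2017) is configured alongside or instead of 19036. The two config files are constructed in a temp directory, their digests are placeholders rather than the real DS digests, and the parser assumes dnsmasq's documented field order (optional class, domain, key tag, algorithm, digest type, digest).

```shell
#!/bin/sh
# Added example: report which root key tags a dnsmasq trust-anchor file
# configures and whether KSK-2017 (key tag 20326) is among them.
# Both config files below are constructed here; the digests are
# placeholders, not the real DS digests.

tmpdir=$(mktemp -d)
OLD_CONF="$tmpdir/trust-anchors-2014.conf"     # 2014-style file: KSK-2010 only
NEW_CONF="$tmpdir/trust-anchors-current.conf"  # file carrying both KSKs

cat >"$OLD_CONF" <<'EOF'
# The root DNSSEC trust anchor, valid as at 30/01/2014
trust-anchor=.,19036,8,2,PLACEHOLDER_DIGEST_FOR_KSK_2010
EOF

cat >"$NEW_CONF" <<'EOF'
# Both anchors, as shipped during the 2017/2018 rollover period
trust-anchor=.,19036,8,2,PLACEHOLDER_DIGEST_FOR_KSK_2010
trust-anchor=.,20326,8,2,PLACEHOLDER_DIGEST_FOR_KSK_2017
EOF

# Print one key tag per trust-anchor= line for the root zone ("."),
# tolerating leading whitespace and an optional class field (e.g. IN,).
anchor_key_tags() {
    sed -n 's/^[[:space:]]*trust-anchor=\([A-Z]*,\)\{0,1\}\.,\([0-9][0-9]*\),.*/\2/p' "$1"
}

# Exit 0 if FILE ($1) configures root key tag TAG ($2), non-zero otherwise.
has_key_tag() {
    anchor_key_tags "$1" | grep -qx "$2"
}

# Human-readable verdict for one file; returns 0 only when 20326 is present.
# A file with comments but no trust-anchor= lines is reported separately.
check_root_anchor() {
    tags=$(anchor_key_tags "$1" | tr '\n' ' ')
    if [ -z "$tags" ]; then
        echo "$1: no trust-anchor lines found (comments only?)"
        return 1
    elif has_key_tag "$1" 20326; then
        echo "$1: OK, KSK-2017 (20326) present; tags: $tags"
        return 0
    else
        echo "$1: WARNING, KSK-2017 (20326) missing; tags: $tags"
        return 1
    fi
}

check_root_anchor "$OLD_CONF" || true
check_root_anchor "$NEW_CONF" || true
```

Point the functions at /usr/share/dnsmasq-base/trust-anchors.conf (or whatever file your dnsmasq config includes) to check a live system; a file that yields only 19036 is still anchored to KSK-2010.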

