Hi,

by default in the Debian/Ubuntu package it looks like this:

root@sirius:~# dpkg -l | fgrep dnsmasq
ii  dnsmasq        2.79-1  all    Small caching DNS proxy and DHCP/TFTP server
ii  dnsmasq-base   2.79-1  amd64  Small caching DNS proxy and DHCP/TFTP server
ii  dnsmasq-utils  2.79-1  amd64  Utilities for manipulating DHCP leases

The new anchor was included long ago:

root@sirius:~# cat /usr/share/dnsmasq-base/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 10/02/2017

# Note that this is a DS record (ie a hash of the root Zone Signing Key)
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

(this is shipped with the above mentioned “dnsmasq-base” package).

In the default config file of dnsmasq, there is this line:

root@sirius:/etc# cat dnsmasq.conf.dpkg-dist | fgrep trust
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf

So everything is there to configure it correctly. By default DNSSEC is not
enabled anyway, but a user who wants to enable it can easily do it by
uncommenting and fixing the above path. IMHO, it could be improved in the
Debian package to have the correct path in the default file (instead of
%%PREFIX%%). This looks like a bug in the Debian package installer.

Uwe

-----
Uwe Schindler
Achterdiek 19, D-28357 Bremen
http://www.thetaphi.de
eMail: u...@thetaphi.de

From: Dnsmasq-discuss <dnsmasq-discuss-boun...@lists.thekelleys.org.uk> On Behalf Of Neil Jerram
Sent: Monday, October 8, 2018 12:19 PM
To: logana...@gmail.com
Cc: dnsmasq-discuss <dnsmasq-discuss@lists.thekelleys.org.uk>
Subject: Re: [Dnsmasq-discuss] Ready for dnssec key signing key rollover on Oct 11?

On Sun, Oct 7, 2018 at 12:05 PM Loganaden Velvindron <logana...@gmail.com> wrote:

On Sun, Oct 7, 2018 at 2:13 PM Rick Thomas <rbtho...@pobox.com> wrote:
>
> What do I need to do to be ready for the DNSSEC Root KSK (key signing key)
> rollover on October 11, 2018?
>

Well, dnsmasq already committed a patch for the new trust anchor:

http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59

I was also looking into this last week, and would appreciate if anyone wanted
to review and confirm or correct my observations.

If I've understood correctly:

- An installation of dnsmasq can only possibly be impacted by the KSK rollover
  if it
  - was built with HAVE_DNSSEC enabled; AND
  - is configured (--dnssec) to use DNSSEC at runtime; AND
  - is actually used as a DNS server / forwarder.

- There is no cross-dependency between DNSSEC and dnsmasq's DHCP and RA
  function. So if you're mainly using dnsmasq for DHCP and RA, as OpenStack
  does, that function can't be degraded by not having installed or configured
  the new DNSSEC KSK.

- While it is true that the dnsmasq repo has included the new KSK fingerprint
  since February 2017 (as in the commit cited above), I couldn't see anything
  hardcoded in the dnsmasq code to read and use the content of
  trust-anchors.conf. So, even if you have that file in your dnsmasq install,
  and it includes the new KSK fingerprint, I _think_ you still need to configure
  dnsmasq somehow to read that file and trust the fingerprints in it (presumably
  at the same time as you'd configure --dnssec).

Any comments much appreciated.

     Neil

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
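As an added example that is not part of the thread or of the dnsmasq project: a small POSIX shell audit that applies Neil's three conditions (DNSSEC compiled in, `dnssec` enabled in the config, a trust anchor actually loaded) together with Uwe's point about the unexpanded `%%PREFIX%%` placeholder. The key tags 19036 (the retiring KSK-2010) and 20326 (KSK-2017) are taken from the trust-anchors.conf quoted above. Everything else is an assumption made for the example: the `dnsmasq --version` banners are constructed to mimic the "Compile time options:" line (with `DNSSEC` or `no-DNSSEC`), and the config files are constructed samples written to a temporary directory, so no real dnsmasq binary is run and nothing on the host is touched.

```shell
#!/bin/sh
# Added example (not from the thread or from dnsmasq itself): audit a dnsmasq
# setup for the root KSK rollover. Sample banners and config files below are
# constructed for the example; no real dnsmasq is invoked.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# 1. Is DNSSEC compiled in? The banner's "Compile time options:" line is
#    assumed to list either DNSSEC or no-DNSSEC; match the word only when it is
#    not preceded by "-".
dnsmasq_built_with_dnssec() {
    printf '%s\n' "$1" | grep -Eq '(^| )DNSSEC( |$)'
}

# 2. Audit a dnsmasq.conf. Prints exactly one of:
#    dnssec-off        validation not enabled; the rollover cannot affect this instance
#    placeholder-path  conf-file= still contains the unexpanded %%PREFIX%%
#    missing-file      conf-file= points at a file that cannot be read
#    no-anchor         dnssec on, but no trust-anchor=. line anywhere
#    old-anchor-only   only KSK-2010 (tag 19036) is trusted
#    ok                KSK-2017 (tag 20326) is trusted
audit_dnsmasq_conf() {
    conf=$1
    if ! grep -Eq '^[[:space:]]*dnssec[[:space:]]*$' "$conf"; then
        echo dnssec-off
        return 0
    fi
    files=$conf
    for inc in $(sed -n 's/^[[:space:]]*conf-file=//p' "$conf"); do
        case $inc in
            *%%PREFIX%%*) echo placeholder-path; return 0 ;;
        esac
        if [ ! -r "$inc" ]; then
            echo missing-file
            return 0
        fi
        files="$files $inc"
    done
    # Key tag is the 2nd field of "trust-anchor=.,TAG,ALG,DIGESTTYPE,DIGEST".
    tags=$(cat $files | sed -n 's/^[[:space:]]*trust-anchor=\.,\([0-9][0-9]*\),.*/\1/p')
    case " $(echo $tags) " in
        *" 20326 "*) echo ok ;;
        *" 19036 "*) echo old-anchor-only ;;
        *)           echo no-anchor ;;
    esac
}

# Constructed sample banners (format assumed, see lead-in).
VERSION_WITH='Dnsmasq version 2.79  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify'
VERSION_WITHOUT='Dnsmasq version 2.79  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth no-DNSSEC loop-detect inotify'

# Constructed sample config files.
cat >"$tmp/anchors.conf" <<'EOF'
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
cat >"$tmp/dhcp-only.conf" <<'EOF'
dhcp-range=192.168.1.50,192.168.1.150,12h
#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
EOF
cat >"$tmp/placeholder.conf" <<'EOF'
dnssec
conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf
EOF
cat >"$tmp/old.conf" <<'EOF'
dnssec
trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
EOF
cat >"$tmp/good.conf" <<EOF
dnssec
dnssec-check-unsigned
conf-file=$tmp/anchors.conf
EOF

for name in dhcp-only placeholder old good; do
    printf '%-12s %s\n' "$name" "$(audit_dnsmasq_conf "$tmp/$name.conf")"
done
```

On a real host you would feed `audit_dnsmasq_conf` the live `/etc/dnsmasq.conf` and `dnsmasq_built_with_dnssec "$(dnsmasq --version)"`; the point of the `dnssec-off` result is Neil's observation that a DHCP/RA-only deployment is simply not in scope, and `placeholder-path` is the state a Debian user lands in after only uncommenting the shipped `conf-file=` line.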