Moin! On 7 Jan 2019, at 15:29, Peter van Dijk wrote:
Hello,
On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:
according to Simon Kelly RFC 5011 is not sufficient for automatic DNSSEC key updates and will not be implemented in Dnsmasq (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg1244...).
As the majority of SoHo routers uses Dnsmasq as DNS resolver I suggest to address this problem by discussing a suitable solution with Simon Kelly and the IETF workgroups.
The message already describes the right solution. There is no work to be done here. Well we should make sure that we publish the new root key (not necessarily in DNS), and use it in updated software as soon as possible as it increases the likelihood of an upgrade between publishing and usage of the key.
I think most of the software vendors that use RFC5011 still supply the latest root key in the distribution. So long -Ralf —-- Ralf Weber