RFC 5011 will not be implemented in Dnsmasq
Hi,

according to Simon Kelly RFC 5011 is not sufficient for automatic DNSSEC key updates and will not be implemented in Dnsmasq (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg1244...). As the majority of SoHo routers use Dnsmasq as DNS resolver, I suggest addressing this problem by discussing a suitable solution with Simon Kelly and the IETF working groups.

Regards,
Renne
Hello,

On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:
according to Simon Kelly RFC 5011 is not sufficient for automatic DNSSEC key updates and will not be implemented in Dnsmasq (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg1244...).
As the majority of SoHo routers use Dnsmasq as DNS resolver, I suggest addressing this problem by discussing a suitable solution with Simon Kelly and the IETF working groups.

The message already describes the right solution. There is no work to be done here. Quoting from your URL: “anything running dnsmasq has net access, by definition, and really should have a method of doing automatic updates for security fixes, etc. As such it has a method of authentication put in place by the software providers, and that is the best way to update the root key.”

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
Hi!

On 7 Jan 2019, at 15:29, Peter van Dijk wrote:
Hello,
On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:
according to Simon Kelly RFC 5011 is not sufficient for automatic DNSSEC key updates and will not be implemented in Dnsmasq (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg1244...).
As the majority of SoHo routers use Dnsmasq as DNS resolver, I suggest addressing this problem by discussing a suitable solution with Simon Kelly and the IETF working groups.
The message already describes the right solution. There is no work to be done here.

Well, we should make sure that we publish the new root key (not necessarily in DNS) and use it in updated software as soon as possible, as that increases the likelihood of an upgrade between publishing and usage of the key. I think most of the software vendors that use RFC 5011 still supply the latest root key in the distribution.

So long
-Ralf
--
Ralf Weber
Peter van Dijk <peter.van.dijk@powerdns.com> wrote:
The message already describes the right solution. There is no work to be done here.
Yes, from the protocol point of view. What is still to do is determining how root key rollovers will be handled in the future, i.e. when (how frequently) keys are generated, when public keys are promulgated out of band, when they appear in the root zone, etc., and so on. [I favour annual rollovers, with keys generated and promulgated out of band a few years in advance, and at most two KSKs in the root zone at any time.]

Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
East Sole, Lundy, Fastnet: Westerly veering northwesterly later, 5 or 6. Moderate, occasionally slight. Drizzle for a time. Good, occasionally moderate.
On 07.01.19 at 15:29, Peter van Dijk wrote:
Hello,
On 7 Jan 2019, at 15:04, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover wrote:
according to Simon Kelly RFC 5011 is not sufficient for automatic DNSSEC key updates and will not be implemented in Dnsmasq (https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/msg1244...).
As the majority of SoHo routers use Dnsmasq as DNS resolver, I suggest addressing this problem by discussing a suitable solution with Simon Kelly and the IETF working groups.
The message already describes the right solution. There is no work to be done here.
Quoting from your URL: “anything running dnsmasq has net access, by definition, and really should have a method of doing automatic updates for security fixes, etc. As such it has a method of authentication put in place by the software providers, and that is the best way to update the root key.”
The only SoHo routers in Germany doing automatic firmware updates (5 years) are the AVM Fritz!Boxes. All other routers need manual firmware updates. Cheap 20 € routers get one manual firmware update at best. Which KSK update mechanism should those sale-and-forget vendors use?

Regards,
Renne
On Mon, 7 Jan 2019 at 13:15, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover@icann.org> wrote:
The only SoHo routers in Germany doing automatic firmware updates (5 years) are the AVM Fritz!Boxes. All other routers need manual firmware updates. Cheap 20 € routers get one manual firmware update at best.
Which KSK update mechanism should those sale-and-forget vendors use?
That is a broken business model which, if they are doing DNSSEC validation, will result in broken routers (on top of the security vulnerabilities they open their customers to). I suspect that's going to affect their bottom line.
On 07.01.19 at 19:18, Matthew Pounsett wrote:
On Mon, 7 Jan 2019 at 13:15, Rene 'Renne' Bartsch, B.Sc. Informatics via ksk-rollover <ksk-rollover@icann.org> wrote:
The only SoHo routers in Germany doing automatic firmware updates (5 years) are the AVM Fritz!Boxes. All other routers need manual firmware updates. Cheap 20 € routers get one manual firmware update at best.
Which KSK update mechanism should those sale-and-forget vendors use?
That is a broken business model which, if they are doing DNSSEC validation, will result in broken routers (on top of the security vulnerabilities they open their customers to). I suspect that's going to affect their bottom line.
I agree with the broken business model. That business model breaks DNSSEC. Sale-and-forget vendors tend to ignore DNSSEC. Even the expensive AVM Fritz!Boxes don't do DNSSEC validation.

Regards,
Renne
On 07.01.19 at 19:18, Matthew Pounsett wrote:
That is a broken business model which, if they are doing DNSSEC validation, will result in broken routers (on top of the security vulnerabilities they open their customers to). I suspect that's going to affect their bottom line.
Renne:
I agree with the broken business model. That business model breaks DNSSEC. Sale-and-forget vendors tend to ignore DNSSEC. Even the expensive AVM Fritz!Boxes don't do DNSSEC validation.

Unfortunately the business model isn't broken at all - if you see it as exactly that: a BUSINESS model. The box stops working, it gets tossed. The user buys a new one that works. Instead of having to handle expensive software updates, the vendor gets increased sales. What is there not to like? (From the vendor's standpoint, that is.) Users have come to accept this as normal. I just tossed 5-8 perfectly working old pieces of CPE-like equipment in the city dump this weekend. I know they will never be safe. There is nothing I can do. My car inspector's words (regarding cars, but they are equally valid here) ring in my ears: "In the old days, they built cars to be as good as they were able to, now they build them as bad as they dare." (Slightly lacking translation, but you get it ...)

Cheers,
/Liman
--
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.                ! E-mail: liman@netnod.se
# Senior Systems Specialist              ! Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm    ! http://www.netnod.se/
#----------------------------------------------------------------------
On Tue, 8 Jan 2019 at 09:42, Lars-Johan Liman <liman@netnod.se> wrote:
Unfortunately the business model isn't broken at all - if you see it as exactly that: a BUSINESS model. The box stops working, it gets tossed. The user buys a new one that works.

Perhaps I'm overly optimistic, but I suspect that the next one the customer buys isn't going to be from the same manufacturer. And there will probably be conversations along the lines of: "I need to get a new wifi router." "Don't buy an X one... mine stopped working after a year." If the customer is slightly more savvy than usual, that might continue with: "I googled ways to fix it and found someone who said they didn't support some important thing. I found this other company that makes one that will support it."
On 12.01.19 at 20:30, Matthew Pounsett wrote:
Perhaps I'm overly optimistic, but I suspect that the next one the customer buys isn't going to be from the same manufacturer. And there will probably be conversations along the lines of: "I need to get a new wifi router." "Don't buy an X one... mine stopped working after a year."
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." Albert Einstein and Fritz Perls ;-)
Participants (6):
- Lars-Johan Liman
- Matthew Pounsett
- Peter van Dijk
- Ralf Weber
- Rene 'Renne' Bartsch, B.Sc. Informatics
- Tony Finch