Web lists-archives.com

Re: DNS Key rollover




On Oct 4, 2018, at 11:32 AM, Reco <recoverym4n@xxxxxxxxxxxx> wrote:

> On Thu, Oct 04, 2018 at 02:15:52PM -0400, Default User wrote:
>> Hi, Henning.
>> 
>> I am running Unstable, with 4.18.0-2 amd-64 kernel, all updated.
>> 
>> I don't know anything about bind. How do I know what bind version I am
>> running, and if I need to do anything regarding the change you mentioned?
> 
> Stretch's bind has this public part of root's KSK:
> 
> # grep -A2 20326 /etc/bind/bind.keys
>        # This key (20326) is to be published in the root zone in 2017.
>        # Servers which were already using the old key (19036) should
>        # roll seamlessly to this new one via RFC 5011 rollover. Servers
> 
> If you have the same - there's nothing to do.
> If you don't - DNSSEC will stop working for you in seven days.
> If you do not use BIND - there's nothing to do.
> 
> Reco

How about if I’m using dnsmasq? I’m running a more or less stock stretch with dnsmasq and this is what I see when I go looking for trust-anchors:

 cat /usr/share/dnsmasq-base/trust-anchors.conf
# The root DNSSEC trust anchor, valid as at 30/01/2014

# Note that this is a DS record (ie a hash of the root Zone Signing Key) 
# If was downloaded from https://data.iana.org/root-anchors/root-anchors.xml

trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5


Which, IIUC, says it’s using root trust anchor ID 19036 extracted on Jan 30, 2014, not ID 20326 extracted any time in the last 12 months.

Is there an update I have missed applying?

Thanks!
Rick