Web lists-archives.com

Re: DNS Key rollover for dnsmasq [SOLVED}

Hi there

On 07/10/2018 12:36, Eduardo M KALINOWSKI wrote:

On 07-10-2018 07:11, Rick Thomas wrote:
On further study, it seems that (in Debian Stretch, at least) the root KSK’s used by dnsmasq are taken from the file /usr/share/dns/root.ds, which is provided by the package dns-root-data; and that package seems to be part of the standard Stretch installation.  That file lists both keys (the new “20326” and the old “19036”). So it’s all set to go.  No need to panic…  (-:

Where did you get that information from? I found nothing about
dns-root-data in dnsmasq package.

It depends on dnsmasq-base, which recommends dns-root-data.
Stretch bind9 does not depend on dns-root-data. Backports does.

I'd just add a new trust-anchor to the configuration. Just copy and
paste from https://github.com/imp/dnsmasq/blob/master/trust-anchors.conf