[Cerowrt-devel] DNSSEC key rollover today

Mikael Abrahamsson swmike at swm.pp.se
Fri Oct 12 02:54:46 EDT 2018

On Thu, 11 Oct 2018, Dave Taht wrote:

> if any of you are still using cerowrt, and dnssec, it's gonna break
> unless you update this, or disable dnssec... I do not know if the new
> key was in openwrt 18.06 either...
> http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/

Just as an operational concern, if you have an old image of something (pre 
mid 2017) that doesn't have the new key, it's not going to be able to 
download the new key using the old key, as of today.

Any old install might have the key update function implemented and might 
have the new key, but as soon as you re-install and the new key is not 
there anymore, it'll stop working.

A DNSSEC validating device needs to have functionality to get the root key 
somehow and keep it updated. Otherwise it's better to just not validate at 
all if one cares about operational availability of the service.

Mikael Abrahamsson    email: swmike at swm.pp.se

More information about the Cerowrt-devel mailing list