[Cerowrt-devel] DNSSEC key rollover today
Mikael Abrahamsson
swmike at swm.pp.se
Fri Oct 12 02:54:46 EDT 2018
On Thu, 11 Oct 2018, Dave Taht wrote:
> if any of you are still using cerowrt, and dnssec, it's gonna break
> unless you update this, or disable dnssec... I do not know if the new
> key was in openwrt 18.06 either...
>
> http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
Just as an operational concern, if you have an old image of something (pre
mid 2017) that doesn't have the new key, it's not going to be able to
download the new key using the old key, as of today.
Any old install might have the key update function implemented and might
have the new key, but as soon as you re-install and the new key is not
there anymore, it'll stop working.
A DNSSEC validating device needs to have functionality to get the root key
somehow and keep it updated. Otherwise it's better to just not validate at
all if one cares about operational availability of the service.
--
Mikael Abrahamsson email: swmike at swm.pp.se
More information about the Cerowrt-devel
mailing list