Discussion:
DNSSEC key rollover today
Add Reply
Dave Taht
2018-10-11 14:33:35 UTC
Reply
Permalink
if any of you are still using cerowrt, and dnssec, it's gonna break
unless you update this, or disable dnssec... I do not know if the new
key was in openwrt 18.06 either...

http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
Mikael Abrahamsson
2018-10-12 06:54:46 UTC
Reply
Permalink
Post by Dave Taht
if any of you are still using cerowrt, and dnssec, it's gonna break
unless you update this, or disable dnssec... I do not know if the new
key was in openwrt 18.06 either...
http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
Just as an operational concern, if you have an old image of something (pre
mid 2017) that doesn't have the new key, it's not going to be able to
download the new key using the old key, as of today.

Any old install might have the key update function implemented and might
have the new key, but as soon as you re-install and the new key is not
there anymore, it'll stop working.

A DNSSEC validating device needs to have functionality to get the root key
somehow and keep it updated. Otherwise it's better to just not validate at
all if one cares about operational availability of the service.
--
Mikael Abrahamsson email: ***@swm.pp.se
Dave Taht
2018-10-14 15:55:39 UTC
Reply
Permalink
at least from where I sit, it looks like it went well.
Post by Mikael Abrahamsson
Post by Dave Taht
if any of you are still using cerowrt, and dnssec, it's gonna break
unless you update this, or disable dnssec... I do not know if the new
key was in openwrt 18.06 either...
http://www.circleid.com/posts/20181005_how_to_prepare_for_dnssec_root_ksk_rollover_on_october_11_2018/
Just as an operational concern, if you have an old image of something (pre
mid 2017) that doesn't have the new key, it's not going to be able to
download the new key using the old key, as of today.
Any old install might have the key update function implemented and might
have the new key, but as soon as you re-install and the new key is not
there anymore, it'll stop working.
A DNSSEC validating device needs to have functionality to get the root key
somehow and keep it updated. Otherwise it's better to just not validate at
all if one cares about operational availability of the service.
--
--
Dave Täht
CTO, TekLibre, LLC
http://www.teklibre.com
Tel: 1-831-205-9740
Loading...