On Mon, Sep 03, 2018 at 05:18:41PM +0200, Santiago R.R. wrote:
> Source: dnsmasq
> Version: 2.72-3+deb8u2
> Severity: important
> Tags: patch
>
> Hi Simon,
>
> The DNS Root Key Signing Key (KSK) Rollover is scheduled for 11 October
> 2018 [1]. After this date, DNS resolvers will need to have the new key
> (KSK-2017) to perform DNSSEC validation.
>
> [1] https://www.icann.org/news/announcement-2018-08-22-en
>
> AFAICS, dnsmasq in stretch and jessie [2] currently lacks the new key,
> and unless the dns-root-data package is additionally installed, users
> relying on dnsmasq for DNS resolution may encounter problems once the
> rollover occurs.
>
> [2] https://sources.debian.org/src/dnsmasq/2.76-5+deb9u1/trust-anchors.conf/
> https://sources.debian.org/src/dnsmasq/2.72-3+deb8u2/trust-anchors.conf/
>
> I think cherry-picking the commit [3] should prevent this in both
> suites.
>
> [3]
> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=05da782f8f45933915af0ef3cc1ba35e31d20c59
>
> Would you agree on this change, and, would you like to prepare the
> uploads by yourself?
>
> I am CCing the security team to have their opinion, whether this should
> be handled via a security or a stable upload in stretch.

Previous updates of DNS root keys have all been handled via stretch-updates, e.g.
https://lists.debian.org/debian-stable-announce/2017/09/msg00000.html

Cheers,
Moritz