DNSSEC-KSK update on Oct. 11. 2018


the ICANN board decided on sunday to publish the new DNSSEC-KSK on Oct. 11. 2018.

Will TurrisOS update the DNSSEC-KSK automagically via DNS?

Yes, it was ready a year ago when the roll was originally planned.

1 Like

Does the resolver in TurrisOS support automatic DNSSEC key-updates via DNS according to IETF RFC 5011?

there are various resolvers available in the TO repo.

Is about trust anchors and different than key signing keys (KSK) (used to cryptographically sign the Zone Signing Key (ZSK).

unbound resolver is compliant with IETF RFC 5011

Knot-resolver (default in Omnia) supports 5011 as well. The KSK roll can be followed by RFC 5011, but Turris chose to provide the root trust anchors as a packaged file (see the link above).

EDIT: to be clear, the root KSK roll is exactly about updating the root trust anchors, as the active root KSK makes the root of trust (either in DS or DNSKEY form).