Debian Security Advisory

DLA-1532-1 dnsmasq -- LTS security update

Date Reported: 04 Oct 2018
Affected Packages: dnsmasq
Vulnerable: Yes
Security database references: In the Debian bugtracking system: Bug 907887.
More information:

dnsmasq, a DNS forwarder and DHCP server, ships the DNS Root Zone Key Signing Key (KSK), which is used as the DNSSEC trust anchor. ICANN will roll over the KSK on 11 October 2018, and DNS resolvers will need the new key (KSK-2017) to continue performing DNSSEC validation. This dnsmasq package update includes the latest key to prevent issues in scenarios where dnsmasq runs with DNSSEC enabled and uses the trust anchors file shipped with the package. Please note this is not the default configuration in Debian.

For Debian 8 Jessie, this problem has been fixed in version 2.72-3+deb8u4.

We recommend that you upgrade your dnsmasq packages.
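To check whether a host falls into the scenario described above, the following added example (not part of the advisory or of the dnsmasq package) parses dnsmasq configuration text for the `dnssec` option and root-zone `trust-anchor` entries and reports whether key tag 20326, the tag of KSK-2017, is present. The function names and sample configurations are constructed for illustration, the digests are placeholders, and the caller is assumed to pass in the combined text of every configuration file dnsmasq loads.

```python
import re

KSK_2017_TAG = 20326  # key tag of the root KSK-2017 in IANA's root trust anchors
DNS_CLASSES = {"IN", "CH", "HS"}  # optional leading class field of trust-anchor

def parse_dnsmasq_conf(text):
    """Return (dnssec_enabled, set of root-zone trust-anchor key tags)."""
    dnssec, root_tags = False, set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' starts a comment
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "dnssec":
            dnssec = True
        elif key == "trust-anchor":
            # trust-anchor=[<class>],<domain>,<key-tag>,<algorithm>,<digest-type>,<digest>
            fields = [f.strip() for f in value.split(",")]
            if fields and fields[0].upper() in DNS_CLASSES:
                fields = fields[1:]
            if (len(fields) == 5 and fields[0] == "." and fields[1].isdigit()
                    and re.fullmatch(r"[0-9A-Fa-f]+", fields[4])):
                root_tags.add(int(fields[1]))
    return dnssec, root_tags

def rollover_status(text):
    """Classify a configuration with respect to the KSK rollover."""
    dnssec, tags = parse_dnsmasq_conf(text)
    if not dnssec:
        return "dnssec-disabled"  # no DNSSEC validation, rollover has no effect
    return "ready" if KSK_2017_TAG in tags else "missing-ksk-2017"

# Constructed samples; the digests are placeholders, not real key digests.
# 19036 is the key tag of the previous root key, KSK-2010.
PLACEHOLDER = "00" * 32
OLD_ONLY = f"dnssec\ntrust-anchor=.,19036,8,2,{PLACEHOLDER}\n"
BOTH = OLD_ONLY + f"trust-anchor=.,20326,8,2,{PLACEHOLDER}\n"
NO_DNSSEC = f"# dnssec\ntrust-anchor=.,19036,8,2,{PLACEHOLDER}\n"

if __name__ == "__main__":
    for name, conf in (("old-only", OLD_ONLY), ("both", BOTH), ("no-dnssec", NO_DNSSEC)):
        print(name, rollover_status(conf))
```

A result of `missing-ksk-2017` means the configuration validates DNSSEC with only the old root key and needs the updated trust anchors.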

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS