FreeBSD 7.1 and BIND exploit
Mark Andrews
Mark_Andrews at
Wed Jul 23 07:56:52 UTC 2008
> On Wed 23/07/2008, Mark Andrews said
> >
> > To roll a key signing key. Add the key at a weekly signing.
> > Wait for the DNSKEY RRset TTL to expire. Send the new
> > DS/DLV records for the new keys to the parent/DLV operator.
> > Once the updated parent / DLV operator has updated the
> > DS/DLV RRset wait for the old TTL to expire. Remove the
> > old key signing key at your discretion. Normally you
> > would do this at the next weekly signing. This procedure
> > requires one interaction with the parent/DLV operator during
> > the rollover.
> >
> > Note this is not much different than what is required when
> > changing nameservers.
> But changing a nameserver is an exceptional operation. Nobody wants the burden
> of an exceptional operation to come back regularly.
KSK changes should be approximately annual which is short enough
not to forget but long enough to not be a burden.
> --
> Erwan
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at
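
The rollover sequence described in the quoted procedure above, worked through as a timeline calculator with a check for removing the old key too early. This is an added example, not part of the original message; the function names, the sample TTLs and the parent's processing delay are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

WEEK = timedelta(weeks=1)

def next_weekly_signing(t, first_signing):
    """Earliest weekly signing run at or after time t."""
    if t <= first_signing:
        return first_signing
    weeks = -(-(t - first_signing) // WEEK)  # ceiling division on timedeltas
    return first_signing + weeks * WEEK

def ksk_rollover_plan(add_key_at, dnskey_ttl, parent_delay, old_ds_ttl):
    """Earliest time for each step; add_key_at must be a weekly signing run.

    parent_delay (assumed input) is how long the parent/DLV operator takes
    to publish the new DS/DLV RRset after receiving it.
    """
    send_ds = add_key_at + dnskey_ttl        # caches now hold the new DNSKEY RRset
    parent_done = send_ds + parent_delay     # parent serves the new DS/DLV RRset
    old_ds_gone = parent_done + old_ds_ttl   # cached copies of the old DS/DLV expired
    return [
        ("add new KSK at weekly signing", add_key_at),
        ("send new DS/DLV records to parent", send_ds),
        ("parent publishes updated DS/DLV RRset", parent_done),
        ("old DS/DLV TTL expired", old_ds_gone),
        ("remove old KSK at next weekly signing",
         next_weekly_signing(old_ds_gone, add_key_at)),
    ]

def removal_is_safe(remove_at, plan):
    """False if the old KSK would be removed while validators may still
    hold the old DS/DLV RRset, which would break the chain of trust."""
    return remove_at >= dict(plan)["old DS/DLV TTL expired"]

def sample_plan():
    # Constructed sample values: signing on Sundays, 1-day DNSKEY TTL,
    # 3 days for the parent to act, 2-day TTL on the old DS RRset.
    return ksk_rollover_plan(datetime(2008, 7, 27), timedelta(days=1),
                             timedelta(days=3), timedelta(days=2))

if __name__ == "__main__":
    for step, when in sample_plan():
        print(f"{when:%Y-%m-%d %H:%M}  {step}")
```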