Date: Tue, 22 Jul 2008 14:49:25 -0700 From: "Kevin Oberman" <oberman@es.net> To: Paul Schmehl <pschmehl@tx.rr.com> Cc: Doug Barton <dougb@FreeBSD.org>, freebsd-stable@freebsd.org Subject: Re: FreeBSD 7.1 and BIND exploit Message-ID: <20080722214925.390584500E@ptavv.es.net> In-Reply-To: Your message of "Tue, 22 Jul 2008 15:30:53 CDT." <9C1F9AB0E0CD3034CA691A30@utd65257.utdallas.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
--==_Exmh_1216763365_66746P Content-Type: text/plain; charset=us-ascii Content-Disposition: inline > Date: Tue, 22 Jul 2008 15:30:53 -0500 > From: Paul Schmehl <pschmehl_lists@tx.rr.com> > > --On Tuesday, July 22, 2008 13:07:20 -0700 Kevin Oberman <oberman@es.net> wrote: > > > >> Once you implement DNSSEC you *must* generate keys every 30 days. So, > >> I think, if you're going to enable it by default, there needs to be a > >> script in periodic that will do all the magic to change keys every 30 > >> days. Maybe put vars in /etc/rc.conf to override the default key > >> lengths and other portions of the commands that could change per > >> installation. > > > > No, you don't HAVE to generate keys every 30 days, but you should if you > > want real security. > > For me that means must. :-) > > Someone needs to write a really good tutorial on dnssec. The bits and > pieces are scattered about the web, but explanations of now to publish > your keys, to whom they need to be published and what is involved in > the ongoing maintenance are lacking. Especially a clear explanation > of what is required to run both keyed and "legacy" dns at the same > time. I can't imagine why anyone would want to run both. Resolvers which don't know how to check signatures simple don't do so and everything still works. A pretty good, though somewhat outdated tutorial can be found in NIST SP800-81. It's pretty readable and tells you how to generate keys and sign a zone properly. http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf > > Still, for a while, until the infrastructure is > > complete enough to make DNSSEC really of value to the end user, just > > getting signed domains with keys published in an easily accessed place > > is at least getting things started and getting the infrastructure > > moving. > > > > Where do you publish the keys? I have not done so at this time. We have a DNS system that does not quite support DNSSEC, although that should be resolved shortly. NIST simply puts theirs on a web page. This is not a good long-term answer, but is adequate for growing the infrastructure and letting people play with it. DNSSEC really needs to be ready now, but it's simply not, so we need to get some sort of start and more experience in using it. I have a test server that is signed and that I am playing with and I hope that I will be able to sign our production zones in the next few months. Our plan is to buy a network appliance to do the key generation, signing and key rolls. > > Rolling keys is a rather tricky operation where mistakes, once DNSSEC > > makes it to the end user, would be disastrous, so it would require a > > couple of scripts, one to set a new key and another to remove the old > > one. You need both key present for a period of time. > > > > I'd not read that. Can you explain? I thought you simply overwrote > the existing keys with the new ones (in the zone file.) In fact I was > thinking that an $INCLUDE would make a great deal more sense. I > didn't realize you had to retain the old keys for a while. That > complicates matters significantly. Since data in cached, you can't simply replace the key and not have failures when the cached old keys are used to try to verify newly received data. You need to have the old key remain valid for the length of your longest TTL. Note: I am not a DNSSEC expert at all. I have been "playing" with it for over a year, but have been unable to actually use it in production because of our DNS management software which does not support DNSSEC. Hopefully everything I said is correct, but it would be best to verify things before basing much on it. > BTW, I think without those scripts (or at least examples) you'll find > adoption will be a great deal slower. Many people that need to run > dns are far from experts and often intimidated by its complexity - > especially the complexity of dnssec. I completely agree that you are right. DNSSEC is not trivial to manage and, while managing it does not require any detailed knowledge of how it works, it does take careful planning and some education for those who will be working with it. -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: oberman@es.net Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 --==_Exmh_1216763365_66746P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (FreeBSD) Comment: Exmh version 2.5 06/03/2002 iD8DBQFIhlXlkn3rs5h7N1ERAhgUAJsGxQYgMRjy683zs/5RlgQje4miMACfZbqj CQmYPIyIyJZRg7MXrS7T1JY= =DNUE -----END PGP SIGNATURE----- --==_Exmh_1216763365_66746P--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080722214925.390584500E>