Date: Wed, 23 Jul 2008 09:32:47 +0200
From: Erwan David <erwan@rail.eu.org>
To: freebsd-stable@freebsd.org
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <20080723073247.GJ308@rail.eu.org>
In-Reply-To: <200807230725.m6N7PlZJ035859@drugs.dv.isc.org>
References: <616A73D0F163394E96936E69@Macintosh.local> <200807230725.m6N7PlZJ035859@drugs.dv.isc.org>
On Wed 23/07/2008, Mark Andrews said:
>
> To roll a key signing key. Add the key at a weekly signing.
> Wait for the DNSKEY RRset TTL to expire. Send the new
> DS/DLV records for the new keys to the parent/DLV operator.
> Once the updated parent / DLV operator has updated the
> DS/DLV RRset wait for the old TTL to expire. Remove the
> old key signing key at your discretion. Normally you
> would do this at the next weekly signing. This procedure
> requires one interaction with the parent/dlv operator during
> the rollover.
>
> Note this is not much different than what is required when
> changing nameservers.

But changing nameservers is an exceptional operation. Nobody wants the burden of an exceptional operation to come back regularly.

--
Erwan
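As an added illustration (not part of the original thread), the rollover steps quoted above can be laid out as a timeline: the old KSK may only go once every cache could have seen both the new DNSKEY and the new DS. The signing interval, TTLs and parent publication delay below are constructed sample values.

```python
"""KSK rollover timeline for the procedure quoted above (added example).

t = 0 is the weekly signing at which the new key is added; all times
are seconds.  Parameter values are constructed, not from the message.
"""
from dataclasses import dataclass

WEEK = 7 * 24 * 3600
DAY = 24 * 3600


@dataclass
class RolloverParams:
    signing_interval: int = WEEK   # zone is re-signed once a week
    dnskey_ttl: int = DAY          # TTL of the zone's DNSKEY RRset
    ds_ttl: int = DAY              # TTL of the DS/DLV RRset at the parent
    parent_delay: int = 2 * DAY    # time until parent/DLV publishes new DS


def next_signing(t: int, interval: int) -> int:
    """Round t up to the next scheduled signing run."""
    return t if t % interval == 0 else (t // interval + 1) * interval


def rollover_timeline(p: RolloverParams) -> dict:
    """Earliest safe time for each step of the KSK rollover."""
    add_new_key = 0
    # Caches may hold the DNSKEY RRset without the new key until its TTL ends.
    send_ds = add_new_key + p.dnskey_ttl
    # The parent/DLV operator publishes the new DS after some delay.
    parent_updated = send_ds + p.parent_delay
    # Caches may hold the old DS RRset until its TTL ends; only then is
    # removing the old KSK safe.
    remove_allowed = parent_updated + p.ds_ttl
    remove_at_signing = next_signing(remove_allowed, p.signing_interval)
    return {
        "add_new_key": add_new_key,
        "send_ds": send_ds,
        "parent_updated": parent_updated,
        "remove_old_key_allowed": remove_allowed,
        "remove_old_key_at_signing": remove_at_signing,
        "parent_interactions": 1,
    }


def removal_is_safe(p: RolloverParams, t_remove: int) -> bool:
    """True if removing the old KSK at t_remove cannot break validation."""
    return t_remove >= rollover_timeline(p)["remove_old_key_allowed"]
```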