Date: Wed, 23 Jul 2008 09:32:47 +0200
From: Erwan David <erwan@rail.eu.org>
To: freebsd-stable@freebsd.org
Message-ID: <20080723073247.GJ308@rail.eu.org>
In-Reply-To: <200807230725.m6N7PlZJ035859@drugs.dv.isc.org>
Subject: Re: FreeBSD 7.1 and BIND exploit

On Wed 23/07/2008, Mark Andrews said:

> To roll a key signing key: add the key at a weekly signing.
> Wait for the DNSKEY RRset TTL to expire. Send the new
> DS/DLV records for the new keys to the parent/DLV operator.
> Once the parent / DLV operator has updated the DS/DLV RRset,
> wait for the old TTL to expire. Remove the old key signing
> key at your discretion. Normally you would do this at the
> next weekly signing. This procedure requires one interaction
> with the parent/DLV operator during the rollover.
>
> Note this is not much different than what is required when
> changing nameservers.

But changing nameservers is an exceptional operation. Nobody wants the burden of an exceptional operation to come back regularly.

-- 
Erwan
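The rollover sequence Mark Andrews describes turns into a timeline once you know the zone's signing cadence and the TTLs involved. The script below is an added example, not code from the thread or from BIND; the weekly signing schedule, the TTLs and the parent's publication delay are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WEEK = timedelta(days=7)


def next_signing(t: datetime, first_signing: datetime) -> datetime:
    """First weekly signing run at or after t; runs recur every 7 days from first_signing."""
    if t <= first_signing:
        return first_signing
    weeks_ahead = -(-(t - first_signing) // WEEK)  # ceiling of elapsed / WEEK
    return first_signing + weeks_ahead * WEEK


@dataclass
class KskRollover:
    """Milestones of one KSK rollover, following the steps in the quoted post."""
    add_new_ksk: datetime        # publish the new KSK in the DNSKEY RRset at a weekly signing
    send_ds_to_parent: datetime  # old DNSKEY RRset has expired from caches; submit DS/DLV
    parent_ds_updated: datetime  # assumed: parent/DLV operator has published the new DS/DLV
    old_ds_expired: datetime     # old DS/DLV RRset TTL has expired from caches
    remove_old_ksk: datetime     # drop the old KSK at the next weekly signing

    def steps(self):
        return [
            (self.add_new_ksk, "add new KSK at weekly signing"),
            (self.send_ds_to_parent, "send DS/DLV for new KSK to parent/DLV operator"),
            (self.parent_ds_updated, "parent/DLV operator publishes new DS/DLV (assumed delay)"),
            (self.old_ds_expired, "old DS/DLV TTL expired; safe to remove old KSK"),
            (self.remove_old_ksk, "remove old KSK at next weekly signing"),
        ]


def plan_ksk_rollover(start, first_signing, dnskey_ttl, ds_ttl, parent_delay):
    add = next_signing(start, first_signing)
    send_ds = add + dnskey_ttl            # every cache can see the new DNSKEY before DS changes
    parent_updated = send_ds + parent_delay
    old_ds_gone = parent_updated + ds_ttl  # caches may hold the old DS until its TTL passes
    remove = next_signing(old_ds_gone, first_signing)
    return KskRollover(add, send_ds, parent_updated, old_ds_gone, remove)


if __name__ == "__main__":
    # Constructed values: Sunday signings, 1-day DNSKEY TTL, 2-day DS TTL, 1-day parent delay.
    plan = plan_ksk_rollover(datetime(2008, 7, 23, 9, 32), datetime(2008, 7, 20),
                             timedelta(days=1), timedelta(days=2), timedelta(days=1))
    for when, what in plan.steps():
        print(f"{when:%Y-%m-%d %H:%M}  {what}")
```

Only the "send DS/DLV" step needs the parent or DLV operator; the rest is local signing and waiting out TTLs.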