From: Ruben van Staveren
To: Kevin Oberman
Cc: Doug Barton, freebsd-stable@freebsd.org, Paul Schmehl
Subject: Re: FreeBSD 7.1 and BIND exploit
Date: Wed, 23 Jul 2008 15:38:55 +0200

On 22 Jul 2008, at 23:49, Kevin Oberman wrote:

>> Someone needs to write a really good tutorial on dnssec. The bits and
>> pieces are scattered about the web, but explanations of how to publish
>> your keys, to whom they need to be published and what is involved in
>> the ongoing maintenance are lacking. Especially a clear explanation
>> of what is required to run both keyed and "legacy" dns at the same
>> time.

Another piece of text can be found at http://www.nlnetlabs.nl/dnssec_howto/

> I can't imagine why anyone would want to run both. Resolvers which don't
> know how to check signatures simply don't do so and everything still
> works.
>
> A pretty good, though somewhat outdated tutorial can be found in NIST
> SP800-81. It's pretty readable and tells you how to generate keys and
> sign a zone properly.
> http://csrc.nist.gov/publications/nistpubs/800-81/SP800-81.pdf

Regards,
Ruben