Date:      Wed, 23 Jul 2008 15:49:32 +0200
From:      Ruben van Staveren <ruben@verweg.com>
To:        Paul Schmehl <pschmehl_lists_nada@tx.rr.com>
Cc:        Mark Andrews <Mark_Andrews@isc.org>, freebsd-stable@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject:   Re: FreeBSD 7.1 and BIND exploit 
Message-ID:  <75D115D6-6B38-4A32-AC39-CA5081A5B2A1@verweg.com>
In-Reply-To: <616A73D0F163394E96936E69@Macintosh.local>
References:  <200807230046.m6N0khvt008606@drugs.dv.isc.org> <616A73D0F163394E96936E69@Macintosh.local>


On 23 Jul 2008, at 4:18, Paul Schmehl wrote:

>>
>> 	WRONG.
>>
>> 	You need to re-sign the zone an expire period before the
>> 	signatures expire.  You need to generate new keys periodically
>> 	but nowhere near every 30 days.
>>
>
> OK.  I misspoke.  I got the 30 days from Andrew Clegg's presentation
> and confused keys with signatures.  But still, you have to re-sign
> *every* zone every 30 days.

Don't forget to bump the zone serial too... as your secondaries will
not catch up otherwise and start serving expired RRSIGs, leaving your
zone dead in the water.

- R
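The failure mode Ruben describes (zone re-signed on the primary, serial left alone, secondaries never transfer and keep serving RRSIGs until they expire) can be caught before it bites. The following is an added example, not code from this thread or from BIND: a small Python check that parses constructed zone-file text, compares the RRSIG set and SOA serial of a zone before and after re-signing (using RFC 1982 serial arithmetic), and reports a re-sign without a serial bump, signatures that have already expired, and signatures that fall inside a configurable expire window. The zone contents, the 7-day window and the `check_resign` name are assumptions for illustration.

```python
"""Sanity checks for a re-signed DNSSEC zone (added example, not from the thread).

Flags three things an operator cares about after re-signing:
  * the RRSIG set changed but the SOA serial did not move forward, so
    secondaries will never pull the new signatures;
  * RRSIGs that have already expired;
  * RRSIGs that expire within the re-sign window.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone as it looked before re-signing (not real data).
ZONE_BEFORE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008062301 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20080723000000 20080623000000 12345 example.com. AAAA
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20080723000000 20080623000000 12345 example.com. BBBB
"""

# Same zone re-signed (new expiration stamps) but the serial was NOT bumped.
ZONE_RESIGNED_NO_BUMP = ZONE_BEFORE.replace("20080723000000", "20080822000000")

# Re-signed and the serial bumped, as it should be.
ZONE_RESIGNED_BUMPED = ZONE_RESIGNED_NO_BUMP.replace("2008062301", "2008072301")

# owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+\d+\s+\S+\s+.+$")
SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(?P<serial>\d+)\s")


def parse_rrsig_time(stamp):
    """RRSIG expiration/inception are YYYYMMDDHHMMSS in UTC (RFC 4034 s3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Return (soa_serial, [(owner, covered_type, expiration)]) from zone text."""
    serial, sigs = None, []
    for line in text.splitlines():
        m = SOA_RE.match(line)
        if m:
            serial = int(m.group("serial"))
            continue
        m = RRSIG_RE.match(line)
        if m:
            sigs.append((m.group("owner"), m.group("covered"),
                         parse_rrsig_time(m.group("expire"))))
    return serial, sigs


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: is a 'greater than' b modulo 2**32?"""
    a, b = a % 2**32, b % 2**32
    return a != b and ((a < b and b - a > 2**31) or (a > b and a - b < 2**31))


def check_resign(before, after, now, expire_window=timedelta(days=7)):
    """Compare a zone before/after re-signing and return a list of findings."""
    old_serial, old_sigs = parse_zone(before)
    new_serial, new_sigs = parse_zone(after)
    findings = []
    # New signatures but no serial increase: secondaries will not notice the change.
    if old_sigs != new_sigs and not serial_gt(new_serial, old_serial):
        findings.append(
            f"re-signed but serial {new_serial} not bumped past {old_serial}")
    for owner, covered, exp in new_sigs:
        if exp <= now:
            findings.append(
                f"{owner} RRSIG {covered} expired at {exp:%Y-%m-%dT%H:%M:%SZ}")
        elif exp - now <= expire_window:
            findings.append(
                f"{owner} RRSIG {covered} expires within {expire_window.days} days "
                f"at {exp:%Y-%m-%dT%H:%M:%SZ}")
    return findings


if __name__ == "__main__":
    now = datetime(2008, 7, 23, 15, 49, 32, tzinfo=timezone.utc)
    for label, zone in (("no bump", ZONE_RESIGNED_NO_BUMP), ("bumped", ZONE_RESIGNED_BUMPED)):
        print(label, check_resign(ZONE_BEFORE, zone, now) or "OK")
```

In practice the "before" text would be the zone as a secondary currently serves it (e.g. from a zone transfer) and the "after" text the freshly signed file on the primary, so a mismatch in the RRSIG set with an unchanged serial is exactly the stale-secondary condition described above; the expire window should be set to at least the period by which re-signing leads expiration.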

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?75D115D6-6B38-4A32-AC39-CA5081A5B2A1>