Date: Wed, 23 Jul 2008 15:49:32 +0200
From: Ruben van Staveren <ruben@verweg.com>
To: Paul Schmehl <pschmehl_lists_nada@tx.rr.com>
Cc: Mark Andrews <Mark_Andrews@isc.org>, freebsd-stable@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject: Re: FreeBSD 7.1 and BIND exploit
Message-ID: <75D115D6-6B38-4A32-AC39-CA5081A5B2A1@verweg.com>
In-Reply-To: <616A73D0F163394E96936E69@Macintosh.local>
References: <200807230046.m6N0khvt008606@drugs.dv.isc.org> <616A73D0F163394E96936E69@Macintosh.local>
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

On 23 Jul 2008, at 4:18, Paul Schmehl wrote:

>> WRONG.
>>
>> You need to re-sign the zone an expire period before the
>> signatures expire. You need to generate new keys periodically
>> but nowhere near every 30 days.
>
> OK. I misspoke. I got the 30 days from Andrew Clegg's presentation
> and confused keys with signatures. But still, you have to resign
> *every* zone every 30 days.

Don't forget to bump the zone serial too... as your secondaries will
not catch up otherwise and start serving expired RRSIGs, leaving your
zone dead in the water.

- R
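The two failure modes raised in this exchange, RRSIGs that run out before the zone is re-signed and secondaries that never transfer the re-signed zone because the SOA serial was not bumped, can be checked from the records the servers actually answer with. The script below is an added example written for this page; it is not from the thread, from BIND, or from any FreeBSD tool. It parses SOA and RRSIG records in dig presentation format, flags signatures that are expired or inside the re-sign window (taken here, following Mark Andrews' remark, as the SOA expire interval), and flags any secondary whose serial is behind the primary's under RFC 1982 serial arithmetic. All record lines, server names and the clock value are constructed sample data.

```python
"""Check whether a DNSSEC-signed zone has been re-signed in time and whether
its secondaries actually picked the new signatures up.

Added example. All records below are constructed in dig presentation
format for illustration; none is captured from a real server.
"""
from datetime import datetime, timedelta, timezone

SERIAL_HALF = 2 ** 31  # RFC 1982 serial-number arithmetic on 32-bit SOA serials


def _ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """owner ttl IN RRSIG covered alg labels origttl expiration inception keytag signer sig"""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "covered": f[4], "keytag": int(f[10]),
            "expiration": _ts(f[8]), "inception": _ts(f[9])}


def parse_soa(line):
    """owner ttl IN SOA mname rname serial refresh retry expire minimum"""
    f = line.split()
    if len(f) < 11 or f[3] != "SOA":
        raise ValueError("not an SOA record: %r" % line)
    return {"serial": int(f[6]), "expire": timedelta(seconds=int(f[9]))}


def serial_gt(a, b):
    """True if serial a is 'after' serial b under RFC 1982 wrap-around arithmetic."""
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def signature_status(rrsig, now, window):
    """'expired', 'resign' (expires within the re-sign window) or 'ok'."""
    if rrsig["expiration"] <= now:
        return "expired"
    if rrsig["expiration"] - now <= window:
        return "resign"
    return "ok"


def check_zone(primary_soa_line, secondary_soa_lines, rrsig_lines, now):
    """Report signatures needing attention and secondaries lagging the primary.

    The re-sign window is the SOA expire interval: a secondary that loses
    contact with the primary should still hold valid signatures for as long
    as it is allowed to serve the zone at all.
    """
    soa = parse_soa(primary_soa_line)
    lagging = {}
    for name, line in secondary_soa_lines.items():
        s = parse_soa(line)["serial"]
        if serial_gt(soa["serial"], s):  # primary moved on, secondary did not
            lagging[name] = s
    sigs = {}
    for line in rrsig_lines:
        r = parse_rrsig(line)
        sigs[(r["owner"], r["covered"])] = signature_status(r, now, soa["expire"])
    return {"serial": soa["serial"], "lagging_secondaries": lagging, "signatures": sigs}


# --- constructed sample data (not real zone content) -------------------------
NOW = datetime(2008, 7, 23, 15, 49, 32, tzinfo=timezone.utc)

PRIMARY_SOA = ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
               "2008072301 3600 900 1209600 3600")  # expire = 1209600 s = 14 days

# What each secondary answers for the SOA: ns2 is in sync, ns3 is still on last
# month's serial because the zone was re-signed without bumping the serial.
SECONDARY_SOAS = {
    "ns2.example.com.": PRIMARY_SOA,
    "ns3.example.net.": ("example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. "
                         "2008062301 3600 900 1209600 3600"),
}

RRSIGS = [
    # freshly re-signed: 30 days to expiry
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20080822154932 20080723154932 12345 example.com. AAAA",
    # inside the 14-day window: must be re-signed now
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20080730000000 20080630000000 12345 example.com. AAAA",
    # already expired: validating resolvers will treat this RRset as bogus
    "example.com. 3600 IN RRSIG MX 8 2 3600 20080722000000 20080622000000 12345 example.com. AAAA",
]


def run_sample():
    return check_zone(PRIMARY_SOA, SECONDARY_SOAS, RRSIGS, NOW)


if __name__ == "__main__":
    report = run_sample()
    print("primary serial:", report["serial"])
    for name, serial in report["lagging_secondaries"].items():
        print("STALE secondary %s at serial %d" % (name, serial))
    for (owner, covered), status in report["signatures"].items():
        print("%-20s %-4s %s" % (owner, covered, status))
```

In practice the SOA and RRSIG lines would come from `dig +norecurse` against each authoritative server in turn, so that the comparison is between what the servers actually serve rather than between the primary's zone file and an assumption about its secondaries.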