From: Ruben van Staveren
To: Paul Schmehl
Date: Wed, 23 Jul 2008 15:49:32 +0200
Cc: Mark Andrews, freebsd-stable@freebsd.org, Doug Barton
Subject: Re: FreeBSD 7.1 and BIND exploit

On 23 Jul 2008, at 4:18, Paul Schmehl wrote:

>>
>> WRONG.
>>
>> You need to re-sign the zone an expire period before the
>> signatures expire. You need to generate new keys periodically
>> but nowhere near every 30 days.
>>
>
> OK. I misspoke. I got the 30 days from Andrew Clegg's presentation
> and confused keys with signatures. But still, you have to re-sign
> *every* zone every 30 days.

Don't forget to bump the zone serial too... as your secondaries will
not catch up otherwise and start serving expired RRSIGs, leaving your
zone dead in the water.

- R