FreeBSD 7.1 and BIND exploit
Paul Schmehl
pschmehl_lists at tx.rr.com
Wed Jul 23 02:47:06 UTC 2008
--On July 23, 2008 10:46:43 AM +1000 Mark Andrews <Mark_Andrews at isc.org>
wrote:
>>
>> I just played around with it recently. It's not that easy to
>> understand initially *and* the trust anchors thing is a royal PITA.
>>
>> Once you implement DNSSEC you *must* generate keys every 30 days. So,
>> I think, if you're going to enable it by default, there needs to be a
>> script in periodic that will do all the magic to change keys every 30
>> days. Maybe put vars in /etc/rc.conf to override the default key lengths
>> and other portions of the commands that could change per installation.
>
> WRONG.
>
> You need to re-sign the zone an expire period before the
> signatures expire. You need to generate new keys periodically
> but nowhere near every 30 days.
>
OK. I misspoke. I got the 30 days from Andrew Clegg's presentation and
confused keys with signatures. But still, you have to re-sign *every* zone
every 30 days.
"Signatures have lifespans
“Born-on” date – 1 hour prior to running dnssecsignzone
Expiration date – 30 days after running dnssecsignzone
Expired signatures lead to zones that will not validate!"
I followed Clegg's presentation to try out dnssec.
Then there's this:
"Any time you modify a zone – or at least every 30 days (minus TTL) you
must re-run dnssecsignzone
If you don't
1) Zone data will be stale
2) Zone data will be GONE"
So, for me, that's three zones I have to mess with every 30 days. Then
Clegg says the ZSK keys should be changed every quarter and the KSK
keys every year. So I have to re-sign monthly, regen ZSK keys quarterly
and regen KSK keys annually, and I have to do this without breaking any of
my zones so that they stop resolving for periods long enough to clear out
caches.
How is the average person supposed to understand this, much less do it
correctly? Don't misunderstand me, Mark, I'm all for security. But this
ain't easy, and the online information only confuses the issue.
Clegg also says this:
"When finished:
2 ZSK files (.key and .private)
2 KSK files (.key and .private)
2 zonefiles (unsigned and .signed)"
So, do I have to have two zone files or not? As someone who is trying to
understand this new technology, I have to tell you, the online
documentation isn't written for non-DNS-gurus.
I'll be happy to sign my zones, but not until I understand how it works,
what the ramifications are and what my maintenance responsibilities are.
Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.
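One way to keep track of the 30-day signature lifetime the thread argues about is to read the RRSIG expiration timestamps straight out of the signed zone file and flag anything due for re-signing. The following is an added example, not code from this thread or from BIND; it assumes the standard RRSIG presentation format (class IN) and works on a constructed sample zone.

```python
import re
from datetime import datetime, timezone
# Constructed sample, not a real zone. RRSIG: type alg labels orig-ttl exp inception keytag signer sig
SAMPLE_SIGNED_ZONE = """\
example.test.  3600 IN RRSIG SOA 5 2 3600 20080822024706 20080723014706 12345 example.test. c29h
example.test.  3600 IN RRSIG NS 5 2 3600 (   ; multi-line form as dnssec-signzone writes it
                         20080727000000 20080706000000 12345 example.test.
                         bnM= )
www.example.test. 300 IN A     192.0.2.10
www.example.test. 300 IN RRSIG A 5 3 300 20080720000000 20080620000000 12345 example.test. YQ==
"""
RRSIG_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+(\d+)\s+"
                      r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)\s+(.+?)\s*$")

def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0

def _ts(stamp):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Return (owner, covered_type, orig_ttl, expiration, inception) per RRSIG."""
    out = []
    for line in _logical_lines(zone_text):
        m = RRSIG_RE.match(line)
        if m:
            out.append((m[1], m[3], int(m[4]), _ts(m[5]), _ts(m[6])))
    return out

def signatures_needing_resign(zone_text, now, margin_days=7):
    """List (owner, type, days_left) for RRSIGs expired or expiring within margin_days of
    `now` (aware datetime or YYYYMMDDHHmmSS stamp); the margin is never below the record TTL."""
    now = _ts(now) if isinstance(now, str) else now
    due = []
    for owner, rtype, ttl, exp, _inception in parse_rrsigs(zone_text):
        margin = max(margin_days * 86400, ttl)
        left = (exp - now).total_seconds()
        if left <= margin:
            due.append((owner, rtype, round(left / 86400, 1)))
    return due
```

Run against the real output of dnssec-signzone from cron with a margin at least as long as the zone's largest TTL (Clegg's "30 days minus TTL"), and a non-empty result is the signal to re-sign before resolvers start failing validation.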