FreeBSD 7.1 and BIND exploit

Paul Schmehl pschmehl_lists at tx.rr.com
Wed Jul 23 02:47:06 UTC 2008


--On July 23, 2008 10:46:43 AM +1000 Mark Andrews <Mark_Andrews at isc.org> 
wrote:
>>
>> I just played around with it recently.  It's not that easy to
>> understand initially *and* the trust anchors thing is a royal PITA.
>>
>> Once you implement DNSSEC you *must* generate keys every 30 days.  So,
>> I think, if you're going to enable it by default, there needs to be a
>> script in periodic that will do all the magic to change keys every 30
>> days.  Maybe put vars in /etc/rc.conf to override the default key
>> lengths and other portions of the commands that could change per
>> installation.
>
> 	WRONG.
>
> 	You need to re-sign the zone an expire period before the
> 	signatures expire.  You need to generate new keys periodically
> 	but no where near every 30 days.
>

OK.  I misspoke.  I got the 30 days from Andrew Clegg's presentation and 
confused keys with signatures.  But still, you have to resign *every* zone 
every 30 days.

"Signatures have lifespans

“Born-on” date – 1 hour prior to running
dnssecsignzone

Expiration date – 30 days after running
dnssecsignzone

Expired signatures lead to zones that
will not validate!"

I followed Clegg's presentation to try out dnssec.

Then there's this:

"Any time you modify a zone – or at
least every 30 days (minus TTL) you
must re-run dnssecsignzone

If you don't
1) Zone data will be stale
2) Zone data will be GONE"

So, for me, that's three zones I have to mess with every 30 days.  Then 
Clegg says the ZSK keys should be changed every quarter and the KSK 
keys every year.  So I have to resign monthly, regen ZSK keys quarterly 
and regen KSK keys annually, and I have to do this without breaking any of 
my zones so that they stop resolving for periods long enough to clear out 
caches.

How is the average person supposed to understand this, much less do it 
correctly?  Don't misunderstand me, Mark, I'm all for security.  But this 
ain't easy, and the online information only confuses the issue.

Clegg also says this:

"When finished:
2 ZSK files (.key and .private)
2 KSK files (.key and .private)
2 zonefiles (unsigned and .signed)"

So, do I have to have two zone files or not?  As someone who is trying to 
understand this new technology, I have to tell you, the online 
documentation isn't written for non dns-gurus.

I'll be happy to sign my zones, but not until I understand how it works, 
what the ramifications are and what my maintenance responsibilities are.

Paul Schmehl
If it isn't already obvious,
my opinions are my own and not
those of my employer.
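As an added example (not code from this thread, from Clegg's presentation, or from BIND): a small Python check that reads the RRSIG expiration times out of a dnssec-signzone output file and reports whether the zone is inside the re-sign window Mark describes, i.e. earlier than the expiration minus the largest TTL (so cached copies cannot outlive their signatures) minus a safety margin. It assumes BIND's presentation format with one RRSIG per line and expiration/inception as YYYYMMDDHHMMSS in UTC; the zone fragment and the signature data are constructed placeholders, and `resign_deadline`, `needs_resign` and the one-day default margin are my own names and choices.

```python
"""Decide whether a signed zone must be re-signed, from its RRSIG timestamps."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample of a dnssec-signzone-style .signed file (one record per
# line; the base64 signature and key material are placeholders, not real).
# Inception is 1 hour before signing, expiration 30 days after, which is the
# default lifetime the thread quotes from Clegg's presentation.
SAMPLE_SIGNED_ZONE = """\
example.test.      3600 IN SOA   ns1.example.test. hostmaster.example.test. 2008072301 7200 3600 1209600 3600
example.test.      3600 IN RRSIG SOA 5 2 3600 20080822024706 20080723014706 12345 example.test. AAAA=
example.test.      3600 IN NS    ns1.example.test.
example.test.      3600 IN RRSIG NS 5 2 3600 20080822024706 20080723014706 12345 example.test. AAAA=
example.test.      3600 IN DNSKEY 257 3 5 BBBB=
example.test.      3600 IN RRSIG DNSKEY 5 2 3600 20080822024706 20080723014706 54321 example.test. AAAA=
www.example.test.  86400 IN A     192.0.2.10
www.example.test.  86400 IN RRSIG A 5 3 86400 20080822024706 20080723014706 12345 example.test. AAAA=
"""

# RRSIG presentation format: type-covered alg labels orig-ttl expiration
# inception key-tag signer signature (signature is ignored here).
RRSIG_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+(?P<signer>\S+)"
)


@dataclass
class Rrsig:
    name: str
    covered: str
    ttl: int
    expiration: datetime
    inception: datetime
    keytag: int


def parse_timestamp(stamp):
    """YYYYMMDDHHMMSS (RRSIG presentation format) -> aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return every RRSIG record found in the zone text, in file order."""
    sigs = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append(Rrsig(
                name=m["name"], covered=m["covered"], ttl=int(m["ttl"]),
                expiration=parse_timestamp(m["expiration"]),
                inception=parse_timestamp(m["inception"]),
                keytag=int(m["keytag"]),
            ))
    return sigs


def signature_lifetime(zone_text):
    """Longest inception-to-expiration span among the zone's signatures."""
    sigs = parse_rrsigs(zone_text)
    if not sigs:
        raise ValueError("no RRSIG records: zone is not signed")
    return max(s.expiration - s.inception for s in sigs)


def resign_deadline(zone_text, safety_margin_seconds=86400):
    """Latest moment by which dnssec-signzone must have been re-run.

    Earliest expiration, minus the largest TTL of any signed record (so a
    copy fetched just before re-signing cannot expire while still cached),
    minus a safety margin (my own choice, default one day).
    """
    sigs = parse_rrsigs(zone_text)
    if not sigs:
        raise ValueError("no RRSIG records: zone is not signed")
    earliest_expiration = min(s.expiration for s in sigs)
    max_ttl = max(s.ttl for s in sigs)
    return earliest_expiration - timedelta(seconds=max_ttl + safety_margin_seconds)


def needs_resign(zone_text, now, safety_margin_seconds=86400):
    """True once the current time has reached the re-sign deadline."""
    return now >= resign_deadline(zone_text, safety_margin_seconds)


if __name__ == "__main__":
    deadline = resign_deadline(SAMPLE_SIGNED_ZONE)
    print("signature lifetime:", signature_lifetime(SAMPLE_SIGNED_ZONE))
    print("re-sign no later than:", deadline.isoformat())
    for when in ("20080724000000", "20080820030000"):
        now = parse_timestamp(when)
        print(now.isoformat(), "needs re-sign:", needs_resign(SAMPLE_SIGNED_ZONE, now))
```

Run against a real .signed file this is the check a periodic(8) script would make before deciding to call dnssec-signzone again; the key-rollover schedule (ZSK quarterly, KSK annually) is a separate, longer clock that this check does not cover.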


More information about the freebsd-stable mailing list