FreeBSD 7.1 and BIND exploit
Erwan David
erwan at rail.eu.org
Wed Jul 23 07:50:56 UTC 2008
On Wed 23/07/2008, Mark Andrews said:
>
> To roll a key signing key. Add the key at a weekly signing.
> Wait for the DNSKEY RRset TTL to expire. Send the new
> DS/DLV records for the new keys to the parent/DLV operator.
> Once the updated parent / DLV operator has updated the
> DS/DLV RRset wait for the old TTL to expire. Remove the
> old key signing key at your discretion. Normally you
> would do this at the next weekly signing. This procedure
> requires one interaction with the parent/DLV operator during
> the rollover.
>
> Note this is not much different than what is required when
> changing a nameserver.
But changing a nameserver is an exceptional operation. Nobody wants the burden of an exceptional operation to come back regularly.
--
Erwan
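The rollover Mark Andrews sketches above (publish the new KSK alongside the old one, wait out the DNSKEY TTL, hand the DS/DLV to the parent, wait out the DS TTL, then drop the old key) is easy to get wrong by acting on a step too early. The following is an added illustration, not code from this thread or from BIND: a small Python timing model that tracks the four steps and refuses a step while a resolver cache could still hold the older DNSKEY or DS RRset. The class and method names, the reading of "the old TTL" as the parent's DS/DLV RRset TTL, and the optional `propagation` slack are this example's own assumptions.

```python
"""Timing model of the double-signature KSK rollover described in the quoted
reply.  Added example, not BIND code: it only tracks when each step is safe
given the zone's DNSKEY RRset TTL and the parent's DS (or DLV) RRset TTL.
Names, the `propagation` slack and the DS-TTL reading are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


class RolloverOrderError(RuntimeError):
    """Raised when a step is attempted before caches can have caught up."""


@dataclass
class KskRollover:
    dnskey_ttl: int          # TTL of the zone's DNSKEY RRset (seconds)
    ds_ttl: int              # TTL of the DS/DLV RRset at the parent (seconds, assumed)
    propagation: int = 0     # assumed slack for secondaries / parent publication delay
    t_new_published: Optional[int] = None   # new KSK added, zone re-signed with both
    t_ds_submitted: Optional[int] = None    # DS/DLV for the new key sent to the parent
    t_ds_published: Optional[int] = None    # parent serves the updated DS/DLV RRset
    t_old_removed: Optional[int] = None     # old KSK dropped from the DNSKEY RRset

    # Step 1: add the new KSK at a signing; the DNSKEY RRset now carries both keys.
    def publish_new_ksk(self, now: int) -> None:
        self.t_new_published = now

    # A resolver may keep the *old* DNSKEY RRset (without the new key) for up to
    # dnskey_ttl after publication.  Only once that has expired can every
    # validator see the new key, so only then may a DS pointing at it go live.
    def earliest_ds_submission(self) -> int:
        if self.t_new_published is None:
            raise RolloverOrderError("new KSK has not been published yet")
        return self.t_new_published + self.dnskey_ttl + self.propagation

    # Step 2: send the DS/DLV for the new key to the parent or DLV operator.
    def submit_ds(self, now: int) -> None:
        earliest = self.earliest_ds_submission()
        if now < earliest:
            raise RolloverOrderError(
                f"DS submitted at {now}s but the old DNSKEY RRset may be cached until {earliest}s")
        self.t_ds_submitted = now

    # Step 3: the parent/DLV operator publishes the updated DS/DLV RRset.
    def parent_published_ds(self, now: int) -> None:
        if self.t_ds_submitted is None:
            raise RolloverOrderError("DS was never submitted to the parent")
        self.t_ds_published = now

    # Caches may keep serving the *old* DS, which matches only the old KSK, for
    # ds_ttl after the parent switched; the old key must stay in the zone until
    # then or those validators fail the chain of trust.
    def earliest_old_ksk_removal(self) -> int:
        if self.t_ds_published is None:
            raise RolloverOrderError("parent has not published the new DS yet")
        return self.t_ds_published + self.ds_ttl + self.propagation

    # Step 4: remove the old KSK, e.g. at the next weekly signing.
    def remove_old_ksk(self, now: int) -> None:
        earliest = self.earliest_old_ksk_removal()
        if now < earliest:
            raise RolloverOrderError(
                f"old KSK removed at {now}s but the old DS may be cached until {earliest}s")
        self.t_old_removed = now


def minimum_rollover_duration(dnskey_ttl: int, ds_ttl: int,
                              parent_delay: int, propagation: int = 0) -> int:
    """Shortest wall-clock time (seconds) from publishing the new KSK to the
    moment the old KSK can be removed, if the parent takes `parent_delay`
    seconds to publish the DS after it is submitted."""
    r = KskRollover(dnskey_ttl, ds_ttl, propagation)
    r.publish_new_ksk(0)
    t = r.earliest_ds_submission()
    r.submit_ds(t)
    r.parent_published_ds(t + parent_delay)
    t = r.earliest_old_ksk_removal()
    r.remove_old_ksk(t)
    return t


if __name__ == "__main__":
    # Constructed figures: one-hour DNSKEY TTL, one-day DS TTL, parent takes ~2 h.
    print(minimum_rollover_duration(3600, 86400, 6400))
```

The two waits are the whole point of the procedure: the DNSKEY wait protects validators that still hold the old DNSKEY RRset when the new DS appears, and the DS wait protects validators that still hold the old DS when the old KSK disappears. With a one-hour DNSKEY TTL and a one-day DS TTL the rollover cannot complete in under a day plus the parent's turnaround, which is the "one interaction with the parent" Mark Andrews refers to and the recurring burden the reply objects to.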