FreeBSD 7.1 and BIND exploit
Ruben van Staveren
ruben at verweg.com
Wed Jul 23 13:49:46 UTC 2008
On 23 Jul 2008, at 4:18, Paul Schmehl wrote:
>>
>> WRONG.
>>
>> You need to re-sign the zone an expire period before the
>> signatures expire. You need to generate new keys periodically
>> but nowhere near every 30 days.
>>
>
> OK. I misspoke. I got the 30 days from Andrew Clegg's presentation
> and confused keys with signatures. But still, you have to re-sign
> *every* zone every 30 days.
Don't forget to bump the zone serial too... as your secondaries will
not catch up otherwise and start serving expired RRSIGs, leaving your
zone dead in the water.
- R
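
Added example, not part of the original message: a small check for the failure described above, where a zone is re-signed without a serial bump and a secondary keeps serving the old signatures. The zone name, serials, key tag and signature blobs are constructed sample data, and the input is assumed to be dig-style answer lines (SOA plus its RRSIG) captured from each server.

```python
from datetime import datetime, timezone

# Constructed dig-style answers (SOA + its RRSIG) for example.org; not real data.
PRIMARY = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2008062301 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 5 2 3600 20080822000000 20080723000000 12345 example.org. c2lnLW5ldw==
"""
SECONDARY = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2008062301 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 5 2 3600 20080723000000 20080623000000 12345 example.org. c2lnLW9sZA==
"""

def parse_answers(text):
    """Return (SOA serial, list of RRSIG expiration datetimes in UTC)."""
    serial, expiries = None, []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 11 and f[3] == "SOA":
            serial = int(f[6])
        elif len(f) >= 13 and f[3] == "RRSIG":
            # RRSIG rdata: covered alg labels orig-ttl EXPIRATION inception tag signer sig
            exp = datetime.strptime(f[8], "%Y%m%d%H%M%S")
            expiries.append(exp.replace(tzinfo=timezone.utc))
    return serial, expiries

def serial_behind(secondary, primary):
    """RFC 1982 serial arithmetic: True when secondary is older than primary."""
    return secondary != primary and (primary - secondary) % 2**32 < 2**31

def check_secondary(primary_text, secondary_text, now):
    """List the problems visible on a secondary compared with the primary."""
    p_serial, p_exp = parse_answers(primary_text)
    s_serial, s_exp = parse_answers(secondary_text)
    problems = []
    if serial_behind(s_serial, p_serial):
        problems.append("secondary serial is behind primary")
    elif s_serial == p_serial and s_exp and p_exp and min(s_exp) < min(p_exp):
        # Primary was re-signed but the serial was not bumped: no transfer happens.
        problems.append("same serial but older signatures: re-signed without serial bump")
    expired = sum(1 for e in s_exp if e <= now)
    if expired:
        problems.append(f"{expired} expired RRSIG(s) being served")
    return problems

if __name__ == "__main__":
    now = datetime(2008, 7, 23, 13, 49, 46, tzinfo=timezone.utc)
    for problem in check_secondary(PRIMARY, SECONDARY, now):
        print(problem)
```
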