Message-Id: <200807230756.m6N7uoNW036882@drugs.dv.isc.org>
To: freebsd-stable@freebsd.org
From: Mark Andrews
Sender: marka@isc.org
In-reply-to: Your message of "Wed, 23 Jul 2008 09:32:47 +0200." <20080723073247.GJ308@rail.eu.org>
Date: Wed, 23 Jul 2008 17:56:50 +1000
Subject: Re: FreeBSD 7.1 and BIND exploit

> On Wed 23/07/2008, Mark Andrews said
> >
> > To roll a key signing key. Add the key at a weekly signing.
> > Wait for the DNSKEY RRset TTL to expire. Send the new
> > DS/DLV records for the new keys to the parent/DLV operator.
> > Once the updated parent / DLV operator has updated the
> > DS/DLV RRset wait for the old TTL to expire. Remove the
> > old key signing key at your discretion. Normally you
> > would do this at the next weekly signing. This procedure
> > requires one interaction with the parent/dlv operator during
> > the rollover.
> >
> > Note this is not much different than what is required when
> > changing nameservers.
>
> But changing a nameserver is an exceptional operation. Nobody wants the burden
> of an exceptional operation to come back regularly.

KSK changes should be approximately annual which is short
enough not to forget but long enough to not be a burden.

> --
> Erwan

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
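
The rollover order quoted above, as an added example that is not part of the original message: it computes the earliest safe time for each step and flags a recorded rollover that skipped a wait. It assumes "the old TTL" means the TTL of the DS/DLV RRset at the parent/DLV operator; the function names, event keys, dates and TTLs are constructed for illustration.

```python
from datetime import datetime, timedelta

WEEK = timedelta(weeks=1)  # "weekly signing" cadence from the message


def next_signing(first_signing, not_before, interval=WEEK):
    """First scheduled signing run at or after not_before."""
    if not_before <= first_signing:
        return first_signing
    runs = -((first_signing - not_before) // interval)  # ceiling division
    return first_signing + runs * interval


def plan_rollover(key_added, dnskey_ttl, ds_ttl, parent_updated=None):
    """Earliest safe time for each step of the KSK roll."""
    plan = {"send_ds_not_before": key_added + dnskey_ttl,
            "remove_not_before": None, "remove_at_signing": None}
    if parent_updated is not None:  # known only once the parent has acted
        plan["remove_not_before"] = parent_updated + ds_ttl
        plan["remove_at_signing"] = next_signing(key_added,
                                                 plan["remove_not_before"])
    return plan


def check_rollover(events, dnskey_ttl, ds_ttl):
    """Return the ordering violations found in a recorded rollover."""
    plan = plan_rollover(events["key_added"], dnskey_ttl, ds_ttl,
                         events.get("parent_updated"))
    problems = []
    sent = events.get("ds_sent")
    if sent is not None and sent < plan["send_ds_not_before"]:
        problems.append("DS/DLV sent before the DNSKEY RRset TTL expired")
    removed = events.get("old_ksk_removed")
    if removed is not None:
        if plan["remove_not_before"] is None:
            problems.append("old KSK removed before the parent/DLV update")
        elif removed < plan["remove_not_before"]:
            problems.append("old KSK removed before the old DS/DLV TTL expired")
    return problems


if __name__ == "__main__":
    # Constructed sample values: 1-day DNSKEY TTL, 2-day DS/DLV TTL.
    events = {"key_added": datetime(2008, 7, 23),
              "ds_sent": datetime(2008, 7, 24, 9),
              "parent_updated": datetime(2008, 7, 28, 12),
              "old_ksk_removed": datetime(2008, 7, 30)}  # one signing too early
    print(plan_rollover(events["key_added"], timedelta(days=1),
                        timedelta(days=2), events["parent_updated"]))
    print(check_rollover(events, timedelta(days=1), timedelta(days=2)))
```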