Date:      Wed, 23 Jul 2008 17:56:50 +1000
From:      Mark Andrews <Mark_Andrews@isc.org>
To:        freebsd-stable@freebsd.org
Subject:   Re: FreeBSD 7.1 and BIND exploit 
Message-ID:  <200807230756.m6N7uoNW036882@drugs.dv.isc.org>
In-Reply-To: Your message of "Wed, 23 Jul 2008 09:32:47 +0200." <20080723073247.GJ308@rail.eu.org>


> On Wed 23/07/2008, Mark Andrews said
> > 
> > 	To roll a key signing key.  Add the key at a weekly signing.
> > 	Wait for the DNSKEY RRset TTL to expire.  Send the new
> > 	DS/DLV records for the new keys to the parent/DLV operator.
> > 	Once the parent / DLV operator has updated the
> > 	DS/DLV RRset, wait for the old TTL to expire.  Remove the
> > 	old key signing key at your discretion.  Normally you
> > 	would do this at the next weekly signing.  This procedure
> > 	requires one interaction with the parent/dlv operator during
> > 	the rollover.
> > 
> > 	Note this is not much different than what is required when
> > 	changing nameservers.
> 
> But changing nameservers is an exceptional operation. Nobody wants the burden
> of an exceptional operation to come back regularly.

	KSK changes should be approximately annual which is short enough
	not to forget but long enough to not be a burden.
 
> -- 
> Erwan
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
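
Added example, not part of the original message and not ISC or BIND code: a scheduler that turns the KSK rollover steps quoted above into earliest-safe dates. The signing day, TTLs and parent turnaround are constructed sample values, and all function and key names are hypothetical.

```python
from datetime import datetime, time, timedelta

def next_signing(t, weekday, at):
    """First weekly signing run at or after t (weekday: 0=Monday .. 6=Sunday)."""
    run = datetime.combine(t.date(), at) + timedelta(days=(weekday - t.weekday()) % 7)
    return run if run >= t else run + timedelta(days=7)

def ksk_rollover_plan(start, weekday, at, dnskey_ttl, old_ds_ttl, parent_turnaround):
    """Earliest time for each step of the rollover described in the message."""
    # Step 1: add the new KSK at a weekly signing.
    add_new = next_signing(start, weekday, at)
    # Step 2: wait for the DNSKEY RRset TTL, then send the new DS/DLV records.
    send_ds = add_new + dnskey_ttl
    # Step 3: the parent/DLV operator publishes them (delay is an assumption).
    parent_published = send_ds + parent_turnaround
    # Step 4: wait for the old DS/DLV TTL to expire from caches.
    old_ds_expired = parent_published + old_ds_ttl
    # Step 5: remove the old KSK, normally at the next weekly signing.
    remove_old = next_signing(old_ds_expired, weekday, at)
    return {
        "add_new_ksk": add_new,
        "send_ds_to_parent": send_ds,
        "parent_published": parent_published,
        "old_ds_expired": old_ds_expired,
        "remove_old_ksk": remove_old,
    }

def removal_is_safe(remove_at, parent_published_at, old_ds_ttl):
    """False while a resolver may still hold the old DS/DLV RRset in cache;
    removing the old KSK in that window breaks validation for that resolver."""
    return remove_at >= parent_published_at + old_ds_ttl

# Constructed sample input: signing runs Sundays at 02:00, one-day TTLs,
# three-day parent turnaround, planning started on the date of this message.
PLAN = ksk_rollover_plan(
    start=datetime(2008, 7, 23, 17, 56),
    weekday=6,
    at=time(2, 0),
    dnskey_ttl=timedelta(days=1),
    old_ds_ttl=timedelta(days=1),
    parent_turnaround=timedelta(days=3),
)

if __name__ == "__main__":
    for step, when in PLAN.items():
        print(f"{step:20s} {when:%a %Y-%m-%d %H:%M}")
```

Before actually removing the old key, call removal_is_safe() with the time the new DS/DLV RRset was really observed at the parent, not the planned time.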


