nanog mailing list archives
Re: fyi-- [dns-operations] early key rollover for dlv.isc.org
From: Gregory Hicks <ghicks () cadence com>
Date: Fri, 22 Sep 2006 17:01:31 -0700 (PDT)
Date: Fri, 22 Sep 2006 19:55:39 -0400
From: Joseph S D Yao <jsdy () center osis gov>
To: Fergie <fergdawg () netzero net>
Cc: nanog () merit edu
Subject: Re: fyi-- [dns-operations] early key rollover for dlv.isc.org

On Fri, Sep 22, 2006 at 11:39:51PM +0000, Fergie wrote:

Hmmm. It wouldn't have anything to do with prime numbers, now would it? :-)

Well, yes, but there are an infinite number of them. Of course, 17 is the most prime of them all.
isc.org announced the early key rollover just as a discussion about "exponent 3 damage spreads" on the cryptography list was heating up. This discussion started with a statement that:
I've just noticed that BIND is vulnerable to:

http://www.openssl.org/news/secadv_20060905.txt

Executive summary: RRSIGs can be forged if your RSA key has exponent 3, which is BIND's default. Note that the issue is in the resolver, not the server.

Fix: Upgrade OpenSSL.
So I thought that the early key rollover was due to this. Yet it seems to me that this discussion is still recommending that "-e 3" be used.

Regards,
Gregory Hicks

-------------------------------------------------------------------
I am perfectly capable of learning from my mistakes. I will surely learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for lunch. Freedom is a well armed sheep contesting the results of the decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they be properly armed." --Alexander Hamilton
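An added example, not part of the original message or of BIND: the quoted summary ties the forgery risk to RSA keys with exponent 3, so this sketch decodes the RSA key field of DNSKEY records (RFC 3110 layout) and lists the ones published with exponent 3. It assumes one record per line in presentation format; the function names, the `example.` owner names and the placeholder modulus are constructed for illustration.

```python
import base64

RSA_ALGORITHMS = {1, 5, 7, 8, 10}  # DNSSEC algorithm numbers that carry RSA keys

def rsa_dnskey_exponent(pubkey_b64):
    """Decode RFC 3110 RSA key data; return (public exponent, modulus bits)."""
    raw = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    if len(raw) < 3:
        raise ValueError("key data too short")
    exp_len, offset = raw[0], 1
    if exp_len == 0:  # long form: exponent length is in the next two octets
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    if exp_len == 0 or len(raw) <= offset + exp_len:
        raise ValueError("truncated exponent or missing modulus")
    exponent = int.from_bytes(raw[offset:offset + exp_len], "big")
    modulus = int.from_bytes(raw[offset + exp_len:], "big")
    return exponent, modulus.bit_length()

def audit_dnskeys(zone_text):
    """Return (owner, algorithm, exponent, bits) for RSA DNSKEYs with e == 3."""
    findings = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")  # then: flags, protocol, algorithm, key
        if len(fields) < i + 5:
            continue
        algorithm = int(fields[i + 3])
        if algorithm not in RSA_ALGORITHMS:
            continue
        exponent, bits = rsa_dnskey_exponent("".join(fields[i + 4:]))
        if exponent == 3:
            findings.append((fields[0], algorithm, exponent, bits))
    return findings

def sample_key(exponent):
    """Constructed key data: placeholder 1024-bit modulus, not a real RSA key."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    modulus = bytes([0xC3]) + bytes(range(1, 128))
    return base64.b64encode(bytes([len(e)]) + e + modulus).decode()

# Constructed sample records (example. names are placeholders).
SAMPLE_ZONE = "\n".join([
    "e3.example. 3600 IN DNSKEY 257 3 5 " + sample_key(3),
    "f4.example. 3600 IN DNSKEY 257 3 5 " + sample_key(65537),
    "ec.example. 3600 IN DNSKEY 257 3 13 AAAA ; not RSA, skipped",
])

if __name__ == "__main__":
    for owner, alg, exp, bits in audit_dnskeys(SAMPLE_ZONE):
        print(f"{owner}: algorithm {alg}, exponent {exp}, {bits}-bit modulus")
```

This only inventories which keys use exponent 3; per the quoted advisory, the fix itself is upgrading OpenSSL on the validating resolver.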