[92455] in North American Network Operators' Group
Re: fyi-- [dns-operations] early key rollover for dlv.isc.org
daemon@ATHENA.MIT.EDU (Paul Vixie)
Thu Sep 21 13:03:05 2006
To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 21 Sep 2006 17:01:45 +0000
In-Reply-To: <10625.1158856356@sa.vix.com>
Errors-To: owner-nanog@merit.edu
paul@vix.com (Paul Vixie) writes:
> EARLY KEY ROLLOVER
>
> ---
>
> In light of the recently announced OpenSSL security advisory: RSA Signature
> Forgery (CVE-2006-4339), ISC has instigated an early rollover of the DLV Key
> Signing Key (KSK). ISC recommends reconfiguration of resolvers to use the DLV
> KSK published on September 21, 2006.
>
> The old KSK will be retired on September 29, 2006.
>
> ---
>
> see http://www.isc.org/ops/dlv/ for details, and note that there's now a
> dlv-announce@ mailing list where folks can subscribe to learn about changes
> to the dlv trust anchor.
LarrySheldon@cox.net ("Laurence F. Sheldon, Jr.") writes:
> My mail reader can sanitize HTML mail for me, but it was stymied by this
> one. What is it?
included as above in even plainer text. my mail user-agent is emacs/mh-e, and
as far as i know it could not generate or consume HTML mail even if i tried.
smb@cs.columbia.edu ("Steven M. Bellovin") wrote:
> Paul, what exponent does the new key use? (I clicked on the public key
> link, but I can't decode the base64 that easily...)
it was made with bind9's "dnssec-keygen" utility, using the -e option, so...
-e use large exponent (RSAMD5/RSASHA1 only)
...hopefully it's a good exponent. (every few years someone tries to explain
to me what a key exponent is, i think you steve have tried, but it just doesn't
stick.)
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training@isc.org.
--
Paul Vixie