[92505] in North American Network Operators' Group
Re: fyi-- [dns-operations] early key rollover for dlv.isc.org
daemon@ATHENA.MIT.EDU (Gregory Hicks)
Fri Sep 22 20:04:46 2006
Date: Fri, 22 Sep 2006 17:01:31 -0700 (PDT)
From: Gregory Hicks <ghicks@cadence.com>
Reply-To: Gregory Hicks <ghicks@cadence.com>
To: fergdawg@netzero.net, jsdy@center.osis.gov
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
> Date: Fri, 22 Sep 2006 19:55:39 -0400
> From: Joseph S D Yao <jsdy@center.osis.gov>
> To: Fergie <fergdawg@netzero.net>
> Cc: nanog@merit.edu
> Subject: Re: fyi-- [dns-operations] early key rollover for dlv.isc.org
>
>
> On Fri, Sep 22, 2006 at 11:39:51PM +0000, Fergie wrote:
> > Hmmm. It wouldn't have anything to do with prime numbers, now would
> > it? :-)
>
>
> Well, yes, but there are an infinite number of them.
>
> Of course, 17 is the most prime of them all.

isc.org announced the early key rollover just as a discussion about
"exponent 3 damage spreads" on the cryptography list was heating up.
This discussion started with a statement that:
> I've just noticed that BIND is vulnerable to:
>
> http://www.openssl.org/news/secadv_20060905.txt
>
> Executive summary:
>
> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> default. Note that the issue is in the resolver, not the server.
>
> Fix:
>
> Upgrade OpenSSL.

So I thought that the early key rollover was due to this. Yet it seems
to me that this discussion is still recommending that "-e 3" be used.
Regards,
Gregory Hicks
-------------------------------------------------------------------
I am perfectly capable of learning from my mistakes. I will surely
learn a great deal today.
"A democracy is a sheep and two wolves deciding on what to have for
lunch. Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin
"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton