Firms Tackle Security Flaw In Web Addressing System

Mark Andrews Mark_Andrews at isc.org
Fri Jul 11 21:55:10 UTC 2008


> 
> > > Also as a "NetReg" site we are heavily into dynamic dns update - how,
> > > if at all, is that affected?
> > 
> > 	For BIND 9.5 you need to freeze the zone periodically to
> > 	re-sign records that have not been re-signed as part of the
> > 	update process.  BIND 9.6 will re-sign the zone as needed.
> 
>      So, under 9.5 new records will look "untrustworthy"
>      until the zone is frozen and re-signed?

	No.  Signatures need to be re-generated periodically as
	they have an expiry time.  Any RRset which is affected by an
	update gets its signature re-generated when the update is
	made.

	e.g. 20080808063617

dv.isc.org.             3600    IN      RRSIG   SOA 5 3 3600 20080808063617 20080709053617 14436 dv.isc.org. JbFx2aAn+4r+mt5oSKSPvyLB0lxssBBsE5si38ORBIftK9jO6GwkNV/3 I5wlj9rHG4EUxbz5JKMtj9CGqkqREQ==

	RRsets which have *not* been touched by an update need to
	have their signatures re-generated before they hit their
	expiry date.  This should be at least an expire interval
	before the expiry time to allow the expire field to be
	effective.

	Once a week/daily you need to do something like:

		cd /var/named/master/example.net
		rndc freeze example.net
		dnssec-signzone -N increment -f example.net example.net
		rndc reload example.net
		rndc thaw example.net

	Where /var/named/master/example.net contains the key files
	K* for example.net and the master file is "example.net".

	Under 9.6 the above won't be needed as named will work out
	which records are expiring when and sign them well before
	they will expire.

>      Under 9.6 is there any sort of service outage/delay
>      during this auto-re-signing?

	No outage.  Think of it as named performing an update on the
	zone which just changes the signatures and the soa serial.

>      We have zones with tens of thousands of records and during certain
>      times of the year the updates come pretty fast.
> 
> Thanks,
> John
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
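The re-signing rule in the reply above (re-generate a signature at least one SOA expire interval before its expiry, and treat an RRSIG outside its inception/expiration window as invalid) can be turned into a check that tells an operator when the manual freeze/sign/thaw cycle is due. The following is an added example and not code from the mailing-list post or from BIND; it parses the RRSIG presentation format shown in the message, using the SOA RRSIG from the post as constructed sample input, and the expire interval of 1209600 seconds (two weeks) is an assumed value, not one stated on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# The SOA RRSIG quoted in the post, used here as constructed sample input.
EXAMPLE_RRSIG = (
    "dv.isc.org.             3600    IN      RRSIG   SOA 5 3 3600 "
    "20080808063617 20080709053617 14436 dv.isc.org. "
    "JbFx2aAn+4r+mt5oSKSPvyLB0lxssBBsE5si38ORBIftK9jO6GwkNV/3 "
    "I5wlj9rHG4EUxbz5JKMtj9CGqkqREQ=="
)

# Assumed SOA expire interval (two weeks); take the real one from the zone's SOA.
ASSUMED_EXPIRE_INTERVAL = 1209600


@dataclass
class Rrsig:
    owner: str
    ttl: int
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str
    signature: str


def utc(*args):
    """Build a timezone-aware UTC datetime from (year, month, day[, h, m, s])."""
    return datetime(*args, tzinfo=timezone.utc)


def _parse_ts(text):
    # RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034 presentation format).
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG record in master-file presentation format."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return Rrsig(
        owner=f[0], ttl=int(f[1]), type_covered=f[4], algorithm=int(f[5]),
        labels=int(f[6]), original_ttl=int(f[7]),
        expiration=_parse_ts(f[8]), inception=_parse_ts(f[9]),
        key_tag=int(f[10]), signer=f[11],
        # The base64 signature may be split across whitespace; rejoin it.
        signature="".join(f[12:]),
    )


def is_valid_at(sig, now):
    """A validator accepts the signature only inside [inception, expiration]."""
    return sig.inception <= now <= sig.expiration


def resign_deadline(sig, expire_interval):
    """Latest moment to re-sign: one SOA expire interval before expiry."""
    return sig.expiration - timedelta(seconds=expire_interval)


def needs_resign(sig, now, expire_interval):
    """True once the deadline has passed, i.e. a freeze/sign/thaw cycle is due."""
    return now >= resign_deadline(sig, expire_interval)


def stale_rrsigs(lines, now, expire_interval):
    """Return the RRSIGs in a zone dump that should be re-generated now."""
    return [s for s in map(parse_rrsig, lines)
            if needs_resign(s, now, expire_interval)]


if __name__ == "__main__":
    sig = parse_rrsig(EXAMPLE_RRSIG)
    now = utc(2008, 7, 26)
    print("re-sign deadline:", resign_deadline(sig, ASSUMED_EXPIRE_INTERVAL))
    print("re-sign needed at", now, "->", needs_resign(sig, now, ASSUMED_EXPIRE_INTERVAL))
```

Run `stale_rrsigs` over the RRSIG lines of a `dig AXFR` or `named-checkzone -D` dump; a non-empty result means the manual `rndc freeze` / `dnssec-signzone` / `rndc thaw` sequence from the reply is due for a 9.5 server. Keeping the margin equal to the SOA expire interval, as the reply recommends, means a secondary that cannot reach the primary still serves valid signatures for as long as the zone itself stays usable.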

