Firms Tackle Security Flaw In Web Addressing System
Mark Andrews
Mark_Andrews at isc.org
Fri Jul 11 21:55:10 UTC 2008
>
> > > Also as a "NetReg" site we are heavily into dynamic dns update - how,
> > > if at all, is that affected?
> >
> > For BIND 9.5 you need to freeze periodically to
> > re-sign records that have not been re-signed as part of the
> > update process. BIND 9.6 will re-sign the zone as needed.
>
> So, under 9.5 new records will look "untrustworthy"
> until the zone is frozen and re-signed?
No. Signatures need to be re-generated periodically as
they have an expiry time. Any RRset which is affected by an
update gets its signature re-generated when the update is
made.
e.g. 20080808063617
dv.isc.org. 3600 IN RRSIG SOA 5 3 3600 20080808063617 20080709053617 14436 dv.isc.org. JbFx2aAn+4r+mt5oSKSPvyLB0lxssBBsE5si38ORBIftK9jO6GwkNV/3 I5wlj9rHG4EUxbz5JKMtj9CGqkqREQ==
RRsets which have *not* been touched by an update need to
have their signatures re-generated before they hit their
expiry date. This should be at least an expire interval
before the expiry time to allow the expire field to be
effective.
Once a week/daily you need to do something like:
cd /var/named/master/example.net
rndc freeze example.net
dnssec-signzone -N increment -f example.net example.net
rndc reload example.net
rndc thaw example.net
Where /var/named/master/example.net contains the key files
K* for example.net and the master file is "example.net".
Under 9.6 you won't need to do the above, as named
will work out which records are expiring when and sign them
well before they expire.
> Under 9.6 is there any sort of service outage/delay
> during this auto-re-signing?
No outage. Think of it as named performing an update on the
zone which just changes the signatures and the soa serial.
> We have zones with tens of thousands of records and during certain
> times of the year the updates come pretty fast.
>
> Thanks,
> John
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
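The check Mark describes, re-signing any RRSIG that will expire within one SOA expire interval, as an added example that is not part of the post and not ISC's or BIND's own code. It parses RRSIGs in zone-file presentation format (the dv.isc.org. SOA RRSIG is the one quoted above; the host1.example.net. A RRSIG and the one-week SOA expire value are constructed for illustration) and reports which owner/type pairs should be re-signed before the next freeze/sign/thaw run.

```python
"""Report RRSIGs that are due for re-signing under the BIND 9.5 freeze/sign/thaw scheme.

Added example, not code from the mailing-list post or from ISC. RRSIG
expiration and inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034).
"""
from datetime import datetime, timedelta, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"

# The first record is the SOA RRSIG quoted in the post; the second is a
# constructed record that expires within a few days of the post's date.
SAMPLE_RRSIGS = [
    "dv.isc.org. 3600 IN RRSIG SOA 5 3 3600 20080808063617 20080709053617 14436 dv.isc.org. "
    "JbFx2aAn+4r+mt5oSKSPvyLB0lxssBBsE5si38ORBIftK9jO6GwkNV/3 I5wlj9rHG4EUxbz5JKMtj9CGqkqREQ==",
    "host1.example.net. 3600 IN RRSIG A 5 3 3600 20080715000000 20080615000000 12345 example.net. "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==",
]


def _rrsig_time(field):
    """Convert an RRSIG timestamp field to a timezone-aware UTC datetime."""
    return datetime.strptime(field, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG record in presentation format into a dict of its fields."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    rrsig = {
        "owner": f[0],
        "ttl": int(f[1]),
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": _rrsig_time(f[8]),
        "inception": _rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        # The base64 signature may be split across whitespace in zone files.
        "signature": "".join(f[12:]),
    }
    if rrsig["inception"] >= rrsig["expiration"]:
        raise ValueError("RRSIG inception must precede expiration")
    return rrsig


def needs_resign(rrsig, now, soa_expire):
    """True if the signature expires within one SOA expire interval of `now`.

    This is the margin the post recommends, so that secondaries which stop
    transferring still serve valid signatures until their copy expires.
    """
    return now + soa_expire >= rrsig["expiration"]


def due_for_resign(lines, now, soa_expire):
    """Return 'owner/type' for every RRSIG in `lines` that needs re-signing."""
    return [
        r["owner"] + "/" + r["type_covered"]
        for r in map(parse_rrsig, lines)
        if needs_resign(r, now, soa_expire)
    ]


if __name__ == "__main__":
    # Evaluate as of the post's date with a constructed one-week SOA expire.
    post_time = datetime(2008, 7, 11, 21, 55, 10, tzinfo=timezone.utc)
    for entry in due_for_resign(SAMPLE_RRSIGS, post_time, timedelta(days=7)):
        print("re-sign needed:", entry)
```

Run it before the weekly freeze/sign/thaw to see whether anything is close enough to expiry that the run cannot wait; a list that stays empty is the normal case when the re-sign schedule is shorter than the signature validity minus the SOA expire interval.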