Bind 9.5.0-P2, DNSSEC and /dev/random
Mark Andrews
Mark_Andrews at isc.org
Mon Sep 1 01:19:50 UTC 2008
> > When generating large keys I just keep running "ls -R /" until the
> > key generation completes. You can also use the keyboard. Install
> > a hardware random number generator and configure the kernel to use
> > it (might require an OS change as I don't know if this is supported
> > under Linux).
> >
> > Mark
>
> And based on my reading of the intro these keys need to be updated at least
> monthly?
>
> Michael
The frequency at which keys need to be changed is based on their
strength (size). The current recommendations are very
conservative and also factor in that humans need to repeat
operations regularly to get them correct and not forget how
to do the rollover. From a crypto standpoint alone you,
generally, don't need to roll keys monthly.
As more and more automation takes place the frequency of
rolling keys will fall more and more into line with their
crypto strength rather than be driven by human requirements.
SSL certificates are valid for multiple years and they use
the same crypto. They are also simpler to use at this point
in time. Buy and copy into place.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org