Bind 9.5.0-P2, DNSSEC and /dev/random

Mark Andrews Mark_Andrews at isc.org
Mon Sep 1 01:57:18 UTC 2008


> > > And based on my reading of the intro these keys need to be updated at
> > > least monthly?
> > >
> > > Michael
> >
> > 	The frequency keys need to be changed is based on their
> > 	strength (size).  The current recommendations are very
> > 	conservitive and also factor in that humans need to repeat
> > 	operations regularly to get them correct and not forget how
> > 	to do the rollover.  From a crypto standpoint alone you,
> > 	generally, don't need to roll keys monthly.
> >
> > 	As more and more automation takes place the frequency of
> > 	rolling keys will fall more and more into line with their
> > 	crypto strength rather than be driven by human requirements.
> >
> > 	SSL certificates are valid for multiple years and they use
> > 	the same crypto.  They are also simpler to use at this point
> > 	in time.  Buy and copy into place.
> 
> So for the domain name "networkstuff.co.nz", I would need to buy a certificate 
> for "networkstuff.co.nz" or would it need to be a wildcard certificate? 
> ie: "*.networkstuff.co.nz" as these are expensive...

	You are confusing SSL and DNSSEC.  Both use the same
	underlying public key cryptography techniques.  They just
	package them up differently.

	For DNSSEC you use dnssec-keygen to create the key and
	dnssec-signzone to sign the zone.  You pass the DS RRset
	to your parent zone's administrator for them to sign so they
	can make a secure referral to you. If your parent is not
	yet signed you can send the DS RRset (or DLV RRset) to us
	and we will include it in the DLV tree.  It's a trivial
	matter to convert from DS to DLV as only the name and type
	code are changed.

	If you send us your DS/DLV RRset then when your parent starts
	signing their zone you need to tell us to remove the DLV
	RRset and to send the parent zone the DS RRset.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
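The procedure Mark outlines above (generate keys, sign the zone, hand the DS RRset to the parent, or rewrite it as a DLV RRset while the parent is unsigned), as an added shell example that is not part of the original post. The zone name is taken from the question; the zone file name, key sizes, the use of /dev/urandom as the random device, and the DLV registry suffix dlv.isc.org are assumptions of this example, and the DS digest in the sample record is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: the zone
# networkstuff.co.nz (from the question), the zone file name, the key
# sizes, and the DLV registry suffix dlv.isc.org.
set -e

ZONE=networkstuff.co.nz
ZONEFILE=$ZONE.zone          # assumed unsigned zone file (SOA, NS, ... already present)
DLV_REGISTRY=dlv.isc.org     # assumed DLV registry zone

# Create a ZSK and a KSK, append the public keys to the zone and sign it.
# -r points both tools at a non-blocking random device so key generation
# does not stall on an entropy-starved /dev/random (the subject of this thread).
# Algorithm 5 (RSASHA1) matches the 2008 setting of the post.
sign_zone() {
    zsk=$(dnssec-keygen -r /dev/urandom -a RSASHA1 -b 1024 -n ZONE "$ZONE")
    ksk=$(dnssec-keygen -r /dev/urandom -a RSASHA1 -b 2048 -f KSK -n ZONE "$ZONE")
    cat "$zsk.key" "$ksk.key" >> "$ZONEFILE"
    # Writes $ZONEFILE.signed (load this into named) and dsset-$ZONE.
    # (the DS RRset to hand to the parent zone's administrator).
    dnssec-signzone -r /dev/urandom -o "$ZONE" "$ZONEFILE"
}

# While the parent is unsigned: rewrite the DS RRset as a DLV RRset.  As the
# post says, only the owner name and the type mnemonic change; key tag,
# algorithm, digest type and digest are carried over verbatim.
ds_to_dlv() {
    # $1: DLV registry zone; stdin: DS records in presentation format
    awk -v reg="$1" '
        {
            for (i = 2; i <= NF; i++) if ($i == "DS") break
            if (i > NF) next                 # not a DS record: skip it
            owner = $1
            sub(/\.$/, "", owner)            # drop the trailing dot
            $1 = owner "." reg "."           # e.g. zone.dlv.isc.org.
            $i = "DLV"
            print
        }'
}

# Constructed sample DS record; the digest is a placeholder, not a real key.
SAMPLE_DS='networkstuff.co.nz. IN DS 12345 5 1 0123456789ABCDEF0123456789ABCDEF01234567'

if [ "${1:-}" = sign ]; then
    sign_zone
    ds_to_dlv "$DLV_REGISTRY" < "dsset-$ZONE."
else
    printf '%s\n' "$SAMPLE_DS" | ds_to_dlv "$DLV_REGISTRY"
fi
```

Run with the argument `sign` on a host with the BIND tools installed to actually generate keys and sign the zone; without it the script only demonstrates the DS to DLV rewrite on the constructed record. Once the parent zone is signed, the DLV RRset is withdrawn from the registry and the unchanged dsset file goes to the parent instead, exactly as the post describes. Modern deployments would replace RSASHA1 with RSASHA256 or ECDSAP256SHA256.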

