Correction to signatures on yesterday's BIND 9 releases

Mark Andrews marka at isc.org
Thu Jul 30 08:51:54 UTC 2009


In message <20090730070805.GA1065 at nic.fr>, Stephane Bortzmeyer writes:
> On Wed, Jul 29, 2009 at 04:25:18PM +0000,
>  Evan Hunt <each at isc.org> wrote 
>  a message of 16 lines which said:
> 
> > Due to a combination of circumstances, including extreme rush and
> > the usual signer of our releases being away at IETF, we accidentally
> > signed yesterday's BIND 9 patch releases (9.4.3-P3, 9.5.1-P3, and
> > 9.6.1-P1) with the expired 2006 ISC signing key
> 
> How many people checked them? Probably not a lot since I did not see
> reports "BIND releases corrupted!". It tells a lot about Internet
> security. And makes me seriously worry for the future when DNSSEC will
> be deployed...

	It also depended upon whether you had refreshed the keys
	on your keyring recently or not as to whether it is reported
	as expired or not.

	Most users do indirect verification by having just a hash
	which the maintainer for the package creates.  The end user
	assumes the maintainer checks the validity before creating
	the hash.

	Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
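
Added example, not part of the original message and not ISC's tooling: a shell sketch for a package maintainer who verifies a release before publishing a hash, reading GnuPG's machine-readable status lines so that a signature from an expired key is rejected rather than overlooked. The function names, verdict words and sample key ID are assumptions made for illustration; the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Run "gpg --refresh-keys"
# beforehand so the local copy of the signing key has current expiry data.

# Constructed sample status output (key ID and user ID are placeholders).
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1167609600
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signing Key <sign@example.org>'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signing Key <sign@example.org>'

# Read "gpg --status-fd" lines on stdin and print a single verdict word.
classify_gpg_status() {
    verdict=unsigned
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    verdict=bad; break ;;
            "[GNUPG:] REVKEYSIG "*) verdict=revoked-key ;;
            "[GNUPG:] EXPKEYSIG "*) verdict=expired-key ;;
            "[GNUPG:] EXPSIG "*)    verdict=expired-signature ;;
            "[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                # Signature present but could not be checked (e.g. key missing).
                if [ "$verdict" = unsigned ]; then verdict=cannot-check; fi ;;
            "[GNUPG:] GOODSIG "*)
                # Only accept if nothing worse was seen earlier in the stream.
                if [ "$verdict" = unsigned ]; then verdict=good; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# Usage: verify_release SIGFILE TARBALL
# Succeeds only for a good signature from a key that is neither expired nor revoked.
verify_release() {
    status=$(gpg --batch --no-tty --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    result=$(printf '%s\n' "$status" | classify_gpg_status)
    printf '%s: %s\n' "$2" "$result" >&2
    [ "$result" = good ]
}
```

Only publish the hash when `verify_release` succeeds; the verdict printed on stderr tells the maintainer why a release was refused.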
