ksk in a volume

Tony Finch dot at dotat.at
Thu Jun 16 10:21:45 UTC 2011

Niobos <niobos at dest-unreach.be> wrote:
> However, I don't see any security-benefits in this scenario: If the attacker
> gets hold of the credentials to update the zone dynamically, he can do so in
> both cases (KSK online or offline). If your server is compromised, he can
> add/remove records in both cases. In case of ZSK compromise, you can
> generate&sign new ZSKs in both cases. In case of KSK compromise, you generate
> new KSKs and upload them to the parent. The only difference is that in the
> offline case, KSK compromise is a little less likely.

Getting the DS in the parent updated is much more difficult than a crash
ZSK rollover. The reason for protecting the KSK more than the ZSK is to
avoid the pain of having to deal with someone else in case of compromise.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Shannon, Rockall: South or southwest 5 to 7. Rough or very rough, occasionally
high for a time. Rain or showers. Moderate or good.

More information about the bind-users mailing list