Correction to signatures on yesterday's BIND 9 releases

Steve Lancaster stevelan at cesa.opbu.xerox.com
Thu Jul 30 17:18:27 UTC 2009


[In a message on Thu, 30 Jul 2009 09:08:05 +0200,
  "Stephane Bortzmeyer" wrote:]

>
>How many people checked them? Probably not a lot since I did not see
>reports "BIND releases corrupted!". It tells a lot about Internet
>security. And makes me seriously worry for the future when DNSSEC will
>be deployed...

More likely it says "Folks don't grab patches nearly as quickly as we'd
hope."

If signatures are provided I usually use them.

A bit more problematic is the verification that the signature is in
fact the most current signature... So... what I suspect you get more of
is "the signature is verified... but I have no idea who signed it!"

CPAN's implementation of signature validation is probably an indication
of the way things like this need to work, if the chain is going to be
trusted from end to end.

Steve 
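
Added example, not part of the original message or of BIND's or CPAN's tooling: a Python check that separates "the signature verifies" from "the signature was made by the key I expect" by reading the machine-readable output of `gpg --status-fd 1 --verify`. The pinned fingerprint, key IDs, names and status lines are constructed; it assumes the release key's fingerprint was obtained out of band.

```python
# Constructed value: fingerprint of the release key, obtained out of band.
PINNED_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"

def classify(status_text, pinned_fpr=PINNED_FPR):
    """Classify `gpg --status-fd` output from a --verify run.

    Returns 'bad', 'expired-or-revoked', 'valid-unknown-signer'
    or 'valid-pinned-signer'.
    """
    good, stale, fprs = False, False, set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        keyword = fields[0]
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return "bad"
        if keyword in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            stale = True
        elif keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and len(fields) > 1:
            # First argument: fingerprint of the key that made the signature.
            # Last argument (when present): fingerprint of its primary key.
            fprs.update({fields[1].upper(), fields[-1].upper()})
    if stale:
        return "expired-or-revoked"
    if not good or not fprs:
        return "bad"
    # A good signature only proves that *some* key in the keyring signed the
    # file; TRUST_UNDEFINED is gpg saying it cannot vouch for the owner.
    # Comparing against a pinned fingerprint answers "who signed it?".
    if pinned_fpr.upper() in fprs:
        return "valid-pinned-signer"
    return "valid-unknown-signer"

def _sample(fpr):
    # Constructed status output for a good signature made by key `fpr`.
    return ("[GNUPG:] GOODSIG %s Example Signer <signer@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2009-07-30 1248973200 0 4 0 1 2 00 %s\n"
            "[GNUPG:] TRUST_UNDEFINED\n" % (fpr[-16:], fpr, fpr))

SAMPLE_PINNED = _sample(PINNED_FPR)
SAMPLE_UNKNOWN = _sample("9999000088881111777722226666333355554444")
SAMPLE_BAD = "[GNUPG:] BADSIG DDDD4444EEEE5555 Example Signer <signer@example.org>\n"
```

Both good samples carry `GOODSIG` and `TRUST_UNDEFINED`; only the fingerprint comparison tells them apart.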



