do not stupidly delete ZSK files

Heiko Richter email at heikorichter.name
Fri Aug 7 00:46:19 UTC 2015



On 07.08.2015 at 02:35, Dave Warren wrote:
> On 2015-08-06 17:26, Heiko Richter wrote:
>> Root is signed with RSASHA256 at the moment. There is no sense in
>> having a more secure algorithm because anybody who can't crack that
>> algorithm may just attack the weakest link in the chain above you.
> 
> This only holds while assuming similar key rotation schemes, I believe?
> If the roots are signed with RSASHA256 and rotate every 3 months, while
> you sign, set it and forget it, you're vulnerable to anyone that can
> crack RSASHA256 over any period of time.
> 
> Probably a theoretical difference, if it becomes feasible for someone to
> crack RSASHA256 in any reasonable level of time, it would be equally
> feasible to invest in 2x-8x the hardware and start breaking roots in
> under 3 months.
> 

That's why you should employ automated rollover.

For example my ZSKs are changed automatically every month. As the system
does this automatically I cannot forget to do it.

It's also not hard to implement that: just run a monthly cron job of
dnssec-keygen that dumps new keys into the key directory of every domain
and make proper use of the -P, -A, -I and -D switches.

Sadly automated KSK rollover isn't supported by most registrars, but my
master server sends me an email reminder whenever a KSK keyfile gets too
old because I forgot the rollover....
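The monthly cron-driven ZSK rollover described above, as an added example that is not the poster's script: it derives the -P/-A/-I/-D timestamps for each monthly dnssec-keygen run and checks that consecutive keys overlap correctly (successor published before it signs, predecessor kept until its signatures have expired from caches). The key directory, zone name, key size and TTLs are assumptions.

```python
# Added example: monthly ZSK pre-publish rollover timing for BIND's dnssec-keygen.
# Key directory, zone, key size and TTLs are assumptions, not the poster's setup.
from datetime import datetime, timedelta

DNSKEY_TTL = timedelta(hours=1)     # assumed TTL of the zone's DNSKEY RRset
MAX_ZONE_TTL = timedelta(days=1)    # assumed largest TTL of any signed RRset

def zsk_times(activate, period=timedelta(days=30),
              prepublish=timedelta(days=7), retire=timedelta(days=7)):
    """Return (publish, activate, inactive, delete) for one ZSK generation.
    The key is published `prepublish` before it signs, signs for `period`,
    and stays in the zone `retire` after it stops signing."""
    return (activate - prepublish, activate,
            activate + period, activate + period + retire)

def keygen_command(zone, activate, keydir="/var/named/keys", **timing):
    """Build the dnssec-keygen invocation one monthly cron run would execute."""
    p, a, i, d = (t.strftime("%Y%m%d%H%M%S") for t in zsk_times(activate, **timing))
    return (f"dnssec-keygen -K {keydir} -a RSASHA256 -b 1024 "
            f"-P {p} -A {a} -I {i} -D {d} {zone}")

def rollover_gaps(old, new, dnskey_ttl=DNSKEY_TTL, max_ttl=MAX_ZONE_TTL):
    """Return the problems with rolling from `old` to `new` (empty list = safe).
    `old` and `new` are (publish, activate, inactive, delete) tuples."""
    problems = []
    if new[0] + dnskey_ttl > new[1]:
        problems.append("successor signs before every resolver can have its DNSKEY")
    if old[2] < new[1]:
        problems.append("predecessor stops signing before the successor starts")
    if old[3] < old[2] + max_ttl:
        problems.append("predecessor deleted while its RRSIGs may still be cached")
    return problems

if __name__ == "__main__":
    first = datetime(2015, 9, 1)
    for n in range(3):  # what three consecutive monthly cron runs would emit
        print(keygen_command("example.com", first + timedelta(days=30 * n)))
```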


More information about the bind-users mailing list