[Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year
Rick van Rein
rick at openfortress.nl
Tue Jan 17 12:50:31 UTC 2012
Good text. Especially good that you made a "grep" with a test that
is known to work for this problem.
> Remove the affected signatures:
> If there are signatures in the zone with extra long validity periods,
> then it is recommended to drop all of the signatures and re-sign the
> zone. This can be done with the following commands:
> > ods-signer clear <zone>
> > ods-signer sign <zone>
This temporarily breaks the domain's validity, right? This
should be avoided if possible -- which I think it is.
There is no immediate need to flush signatures --the signatures
are valid, but they shouldn't last so long-- and the following step
of key rollover stops future problems from happening. I would
not want to remove these signatures in a way that breaks validation,
and would hope to see support of that in an email of this kind.
> Mitigate replay attacks:
> If you are changing your zone data, then there is a chance for an
> attacker to replay old data since the signature is still valid. You
> need to assess the risk and possible cost of such an attack. If you
> need to mitigate such an attack, then you need to roll your keys:
> > ods-ksmutil key rollover --zone <zone>
You also mentioned potential future domain invalidity, is that
also a reason to be choosing to do this?
I suppose it comes down to a choice, right? clear+resign or do a
KSK rollover (including parent actions).
> The issue has been fixed in ldns 1.6.12. Upgrade to this version in
> order to not get affected the next time.
"next time" meaning "you should upgrade to the new LDNS before the
end of the current year" right?
I hope these are useful remarks.
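As an added example (not from this thread, nor OpenDNSSEC's or ldns's own code), a small check for the "extra long validity periods" the quoted advisory tells operators to look for: it reads RRSIGs in zone-file presentation format and flags any whose expiration minus inception exceeds a caller-supplied maximum. It assumes each RRSIG line carries owner, TTL and class, and that the expected validity is known (OpenDNSSEC's kasp.xml signature validity is the usual reference value).

```python
"""Flag RRSIGs whose validity period is longer than expected.

Assumptions (not from the thread): RRSIG records are in presentation
format with owner, TTL and class present, and the caller supplies the
maximum validity the signer was configured for.
"""
from datetime import datetime, timedelta, timezone


def parse_rrsig_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS or seconds since the epoch (RFC 4034)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def overlong_rrsigs(zone_text: str, max_validity: timedelta):
    """Return (owner, type covered, validity) for each RRSIG longer than max_validity."""
    hits = []
    for line in zone_text.splitlines():
        fields = line.split()
        # owner TTL class RRSIG type alg labels origttl expiration inception keytag signer sig
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        expiration = parse_rrsig_time(fields[8])
        inception = parse_rrsig_time(fields[9])
        validity = expiration - inception
        if validity > max_validity:
            hits.append((fields[0], fields[4], validity))
    return hits


# Constructed sample: one normal 14-day signature and one spanning a whole year.
SAMPLE_ZONE = """\
example.net. 3600 IN RRSIG SOA 8 2 3600 20120115000000 20120101000000 12345 example.net. AAAA
www.example.net. 3600 IN RRSIG A 8 3 3600 20130101000000 20120101000000 12345 example.net. BBBB
"""

if __name__ == "__main__":
    for owner, rtype, validity in overlong_rrsigs(SAMPLE_ZONE, timedelta(days=14)):
        print(f"{owner} {rtype}: valid for {validity.days} days")
```

Run it against a dumped copy of the signed zone to see which records a "clear + sign" or a rollover would actually affect before deciding between the two.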