Moin!
On Aug 13, 2008, at 20:06, Ted Lemon wrote:
> On Aug 13, 2008, at 10:21 AM, Ralf Weber wrote:
> > Hmm, assuming that we both did use the same name server software my
> > experiences are different. Compared to regular DNS, setting up and more
> > importantly maintaining DNSSEC is much more work than normal DNS stuff
> > (zone resigning, key rollover).
> You're probably doing too much work. Why are you doing key rollover?
Well, you have to change keys with cryptography from time to time if you want
to be safe. RFC2541 says once a year, RFC4641 doesn't give any advice,
but e.g. RIPE, which refers to this, is doing a rollover every 6 months.
> Why so often? Why not just use a longer key? Are you trying for
> more security than you actually need?
I don't think so. My idea was to do a KSK rollover every 24 months
with key length >= 2048 and a ZSK rollover every three months with key
length between 1024 and 2048. But this is work compared to the thousands
of zones we have with SOA serials that are older than two years (we
have a lot of zones with SOA serial < 2000 ;-). In the DNS world I
never have to touch them again; in the DNSSEC world I do have to touch the
zones regularly.
> Are you that careful with your SSL certs?
Yup, they get renewed every two years.
> And why aren't you signing your zone with a cron job?
Well, that's just zone signing, and still it is a pain, especially if you
have a server that also does dynamic updates, as you have to extract
the raw zone data and put it back in signed. It is doable, but IMHO it
is more a hack than a real solution.
As said before, the tools out there do not have the automation required
to make it easy for an operator to deploy DNSSEC widely. But I do have
faith in you and the other people who are building tools and software
that they will get better.
So long
-Ralf
---
Ralf Weber
Platform Infrastructure Manager
Colt Telecom GmbH
Herriotstrasse 4
60528 Frankfurt
Germany
DDI: +49 (0)69 56606 2780 Internal OneDial: 8 491 2780
Fax: +49 (0)69 56606 6280
Email: [EMAIL PROTECTED]
http://www.colt.net/
Data | Voice | Managed Services
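As an added illustration of the resigning and rollover bookkeeping described in the message above (example code, not from the thread or from any named DNS software): a small Python check that reads the RRSIG records of a signed zone, reports signatures that are expired or expire within a week, and flags keys older than the ZSK/KSK intervals Ralf mentions. The zone text, key tags and key activation dates are constructed sample data.

```python
"""Added example (not from the thread): flag RRSIGs about to expire and keys past rollover age."""
from datetime import datetime, timedelta, timezone
import re

# Constructed sample of a signed zone; signature data shortened to dummies.
# RRSIG fields: type alg labels ttl expiration inception keytag signer sig
SAMPLE_ZONE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2008081301 7200 900 1209600 3600
example.org. 3600 IN RRSIG SOA 5 2 3600 20080901120000 20080802120000 12345 example.org. abc==
example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20080820000000 20080721000000 54321 example.org. def==
www.example.org. 3600 IN A 192.0.2.1
www.example.org. 3600 IN RRSIG A 5 3 3600 20080815000000 20080716000000 12345 example.org. ghi==
"""
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<type>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+"
)
# Rollover intervals as planned in the message above: ZSK every three
# months, KSK every 24 months (approximated in days).
ZSK_MAX_AGE = timedelta(days=90)
KSK_MAX_AGE = timedelta(days=730)

def parse_ts(ts):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

NOW = parse_ts("20080813000000")  # constructed "current time" for the demo

def expiring_rrsigs(zone_text, now=NOW, within_days=7):
    """Return (owner, type, keytag) for each RRSIG already expired or expiring
    within `within_days`.  Validating resolvers treat data whose signature has
    expired as bogus, so a resigning cron job must catch these in time."""
    deadline = now + timedelta(days=within_days)
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m and parse_ts(m["exp"]) <= deadline:
            found.append((m["owner"], m["type"], int(m["tag"])))
    return found

def rollover_due(activated_ts, max_age, now=NOW):
    """True when a key activated at `activated_ts` has reached `max_age`."""
    return now - parse_ts(activated_ts) >= max_age

if __name__ == "__main__":
    for owner, rtype, tag in expiring_rrsigs(SAMPLE_ZONE):
        print(f"resign needed: {owner} {rtype} (key tag {tag})")
    print("KSK rollover due:", rollover_due("20060801000000", KSK_MAX_AGE))
```

The same check run against the output of a real signing tool is what turns the cron job from a blind resign into one that can alert before validators start returning SERVFAIL.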
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop