Niobos <nio...@dest-unreach.be> wrote:
>
> However, I don't see any security benefits in this scenario: If the attacker
> gets hold of the credentials to update the zone dynamically, he can do so in
> both cases (KSK online or offline). If your server is compromised, he can
> add/remove records in both cases. In case of ZSK compromise, you can
> generate & sign new ZSKs in both cases. In case of KSK compromise, you generate
> new KSKs and upload them to the parent. The only difference is that in the
> offline case, KSK compromise is a little less likely.
Getting the DS in the parent updated is much more difficult than a crash ZSK
rollover. The reason for protecting the KSK more than the ZSK is to avoid the
pain of having to deal with someone else in case of compromise.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Shannon, Rockall: South or southwest 5 to 7. Rough or very rough, occasionally
high for a time. Rain or showers. Moderate or good.
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
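The costly step Tony refers to is the one that crosses an administrative boundary: the parent's DS RRset must match whatever KSK the child publishes, and only the parent can change it. The check a practitioner wants before and after a KSK rollover is therefore "does the DS set at the parent cover the KSK in my zone, and is anything at the parent stale?" The Python below is an added example written for this thread; it is not code from BIND, ISC or either poster. It implements the RFC 4034 Appendix B key tag and the RFC 4034 / RFC 4509 DS digest (H(canonical owner name | DNSKEY RDATA)) and compares a parent DS RRset with a child DNSKEY RRset. The zone name example.net, the key bytes (bytes(range(...)), not real ECDSA points) and the record lines are constructed placeholders; algorithm 13 is used only because its keys are a fixed 64 bytes.

```python
"""Check that the DS RRset at a parent matches the KSKs a child zone publishes.

Added illustration for the bind-users thread above; not BIND/ISC code.
All key material is constructed placeholder bytes, not real keys.
"""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass

# DS digest types (IANA registry). SHA-1 (1) is kept only to verify legacy DS records.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    @property
    def is_ksk(self) -> bool:
        # Flag bit 0 is SEP; a KSK is normally flags=257 (zone key + SEP), a ZSK 256.
        return bool(self.flags & 1)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex


def wire_name(owner: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 s6.2): lowercase labels, root label."""
    name = owner.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(k: DNSKEY) -> bytes:
    return k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(k: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 s5.1.4: digest = H(canonical owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(k)
    digest = DIGEST_ALGOS[digest_type](wire_name(k.owner) + rdata).hexdigest()
    return DS(key_tag(rdata), k.algorithm, digest_type, digest)


def parse_dnskey(line: str) -> DNSKEY:
    """Parse dig's presentation format: owner TTL IN DNSKEY flags proto alg base64..."""
    f = line.split()
    i = f.index("DNSKEY")
    return DNSKEY(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
                  base64.b64decode("".join(f[i + 4:])))


def parse_ds(line: str) -> DS:
    """Parse: owner TTL IN DS keytag alg digesttype hex... (hex may be space-split)."""
    f = line.split()
    i = f.index("DS")
    return DS(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower())


def check_delegation(parent_ds: list[DS], child_keys: list[DNSKEY]) -> dict[str, list[int]]:
    """covered: KSKs with a matching DS; uncovered: KSKs the parent does not yet
    know about; stale: DS records matching no published key (old KSK withdrawn).
    ZSKs are ignored: they never appear at the parent, which is exactly why a
    ZSK rollover stays inside the child zone."""
    matched: set[DS] = set()
    covered, uncovered = [], []
    for k in (k for k in child_keys if k.is_ksk):
        hits = [ds for ds in parent_ds
                if ds.digest_type in DIGEST_ALGOS and ds_from_dnskey(k, ds.digest_type) == ds]
        matched.update(hits)
        (covered if hits else uncovered).append(key_tag(dnskey_rdata(k)))
    stale = [ds.key_tag for ds in parent_ds if ds not in matched]
    return {"covered": covered, "uncovered": uncovered, "stale": stale}


def _dnskey_line(owner: str, flags: int, key: bytes) -> str:
    # Constructed sample record in dig's output format; 13 = ECDSAP256SHA256.
    return f"{owner} 3600 IN DNSKEY {flags} 3 13 {base64.b64encode(key).decode()}"


def _ds_line(ds: DS) -> str:
    return f"example.net. 86400 IN DS {ds.key_tag} {ds.algorithm} {ds.digest_type} {ds.digest.upper()}"


# Constructed placeholder keys (not real EC points): current KSK, current ZSK, withdrawn KSK.
CURRENT_KSK = parse_dnskey(_dnskey_line("example.net.", 257, bytes(range(64))))
CURRENT_ZSK = parse_dnskey(_dnskey_line("example.net.", 256, bytes(range(64, 128))))
OLD_KSK = parse_dnskey(_dnskey_line("example.net.", 257, bytes(range(128, 192))))
CHILD_DNSKEYS = [CURRENT_KSK, CURRENT_ZSK]
# Parent still carries the old KSK's DS next to the current one: a half-finished rollover.
PARENT_DS = [parse_ds(_ds_line(ds_from_dnskey(OLD_KSK))),
             parse_ds(_ds_line(ds_from_dnskey(CURRENT_KSK)))]


def report() -> dict[str, list[int]]:
    return check_delegation(PARENT_DS, CHILD_DNSKEYS)


if __name__ == "__main__":
    print(report())
```

Against live data you would feed `parse_dnskey` the lines from `dig +noall +answer example.net DNSKEY` (asked of the child's authoritative server) and `parse_ds` the lines from `dig +noall +answer example.net DS` (asked of the parent's). A non-empty `uncovered` list after you have published a new KSK is the state Tony describes: the child zone is done, and nothing further happens until the parent acts.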