I've just noticed that BIND is vulnerable to:
http://www.openssl.org/news/secadv_20060905.txt
Executive summary:
RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
default. Note that the issue is in the resolver, not the server.
Fix:
Upgrade OpenSSL.
Issue:
Since I've been
Ben Laurie wrote:
I've just noticed that BIND is vulnerable to:
http://www.openssl.org/news/secadv_20060905.txt
Executive summary:
RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
default. Note that the issue is in the resolver, not the server.
See a more
Roy Arends wrote:
fyi
I noticed that SE uses e=65537 for their KSK and e=3 for their ZSKs.
This means that the keyroll (all zsk's need to be e3) should go
smoothly and no emergency trust anchor rollover is needed.
This is not the case for RIPE (194.in-addr.arpa). RIPE uses e=3 for
fyi
I noticed that SE uses e=65537 for their KSK and e=3 for their ZSKs.
This means that the keyroll (all zsk's need to be e3) should go
smoothly and no emergency trust anchor rollover is needed.
This is not the case for RIPE (194.in-addr.arpa). RIPE uses e=3 for
both ZSK and KSK. Hence an
[EMAIL PROTECTED] (Roy Arends) writes:
This is not the case for RIPE (194.in-addr.arpa). RIPE uses e=3 for
both ZSK and KSK. Hence an emergency trust anchor roll is needed.
i'd argue that if 194.in-addr.arpa is not registered a DLV registry and
if in-addr.arpa is not itself signed, then the
On Sep 8, 2006, at 7:32 PM, Paul Vixie wrote:
[EMAIL PROTECTED] (Roy Arends) writes:
This is not the case for RIPE (194.in-addr.arpa). RIPE uses e=3 for
both ZSK and KSK. Hence an emergency trust anchor roll is needed.
i'd argue that if 194.in-addr.arpa is not registered a DLV registry
and
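Added example, not part of any message in this thread and not BIND or OpenSSL code: a small Python audit that reads the RSA public exponent out of a DNSKEY record (RFC 3110 key layout) and flags e=3, reporting whether the key is a ZSK or a KSK since the thread treats the two differently. The sample records are constructed with a filler modulus, and the function and zone names are illustrative.

```python
import base64

# DNSSEC algorithm numbers whose public key uses the RFC 3110 RSA layout
RSA_ALGS = {1, 5, 7, 8, 10}

def rsa_exponent(pubkey: bytes) -> int:
    """Return e from an RFC 3110 blob: exponent length, exponent, modulus."""
    if not pubkey:
        raise ValueError("empty key")
    elen, off = pubkey[0], 1
    if elen == 0:  # long form: a zero byte, then a 2-byte big-endian length
        if len(pubkey) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(pubkey[1:3], "big"), 3
    if elen == 0 or len(pubkey) <= off + elen:  # exponent plus some modulus
        raise ValueError("truncated key")
    return int.from_bytes(pubkey[off:off + elen], "big")

def audit_dnskey(rdata: str) -> dict:
    """Audit DNSKEY RDATA in presentation form: 'flags proto alg base64...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: flags protocol algorithm key")
    flags, alg = int(fields[0]), int(fields[2])
    role = "KSK" if flags & 0x0001 else "ZSK"  # SEP bit marks a key-signing key
    if alg not in RSA_ALGS:
        return {"role": role, "alg": alg, "e": None, "low_exponent": False}
    key = base64.b64decode("".join(fields[3:]), validate=True)
    e = rsa_exponent(key)
    return {"role": role, "alg": alg, "e": e, "low_exponent": e == 3}

def make_sample(flags: int, e: int) -> str:
    """Constructed record: filler modulus bytes, not a usable or real key."""
    ebytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    blob = bytes([len(ebytes)]) + ebytes + b"\xc5" * 128
    return f"{flags} 3 5 {base64.b64encode(blob).decode()}"

# Constructed samples mirroring the two key setups described in the thread
SAMPLES = {
    "zone-a ZSK": make_sample(256, 3),
    "zone-a KSK": make_sample(257, 65537),
    "zone-b KSK": make_sample(257, 3),
}

if __name__ == "__main__":
    for name, rdata in SAMPLES.items():
        r = audit_dnskey(rdata)
        print(f"{name}: {r['role']} alg={r['alg']} e={r['e']} flag={r['low_exponent']}")
```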