In message <[email protected]>, Stephane Bortzmeyer writes:
> On Wed, Jul 29, 2009 at 04:25:18PM +0000,
> Evan Hunt <[email protected]> wrote
> a message of 16 lines which said:
>
> > Due to a combination of circumstances, including extreme rush and
> > the usual signer of our releases being away at IETF, we accidentally
> > signed yesterday's BIND 9 patch releases (9.4.3-P3, 9.5.1-P3, and
> > 9.6.1-P1) with the expired 2006 ISC signing key
>
> How many people checked them? Probably not a lot since I did not see
> reports "BIND releases corrupted!". It tells a lot about Internet
> security. And makes me seriously worry for the future when DNSSEC will
> be deployed...
It also depended upon whether you had refreshed the keys
on your keyring recently or not as to whether it is reported
as expired or not.
Most users do indirect verification by having just a hash
which the maintainer for the package creates. The end user
assumes the maintainer checks the validity before creating
the hash.
Mark
> _______________________________________________
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]