On 07.08.2015 at 02:35, Dave Warren wrote:
> On 2015-08-06 17:26, Heiko Richter wrote:
>> Root is signed with RSASHA256 at the moment. There is no sense in
>> having a more secure algorithm because anybody who can't crack that
>> algorithm may just attack the weakest link in the chain above you.
>
> This only holds while assuming similar key rotation schemes, I believe?
> If the roots are signed with RSASHA256 and rotate every 3 months, while
> you sign, set it and forget it, you're vulnerable to anyone that can
> crack RSASHA256 over any period of time.
>
> Probably a theoretical difference, if it becomes feasible for someone to
> crack RSASHA256 in any reasonable level of time, it would be equally
> feasible to invest in 2x-8x the hardware and start breaking roots in
> under 3 months.
That's why you should employ automated rollover. For example, my ZSKs are changed automatically every month. As the system does this automatically, I cannot forget to do it. It's also not hard to implement that: just run a monthly cron job of dnssec-keygen that dumps new keys into the key directory of every domain and make proper use of the -P, -A, -I and -D switches. Sadly, automated KSK rollover isn't supported by most registrars, but my master server sends me an email reminder whenever a KSK keyfile gets too old because I forgot the rollover...
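The monthly dnssec-keygen cron job and the stale-KSK reminder described above, as an added example (not Heiko's own script). It assumes one key directory per zone under an assumed KEYROOT, `auto-dnssec maintain;` in named.conf so named acts on the -P/-A/-I/-D metadata, and an assumed 7-day pre-publish / 30-day active / 7-day post-publish schedule.

```shell
#!/bin/sh
# Added example: monthly ZSK pre-publish rollover for BIND, meant to be run
# from cron, plus the "KSK file too old" reminder check. Assumptions (not
# from the post): one key directory per zone under KEYROOT, and
# "auto-dnssec maintain;" in named.conf so named acts on -P/-A/-I/-D.
set -eu

KEYROOT="${KEYROOT:-/var/cache/bind/keys}"   # assumed layout: $KEYROOT/<zone>/
ZONES="${ZONES:-example.com example.net}"    # constructed sample zone list
ALGO="${ALGO:-RSASHA256}"                    # same algorithm the thread discusses
BITS="${BITS:-2048}"                         # assumed ZSK size
PREPUB=7      # days the new key is published before it signs (assumed)
LIFETIME=30   # days the key signs the zone (monthly, as in the post)
POSTPUB=7     # days the retired key stays published so cached RRSIGs expire

# Timing metadata for dnssec-keygen: "+Nd" is its own relative-date syntax.
# Publish now, activate after PREPUB, go inactive LIFETIME days later and
# delete POSTPUB days after that. Overlap between successive monthly keys
# is what makes the rollover seamless for validators.
zsk_timing_args() {
    echo "-P +0 -A +${PREPUB}d -I +$((PREPUB + LIFETIME))d" \
         "-D +$((PREPUB + LIFETIME + POSTPUB))d"
}

# List KSK key files in $1 not modified for more than $2 days. KSK DNSKEY
# records carry flags 257 in the .key file (ZSKs carry 256).
stale_ksks() {
    keydir="$1"; maxage="$2"
    find "$keydir" -name 'K*.key' -mtime "+$maxage" 2>/dev/null |
        while read -r f; do
            if grep -q ' 257 ' "$f"; then echo "$f"; fi
        done
}

rollover_all() {
    for zone in $ZONES; do
        keydir="$KEYROOT/$zone"
        mkdir -p "$keydir"
        dnssec-keygen -K "$keydir" -a "$ALGO" -b "$BITS" -n ZONE \
            $(zsk_timing_args) "$zone"
        rndc loadkeys "$zone"   # have named read the new key and its timers
    done
    # Reminder the post describes: KSK files untouched for a year need attention.
    stale=$(stale_ksks "$KEYROOT" 365)
    [ -z "$stale" ] || printf 'KSK rollover overdue:\n%s\n' "$stale" >&2
}

# Only roll when invoked as the cron job ("zsk-roll.sh run"), not when sourced.
if [ "${1:-}" = "run" ]; then rollover_all; fi
```

Wire it into cron as `0 3 1 * * /usr/local/sbin/zsk-roll.sh run` (path assumed) and route the stderr output to the address that should receive the KSK reminder.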