Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: fyi-- [dns-operations] early key rollover for

  • From: Gregory Hicks
  • Date: Fri Sep 22 20:07:16 2006

> Date: Fri, 22 Sep 2006 19:55:39 -0400
> From: Joseph S D Yao <>
> To: Fergie <>
> Cc:
> Subject: Re: fyi-- [dns-operations] early key rollover for
> On Fri, Sep 22, 2006 at 11:39:51PM +0000, Fergie wrote:
> > Hmmm. It wouldn't have anything to do with prime numbers, now would
> > it? :-)
> Well, yes, but there are an infinite number of them.
> Of course, 17 is the most prime of them all.

announced the early key rollover just as a discussion about
"exponent 3 damage spreads" on the cryptography list was heating up.

This discussion started with a statement that:

> I've just noticed that BIND is vulnerable to:
> Executive summary:
> RRSIGs can be forged if your RSA key has exponent 3, which is BIND's
> default. Note that the issue is in the resolver, not the server.
> Fix:
> Upgrade OpenSSL.

So I thought that the early key rollover was due to this.  Yet it seems
to me that this discussion is still recommending that "-e 3" be used.

Gregory Hicks
I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
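
An added example, not part of the original post: a check an operator could run to see whether a zone's RSA DNSKEY uses public exponent 3, the case the quoted summary describes. It decodes the RFC 3110 public key field of a DNSKEY in presentation form; the function names are hypothetical and the sample modulus is constructed filler, not a real key.

```python
import base64

# DNSSEC algorithm numbers that carry an RSA key in RFC 3110 format.
RSA_ALGS = {1: "RSAMD5", 5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1",
            8: "RSASHA256", 10: "RSASHA512"}

def parse_rsa_key(key):
    """Split an RFC 3110 public key into (exponent, modulus bit length)."""
    if len(key) < 3:
        raise ValueError("RSA key too short")
    exp_len, offset = key[0], 1
    if exp_len == 0:  # long form: the next two bytes hold the exponent length
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    exponent, modulus = key[offset:offset + exp_len], key[offset + exp_len:]
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated RSA key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big").bit_length()

def audit_dnskey(rdata):
    """Audit DNSKEY RDATA in presentation form: 'flags protocol alg base64'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: flags protocol algorithm key")
    alg = int(fields[2])
    result = {"algorithm": alg, "exponent": None, "modulus_bits": None,
              "exponent_3": False}
    if alg in RSA_ALGS:
        e, bits = parse_rsa_key(base64.b64decode("".join(fields[3:])))
        result.update(exponent=e, modulus_bits=bits, exponent_3=(e == 3))
    return result

def make_rdata(exponent, modulus, alg=5, flags=256):
    """Build sample RDATA for the demo (short-form exponent length only)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    key = bytes([len(e)]) + e + modulus
    return f"{flags} 3 {alg} {base64.b64encode(key).decode()}"

# Constructed 1024-bit modulus: filler bytes, not a real key.
SAMPLE_MODULUS = b"\xc3" + bytes(range(1, 128))
SAMPLE_E3 = make_rdata(3, SAMPLE_MODULUS)
SAMPLE_F4 = make_rdata(65537, SAMPLE_MODULUS)

if __name__ == "__main__":
    for name, rdata in (("e=3", SAMPLE_E3), ("e=65537", SAMPLE_F4)):
        print(name, audit_dnskey(rdata))
```

A key flagged here is only exposed when the validating side runs the affected verification code, which is why the quoted fix is an OpenSSL upgrade on the resolver.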
