[dns-operations] Vulnerable DNSSEC keys

Lutz Donnerhacke lutz at iks-jena.de
Thu May 15 10:42:32 UTC 2008


Hello,

you definitely already know that Debian had a bug in the random number
generator causing generated keys to be predictable. The advisory was:
  http://lists.debian.org/debian-security-announce/2008/msg00152.html

You are also aware that DNSSEC keys are covered by this bug.

I took my DNSSEC survey to check DNSKEY records for vulnerable ones and did
find 65 affected zones. The server administrators have been notified and
encouraged to issue an emergency key rollover.

Please note that the Debian-provided test tool does not work with DNSKEYs
yet. So you can't check for possibly vulnerable keys using the standard
tools. Even my checking procedure does not find all vulnerable keys, but only
a subset of them.

That's why: if you generated DNSKEYs on an affected Debian or derivative
system, please start with a key rollover now. The private keys can be
obtained easily!

If you have questions, please feel free to ask me.

Lutz Donnerhacke
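The kind of check the message describes, as an added example that is neither the poster's survey code nor the Debian test tool: pull each DNSKEY apart (flags, protocol, algorithm, RFC 3110 exponent/modulus), compute the RFC 4034 key tag for reporting, fingerprint the RSA modulus and look it up in a blocklist of moduli the broken generator can emit. The fingerprint scheme (SHA-1 over the uppercase hex modulus), the blocklist contents and the sample records are assumptions constructed for illustration; a real check must use the fingerprint format of the blocklist actually in hand, and the moduli below are filler bytes, not RSA keys.

```python
import base64
import hashlib
import struct

# DNSSEC algorithm numbers whose public key field uses the RFC 3110 RSA layout
# (exponent length, exponent, modulus). 1, 5 and 7 existed in 2008; 8 and 10
# came later (RFC 5702) and use the same layout.
RSA_ALGORITHMS = {1, 5, 7, 8, 10}


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (the RFC's special
    case for algorithm 1 is not handled here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_pubkey_field(exponent, modulus):
    """Encode exponent and modulus in the RFC 3110 public key layout."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    head = bytes([len(e)]) if len(e) < 256 else b"\x00" + struct.pack("!H", len(e))
    return head + e + modulus


def rsa_parts(field):
    """Split an RFC 3110 public key field into (exponent, modulus bytes)."""
    if len(field) < 2:
        raise ValueError("public key field too short")
    if field[0] != 0:
        explen, off = field[0], 1
    else:
        if len(field) < 3:
            raise ValueError("public key field too short")
        explen, off = struct.unpack("!H", field[1:3])[0], 3
    if len(field) < off + explen + 1:
        raise ValueError("public key field truncated")
    return int.from_bytes(field[off:off + explen], "big"), field[off + explen:]


def modulus_fingerprint(modulus):
    """Assumed blocklist fingerprint: SHA-1 of the modulus as uppercase hex."""
    return hashlib.sha1(modulus.hex().upper().encode("ascii")).hexdigest()


def parse_dnskey(presentation):
    """'flags protocol algorithm base64...' -> (flags, protocol, alg, rdata)."""
    parts = presentation.split()
    flags, protocol, alg = int(parts[0]), int(parts[1]), int(parts[2])
    pubkey = base64.b64decode("".join(parts[3:]))
    return flags, protocol, alg, struct.pack("!HBB", flags, protocol, alg) + pubkey


def check_dnskey(owner, presentation, blocklist):
    """Return (owner, key_tag, status); status is weak | ok | not-rsa | malformed.
    not-rsa covers DSA keys, which this modulus lookup cannot judge."""
    flags, protocol, alg, rdata = parse_dnskey(presentation)
    tag = key_tag(rdata)
    if alg not in RSA_ALGORITHMS:
        return owner, tag, "not-rsa"
    try:
        _, modulus = rsa_parts(rdata[4:])
    except ValueError:
        return owner, tag, "malformed"
    return owner, tag, "weak" if modulus_fingerprint(modulus) in blocklist else "ok"


def _fake_modulus(label, nbytes=128):
    """Constructed filler standing in for a 1024-bit modulus (not a real key)."""
    m = bytearray((hashlib.sha256(label).digest() * 4)[:nbytes])
    m[0] |= 0x80
    m[-1] |= 0x01
    return bytes(m)


WEAK_MODULUS = _fake_modulus(b"predictable")
GOOD_MODULUS = _fake_modulus(b"properly seeded")

# Constructed blocklist; a real one holds the fingerprint of every modulus the
# broken generator could produce for the key sizes in use.
BLOCKLIST = {modulus_fingerprint(WEAK_MODULUS)}


def dnskey_record(flags, alg, modulus, exponent=65537):
    field = rsa_pubkey_field(exponent, modulus)
    return "%d 3 %d %s" % (flags, alg, base64.b64encode(field).decode("ascii"))


# Constructed sample zone data: a KSK from the bad generator, a sound ZSK,
# and a DSA key (algorithm 3) the modulus check does not cover.
SAMPLE_ZONE = [
    ("example.net.", dnskey_record(257, 5, WEAK_MODULUS)),
    ("example.net.", dnskey_record(256, 5, GOOD_MODULUS)),
    ("example.org.", "257 3 3 AAAA"),
]


def survey(zone, blocklist=BLOCKLIST):
    return [check_dnskey(owner, rec, blocklist) for owner, rec in zone]


if __name__ == "__main__":
    for owner, tag, status in survey(SAMPLE_ZONE):
        print("%-14s keytag %5d %s" % (owner, tag, status))
```

A match means the private key is derivable from public data alone, so a "weak" hit is a signal to roll the key immediately rather than to investigate; an "ok" result only says the modulus is not in the blocklist you hold, which, as the message notes, need not be complete.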
