[dns-operations] Vulnerable DNSSEC keys
lutz at iks-jena.de
Thu May 15 10:42:32 UTC 2008
You definitely already know that Debian had a bug in the random number
generator causing generated keys to be predictable. The advisory was:
You are also aware that DNSSEC keys are covered by this bug.
I took my DNSSEC survey to check DNSKEY records for vulnerable ones and did
find 65 affected zones. The server administrators are notified and
encouraged to issue an emergency key rollover.
Please note that the Debian-provided test tool does not work with DNSKEYs
yet. So you can't check for possibly vulnerable keys using the standard
tools. Even my checking procedure does not find all vulnerable keys but only
a subset of them.
That's why: If you generated DNSKEYs on an affected Debian or derivative
system, please start with a key rollover now. The private keys can be
If you have questions, please feel free to ask me.
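
The following is an added example, not part of the original post and not the author's checking procedure: one way to check an RSA DNSKEY against a list of known-weak keys is to extract the modulus from the RFC 3110 public key field and look up its digest. The digest format (SHA-256 over the modulus bytes), the blocklist and the sample key are assumptions constructed for this example.

```python
import base64
import hashlib

# DNSSEC algorithm numbers whose public key uses the RFC 3110 RSA layout.
RSA_ALGORITHMS = {1, 5, 7, 8, 10}

def parse_dnskey(rdata):
    """Split 'flags protocol algorithm base64...' into numbers and key bytes."""
    flags, protocol, algorithm, *b64 = rdata.split()
    return int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))

def rsa_parts(key):
    """Return (exponent, modulus) from an RFC 3110 RSA public key field."""
    if len(key) < 3:
        raise ValueError("public key field too short")
    exp_len, offset = key[0], 1
    if exp_len == 0:  # long form: the next two bytes carry the exponent length
        exp_len, offset = int.from_bytes(key[1:3], "big"), 3
    exponent, modulus = key[offset:offset + exp_len], key[offset + exp_len:]
    if exp_len == 0 or len(exponent) != exp_len or not modulus:
        raise ValueError("truncated RSA public key")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")

def modulus_digest(modulus):
    """SHA-256 over the minimal big-endian modulus (format assumed by this example)."""
    return hashlib.sha256(modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")).hexdigest()

def check_dnskey(rdata, weak_digests):
    """'listed', 'not-listed' or 'not-rsa'; 'not-listed' does not prove the key is sound."""
    _, _, algorithm, key = parse_dnskey(rdata)
    if algorithm not in RSA_ALGORITHMS:
        return "not-rsa"  # this example only understands RSA keys
    return "listed" if modulus_digest(rsa_parts(key)[1]) in weak_digests else "not-listed"

# Constructed sample, not a real key: exponent 65537 and a made-up 64-byte "modulus".
SAMPLE_MODULUS = bytes(range(1, 65))
SAMPLE_RDATA = "256 3 5 " + base64.b64encode(b"\x03\x01\x00\x01" + SAMPLE_MODULUS).decode()
# Constructed blocklist holding only the sample's digest.
WEAK_DIGESTS = {modulus_digest(int.from_bytes(SAMPLE_MODULUS, "big"))}

if __name__ == "__main__":
    print(check_dnskey(SAMPLE_RDATA, WEAK_DIGESTS))
```

A lookup like this only finds keys that are on the list, so a "not-listed" result is no reason to skip the rollover for keys generated on an affected system.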