[dns-operations] Vulnerable DNSSEC keys
Lutz Donnerhacke
lutz at iks-jena.de
Thu May 15 10:42:32 UTC 2008
Hello,
you definitely already know that Debian had a bug in the random number
generator causing generated keys to be predictable. The advisory was:
http://lists.debian.org/debian-security-announce/2008/msg00152.html
You are also aware that DNSSEC keys are covered by this bug.
I took my DNSSEC survey to check DNSKEY records for vulnerable ones and did
find 65 affected zones. The server administrators are notified and
encouraged to issue an emergency key rollover.
Please note that the Debian-provided test tool does not work with DNSKEYs
yet. So you can't check for possibly vulnerable keys using the standard
tools. Even my checking procedure does not find all vulnerable keys but only
a subset of them.
That's why: if you generated DNSKEYs on an affected Debian or derivative
system, please start with a key rollover now. The private keys can be
obtained easily!
If you have questions, please feel free to ask me.
Lutz Donnerhacke