[lacnog] Fwd: [dns-wg] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

Roque Gagliano roque at lacnic.net
Tue Feb 9 17:08:11 BRST 2010


Hello friends,

This is a message for those who run Fedora + BIND on their recursive servers and have DNSSEC validation turned on. It turns out that BIND ships with a package called "dnssec-conf" that installs trust anchors that are out of date. This has affected zones for which LACNIC's and other RIRs' servers are authoritative. Below I am forwarding the report written by RIPE's staff; if you are in the situation it describes, it would be good to review your configurations. We have contacted some ISPs that we detected on our servers as being affected.

Best regards,
Roque Gagliano


Dear Friends,

This message is for those people that use recursive servers based on Fedora + BIND and have DNSSEC validation enabled. BIND ships a package called "dnssec-conf" that includes outdated trust anchors. This problem has affected zones where LACNIC's and other RIRs' servers are authoritative. I am attaching the report from RIPE's staff. We have already contacted ISPs that we have detected as affected by analyzing requests to our servers.


Best Regards,
Roque Gagliano


Begin forwarded message:

> From: Anand Buddhdev <anandb at ripe.net>
> Date: February 5, 2010 2:23:51 PM GMT+01:00
> To: dns-wg at ripe.net
> Subject: [dns-wg] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
> 
> [Apologies for duplicates]
> 
> Dear Colleagues,
> 
> We have discovered that recent versions of the Fedora Linux distribution
> are shipping with a package called "dnssec-conf", which contains the
> RIPE NCC's DNSSEC trust anchors. This package is installed by default as
> a dependency of BIND, and it configures BIND to do DNSSEC validation.
> 
> Unfortunately, the current version of this package (1.21) is outdated
> and contains old trust anchors.
> 
> On 16 December 2009, we had a key roll-over event, where we removed the
> old Key-Signing Keys (KSKs). From that time, BIND resolvers running on
> Fedora Linux distributions could not validate any signed responses in
> the RIPE NCC's reverse zones.
> 
> If you are running Fedora Linux with the standard BIND package, please
> edit the file "/etc/pki/dnssec-keys//named.dnssec.keys", and comment out
> all the lines in it containing the directory path "production/reverse".
> Then restart BIND.
> 
> This will stop BIND from using the outdated trust anchors. If you do
> want to use the RIPE NCC's trust anchors to validate our signed zones,
> we recommend that you fetch the latest trust anchor file from our
> website and reconfigure BIND to use it instead of the ones distributed
> in the dnssec-conf package:
> 
> https://www.ripe.net/projects/disi/keys/index.html
> 
> Please remember to check frequently for updates to our trust anchor
> file, as we introduce new Key-Signing Keys (KSKs) every 6 months.
> 
> Regards,
> 
> Anand Buddhdev,
> DNS Services Manager, RIPE NCC
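The workaround in the forwarded message (comment out every line of named.dnssec.keys that references "production/reverse", then restart BIND) is easy to get wrong by hand on a long file. The script below is an added example, not code from the RIPE NCC, Fedora or the dnssec-conf package: it applies that edit mechanically, leaves lines that are already commented out alone, keeps a backup, and reports how many active production/reverse anchors remain before and after. It assumes named.dnssec.keys is a series of BIND `include` statements, one per trust-anchor file; the zone and file names in the sample are constructed, and the sample is written to a temporary directory rather than the real /etc/pki/dnssec-keys/named.dnssec.keys, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the RIPE NCC, Fedora or dnssec-conf): disable the
# outdated RIPE NCC reverse-zone trust anchors that dnssec-conf wires into
# BIND, by commenting out every active line that refers to the
# "production/reverse" key directory.
# Assumption: named.dnssec.keys is a series of BIND `include` statements,
# one per trust-anchor file, as in the constructed sample below.
set -eu

# Print how many still-active (uncommented) lines reference production/reverse.
count_active_reverse_anchors() {
    awk '!/^[ \t]*(\/\/|#)/ && /production\/reverse/ { n++ } END { print n + 0 }' "$1"
}

# Comment out the production/reverse includes in place, keeping a one-time
# backup. Lines that are already comments (// or #) are left untouched, so
# the function is safe to run twice. Usage: disable_ripe_reverse_anchors FILE
disable_ripe_reverse_anchors() {
    keys_file="$1"
    tmp="$keys_file.tmp.$$"
    [ -e "$keys_file.bak" ] || cp -p "$keys_file" "$keys_file.bak"
    awk '
        /^[ \t]*(\/\/|#)/ { print; next }          # existing comment: keep as-is
        /production\/reverse/ {                    # outdated RIPE NCC anchor: disable
            print "// disabled (outdated RIPE NCC trust anchor): " $0; next
        }
        { print }                                  # everything else: keep as-is
    ' "$keys_file" > "$tmp"
    mv "$tmp" "$keys_file"
}

# Constructed sample standing in for /etc/pki/dnssec-keys/named.dnssec.keys.
# The zone names and file names are illustrative, not the package's real list.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/named.dnssec.keys"
cat > "$demo_file" <<'EOF'
// Trust anchors installed by dnssec-conf (constructed sample)
include "/etc/pki/dnssec-keys/production/reverse/193.in-addr.arpa.conf";
include "/etc/pki/dnssec-keys/production/reverse/195.in-addr.arpa.conf";
include "/etc/pki/dnssec-keys/production/forward/se.conf";
# include "/etc/pki/dnssec-keys/production/reverse/already-disabled.conf";
EOF

before=$(count_active_reverse_anchors "$demo_file")
disable_ripe_reverse_anchors "$demo_file"
after=$(count_active_reverse_anchors "$demo_file")
echo "active production/reverse anchors: $before -> $after"
cat "$demo_file"
```

On a real Fedora resolver, point the function at /etc/pki/dnssec-keys/named.dnssec.keys, run `named-checkconf` to confirm the configuration still parses, and then restart named. To confirm the resolver was actually affected beforehand, query a signed reverse name in RIPE NCC space through it twice: once with `dig +dnssec` and once adding `+cd` (checking disabled); a SERVFAIL that turns into an answer when `+cd` is set is a validation failure, which with a stale trust anchor is exactly the symptom described above. If you choose to keep validating the RIPE NCC zones, fetch the current anchor file from the URL in the message and expect to refresh it every six months, or let BIND 9.7's `managed-keys` (RFC 5011) track the roll-overs automatically.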
