fyi-- [dns-operations] early key rollover for

Paul Vixie vixie at
Thu Sep 21 17:01:45 UTC 2006

paul at (Paul Vixie) writes:

> ---
> In light of the recently announced OpenSSL security advisory: RSA Signature
> Forgery (CVE-2006-4339), ISC has instigated an early rollover of the DLV Key
> Signing Key (KSK). ISC recommends reconfiguration of resolvers to use the DLV
> KSK published on September 21, 2006. 
> The old KSK will be retired on September 29, 2006.
> ---
> see for details, and note that there's now a
> [email protected] mailing list where folks can subscribe to learn about changes
> to the dlv trust anchor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at

LarrySheldon at ("Laurence F. Sheldon, Jr.") writes:

> My mail reader can sanitize HTML mail for me, but it was stymied by this 
> one.  What is it?

included as above in even plainer text.  my mail user-agent is emacs/mh-e, and
as far as i know it could not generate or consume HTML mail even if i tried.

smb at ("Steven M. Bellovin") wrote:

> Paul, what exponent does the new key use?  (I clicked on the public key
> link, but I can't decode the base64 that easily...)

it was made with bind9's "dnssec-keygen" utility, using the -e option, so...

    -e use large exponent (RSAMD5/RSASHA1 only)

...hopefully it's a good exponent.  (every few years someone tries to explain
to me what a key exponent is, i think you steve have tried, but it just doesn't

ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at
Paul Vixie
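
The question in the thread, which public exponent a DNSKEY uses, can be answered by decoding the key field by hand. The following is an added example, not part of the original message and not ISC's code: it parses the RFC 3110 RSA public key layout (exponent length, exponent, modulus) and flags exponent 3, the case named in the OpenSSL advisory for CVE-2006-4339. The sample keys are constructed for illustration and are not the DLV KSK; `encode_rsa_dnskey`, `parse_rsa_dnskey` and `describe` are hypothetical helper names.

```python
import base64


def encode_rsa_dnskey(exponent, modulus):
    """Build an RFC 3110 key field (used here only to construct sample input)."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    # Exponent length: one octet, or 0x00 plus two octets when it exceeds 255.
    prefix = bytes([len(e)]) if len(e) <= 255 else b"\x00" + len(e).to_bytes(2, "big")
    return base64.b64encode(prefix + e + n).decode("ascii")


def parse_rsa_dnskey(public_key_b64):
    """Return (exponent, modulus_bits) from the base64 field of an RSA DNSKEY."""
    # Zone files wrap the base64 across lines, so drop whitespace first.
    raw = base64.b64decode("".join(public_key_b64.split()), validate=True)
    if not raw:
        raise ValueError("empty key field")
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    exp_bytes = raw[offset:offset + exp_len]
    modulus = raw[offset + exp_len:]
    if exp_len == 0 or len(exp_bytes) != exp_len or not modulus:
        raise ValueError("truncated or malformed RSA key field")
    return int.from_bytes(exp_bytes, "big"), int.from_bytes(modulus, "big").bit_length()


def describe(public_key_b64):
    """Summarise a key and flag exponent 3 (the CVE-2006-4339 advisory case)."""
    exponent, bits = parse_rsa_dnskey(public_key_b64)
    note = " (exponent 3: see CVE-2006-4339)" if exponent == 3 else ""
    return f"RSA {bits}-bit modulus, e={exponent}{note}"


# Constructed sample values: the modulus is a placeholder, not a real RSA modulus.
SAMPLE_MODULUS = (1 << 1023) | 1
SAMPLE_E3 = encode_rsa_dnskey(3, SAMPLE_MODULUS)
SAMPLE_F4 = encode_rsa_dnskey(65537, SAMPLE_MODULUS)

if __name__ == "__main__":
    for key in (SAMPLE_E3, SAMPLE_F4):
        print(describe(key))
```

To check a real key, pass the base64 portion of its DNSKEY record (everything after the flags, protocol and algorithm fields) to `describe`.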

More information about the NANOG mailing list