[4242] in North American Network Operators' Group
Re: The SWAMP
daemon@ATHENA.MIT.EDU (Bradley Dunn)
Mon Sep 9 20:16:17 1996
From: "Bradley Dunn" <bradley@dunn.org>
To: <nanog@merit.edu>, <namedroppers@internic.net>
Date: Mon, 9 Sep 1996 20:15:34 -0400
> From: Eric Ziegast <ziegast@zee.im.gte.com>
> To: nanog@merit.edu; namedroppers@internic.net
> Subject: Re: The SWAMP
> Date: Monday, September 09, 1996 7:47 PM
> In cron:
>
> # pick a random time once a week
> 31 10 * * 4 /usr/sbin/update-root
> # some other time during the week
> 23 20 * * 6 /usr/sbin/named.restart
>
> The shell script (off the top of my head):
>
> #!/bin/sh
> tmp=/tmp/rs$$
> trap "rm -f $tmp" 1 2 3 14 15
> cd /etc/namedb || exit 1
> ncftp -a -d 600 -g 5 ftp.root-servers.net:/named.root
> if [ ! -r named.root ]; then
>   Mail -s "Could not get root nameserver list" hostmaster < /dev/null
>   exit 1
> fi
> diff root.cache named.root > $tmp
> if [ -s $tmp ]; then
>   mv named.root root.cache   # install the new list
>   Mail -s "Root server update" hostmaster < $tmp
> fi
> rm -f $tmp
I don't like "automatic" updates. Sure, it is convenient, but for something
as mission-critical as name service, I would hesitate to automatically
trust whatever happens to be at ftp.root-servers.net:/named.root on any
given day. I would want to review it first. Plus, on most BSDish systems
/etc/crontab is world-readable by default. A cracker would know the exact
time to attempt to hijack the FTP session and insert:
. IN NS you.got.hacked.net.
you.got.hacked.net. IN A 10.1.2.3
-BD
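An added example, not part of the thread and not Eric's or Bradley's code: a plausibility check for a freshly downloaded hints file, run before anything is moved into place, plus a "stage it for review" step in place of the automatic mv. It catches exactly the two records above (an NS name outside root-servers.net. and an address in private space) and refuses to stage the file. Assumptions that are mine, not the thread's: the classic named.root layout with "." NS lines and one A line per server, every root server name under root-servers.net., RFC 1918 and loopback addresses treated as tampering, and hypothetical file names and minimum server count. The sample files are constructed with documentation addresses, not the real root server addresses.

```sh
#!/bin/sh
# Added example (not from the thread): validate a downloaded root hints file
# and stage changes for a human instead of installing them automatically.
# Assumptions: named.root layout, root servers all under root-servers.net.,
# RFC 1918/loopback addresses mean tampering.  Names below are hypothetical.

MIN_SERVERS=${MIN_SERVERS:-9}

# validate_root_hints FILE
# Returns 0 when FILE looks like a sane hints file, 1 otherwise; each reason
# is written to stderr.
validate_root_hints() {
    awk -v min="$MIN_SERVERS" '
    {
        sub(/;.*/, "")                      # strip comments
        if (NF < 3) next                    # blank line or junk
        type = ""
        for (i = 2; i < NF; i++)            # record type sits between owner and rdata
            if ($i == "NS" || $i == "A") type = $i
        owner = tolower($1); rdata = $NF
    }
    type == "NS" && owner == "." {
        tgt = tolower(rdata)
        if (tgt !~ /\.root-servers\.net\.$/) { print "NS outside root-servers.net: " rdata; bad++ }
        ns[tgt]++
        next
    }
    type == "A" {
        a[owner]++
        if (rdata ~ /^(10|127)\./ || rdata ~ /^192\.168\./ || rdata ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) {
            print "private/loopback address for " $1 ": " rdata; bad++
        }
        next
    }
    { print "unexpected record: " $0; bad++ }
    END {
        n = 0
        for (h in ns) { n++; if (a[h] != 1) { print "no single A record for " h; bad++ } }
        for (h in a) if (!(h in ns)) { print "A record for a name that is not a root NS: " h; bad++ }
        if (n < min) { print "only " n " root servers listed, expected at least " min; bad++ }
        exit (bad > 0)
    }' "$1" >&2
}

# stage_root_hints CANDIDATE CURRENT PENDING
# Never installs anything.  Returns 0 when CANDIDATE is valid and identical to
# CURRENT, 2 when it is valid but differs (diff left in PENDING for review),
# 1 when it fails validation or diff could not run (nothing is staged).
stage_root_hints() {
    cand=$1; cur=$2; pending=$3
    validate_root_hints "$cand" || return 1
    diff "$cur" "$cand" > "$pending"
    case $? in
        0) rm -f "$pending"; return 0 ;;
        1) return 2 ;;
        *) rm -f "$pending"; return 1 ;;
    esac
}

# write_samples DIR: constructed hints files (RFC 5737 documentation
# addresses, not the real root servers) so the script runs offline.
write_samples() {
    dir=$1; i=0
    : > "$dir/good.root"
    for s in A B C D E F G H I; do
        i=$((i + 1))
        printf '.\t3600000\tNS\t%s.ROOT-SERVERS.NET.\n' "$s" >> "$dir/good.root"
        printf '%s.ROOT-SERVERS.NET.\t3600000\tA\t192.0.2.%d\n' "$s" "$i" >> "$dir/good.root"
    done
    # legitimate change: one server moved address
    sed 's/192\.0\.2\.9$/192.0.2.99/' "$dir/good.root" > "$dir/changed.root"
    # the hijack from the message above appended to an otherwise good file
    cp "$dir/good.root" "$dir/bad.root"
    printf '. IN NS you.got.hacked.net.\nyou.got.hacked.net. IN A 10.1.2.3\n' >> "$dir/bad.root"
}

# Stand-alone demonstration
demo=${TMPDIR:-/tmp}/roothints.$$
mkdir -p "$demo" && write_samples "$demo"
stage_root_hints "$demo/bad.root" "$demo/good.root" "$demo/pending.diff"; echo "tampered: rc=$?"
stage_root_hints "$demo/changed.root" "$demo/good.root" "$demo/pending.diff"; echo "changed: rc=$?"
stage_root_hints "$demo/good.root" "$demo/good.root" "$demo/pending.diff"; echo "unchanged: rc=$?"
rm -rf "$demo"
```

Wire stage_root_hints in where Eric's script does the mv and have the cron job mail the pending diff to hostmaster; the file only moves to root.cache when a person has read the diff. The validator is deliberately strict about anything it does not recognise, so a new record type in the hints file stops the pipeline rather than slipping through.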