From: Eric Ziegast <ziegast@zee.im.gte.com> To: nanog@merit.edu; namedroppers@internic.net Subject: Re: The SWAMP Date: Monday, September 09, 1996 7:47 PM
In cron:
# pick a random time once a week
31 10 * * 4 /usr/sbin/update-root
# some other time during the week
23 20 * * 6 /usr/sbin/named.restart
The shell script (off the top of my head):
#!/bin/sh
tmp=/tmp/rs$$
trap "rm -f $tmp" 1 2 3 14 15
cd /etc/namedb
ncftp -a -d 600 -g 5 ftp.root-servers.net:/named.root
if [ ! -r named.root ]; then
    Mail -s "Could not get root nameserver list" hostmaster
    exit 1          # nothing to compare or install
fi
# compare the freshly fetched list against the one named is using
diff root.cache named.root > $tmp
if [ -s $tmp ]; then
    mv named.root root.cache   # fails if couldn't download
    Mail -s "Root server update" hostmaster < $tmp
fi
rm -f $tmp
I don't like "automatic" updates. Sure it is convenient, but for something as mission-critical as name service, I would hesitate to automatically trust whatever happens to be at ftp.root-servers.net:/named.root on any given day. I would want to review it first.

Plus, on most BSDish systems /etc/crontab is world readable by default. A cracker would know the exact time to attempt to hijack the FTP session and insert:

. IN NS you.got.hacked.net.
you.got.hacked.net. IN A 10.1.2.3

-BD
I don't like "automatic" updates.
... thus the mail when the file is updated and the restart a few days later. For my example, the named.root FTP/HTTP/AXFR server would have to be at least as secure as a root server, but would not have to be more secure.

If people want to review the downloads first, sure, it's a good idea. Change the shell script to not move the file and just complain to the admin instead:

Mail -s "New Internet root DNS nameservers" hostmaster<<EOF
The list of root nameservers in `pwd`/named.root is newer than your
current root.cache file. Please run the following on `hostname` after
reviewing the contents of the new root server list:

    cd `pwd`
    mv named.root root.cache

Sincerely,
DNS cron on `hostname`
EOF

The administrator would get around to installing it eventually.

For the PC or Mac servers, I'd want a PCN-style update:

A new root nameserver list has been downloaded. Would you like to install it now?
o Yes
o Review it and give me an option to install it.
o No, not now, try me later.

The idea is to make sure periodic downloads are encouraged from the start and to make sure there is a DNS-known place (whose name is not attached to SRI-NIC.ARPA, NIC.DDN.MIL, or FTP.RS.INTERNIC.NET) where sites can get root server information as long as Internet DNS lives.

IMHO, it's better than promoting laziness by making sure that the root nameserver addresses are always the same. (What about IPV6? IPVn?)

My shell script was just an example. Implementation may vary.

--
Eric Ziegast
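Bradley's objection (trusting whatever sits on the FTP server, at a minute anyone can read out of /etc/crontab) and Eric's "stage it and mail the admin" answer both come down to a decision the cron job has to make: which downloaded named.root files may be installed unattended, and which must wait for a human. The script below is an added illustration of one such policy and is not part of either poster's message; the verdict categories, the structural checks and the sample hints files (RFC 5737 documentation addresses, constructed here) are all assumptions. Address changes for server names already in root.cache are treated as installable; a well-formed file that introduces a new server name, which is exactly what the injected `. IN NS you.got.hacked.net.` record looks like, is held for review; and a file with NS records for anything but the root, or glue that does not match the listed names, is rejected outright.

```shell
#!/bin/sh
# Added example, not Eric's update-root script. Decide whether a freshly
# downloaded named.root may replace root.cache without a human looking at it.
# Assumed policy: renumbering of names already in root.cache is installable;
# any new server name (Bradley's injected-NS case) is held for review;
# structurally odd files are rejected. Sample files are constructed with
# RFC 5737 documentation addresses and are not the real root hints.

# Normalise a hints file to sorted "owner type rdata" lines: strip ';'
# comments, TTLs and the optional IN class; lowercase names.
hints_records() {
    sed 's/;.*//' "$1" | awk '
        NF >= 3 {
            for (i = 2; i < NF; i++)
                if ($i == "NS" || $i == "A" || $i == "AAAA") {
                    print tolower($1), $i, tolower($(i + 1)); break
                }
        }' | sort -u
}

# Structural checks a hints file must pass: NS records only for ".",
# every listed server has glue, every glue record belongs to a listed server.
# Exit status 0 when clean; problems are printed on stdout.
hints_validate() {
    hints_records "$1" | awk '
        $2 == "NS" {
            if ($1 != ".") { print "NS record owned by " $1; bad = 1 }
            ns[$3] = 1
        }
        $2 == "A" || $2 == "AAAA" { glue[$1] = 1 }
        END {
            if (NR == 0) { print "no records parsed"; bad = 1 }
            for (n in ns) if (!(n in glue)) { print n " has no glue address"; bad = 1 }
            for (g in glue) if (!(g in ns)) { print "glue for unlisted " g; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Print one of: reject | identical | install | review
# $1 = current root.cache, $2 = downloaded candidate
hints_verdict() {
    hints_validate "$2" >/dev/null || { echo reject; return 0; }
    oldt=$(mktemp); newt=$(mktemp)
    hints_records "$1" >"$oldt"
    hints_records "$2" >"$newt"
    awk '
        FILENAME == ARGV[1] { old[$0] = 1; if ($2 == "NS") oldns[$3] = 1; next }
        {
            new[$0] = 1
            if (!($0 in old)) changed = 1
            if ($2 == "NS" && !($3 in oldns)) newname = 1
        }
        END {
            for (r in old) if (!(r in new)) changed = 1
            print (changed ? (newname ? "review" : "install") : "identical")
        }' "$oldt" "$newt"
    rm -f "$oldt" "$newt"
}

# Write constructed sample files into directory $1.
hints_make_samples() {
    cat >"$1/root.cache" <<'EOF'
; constructed sample, not the real root hints
.                        3600000  IN  NS  A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  IN  A   192.0.2.1
.                        3600000  IN  NS  B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000  IN  A   192.0.2.2
EOF
    # same content, different layout: comment, lowercase, no class field
    cat >"$1/same.root" <<'EOF'
; fetched copy
.                    3600000 NS a.root-servers.net.
a.root-servers.net.  3600000 A  192.0.2.1
.                    3600000 NS b.root-servers.net.
b.root-servers.net.  3600000 A  192.0.2.2
EOF
    # B renumbered: a known name changed address
    sed 's/192\.0\.2\.2/192.0.2.22/' "$1/root.cache" >"$1/renumber.root"
    # Bradley's injection: well-formed, but a new server name
    { cat "$1/root.cache"; printf '%s\n' \
        '.                   3600000 IN NS you.got.hacked.net.' \
        'you.got.hacked.net. 3600000 IN A  10.1.2.3'; } >"$1/injected.root"
    # structurally broken: NS record for a zone other than the root
    { cat "$1/root.cache"; echo 'example.net. 3600000 IN NS A.ROOT-SERVERS.NET.'; } >"$1/broken.root"
}

# Stand-alone demo: prints identical, install, review, reject in that order
d=$(mktemp -d)
hints_make_samples "$d"
for f in same renumber injected broken; do
    echo "$f.root: $(hints_verdict "$d/root.cache" "$d/$f.root")"
done
rm -rf "$d"
```

Note what this does not buy: the injected record is caught only because a new name appeared, and an attacker who merely renumbers an existing server to an address he controls would pass as installable. A hijacked download can only be detected against something the attacker does not control, for instance by asking the servers already in root.cache for `. NS` and comparing the answer with the new file, or by checking a signature on it; the script above attempts neither, it only decides who gets to look.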
I can see it taking a while for the initial laziness to be overcome, but once it is in place, it could provide for a lot of improvements including multiply-rooted TLDs.

The big thing is WHO would do this distribution? The Internic's systems are already too overwhelmed and customer support is spotty at best.

If we pass it to those service providers that service others [i.e. 1st tier] then its more work for them, but I can see it being a much more reliable process.

Just my two cents,
-Deepak.

On Mon, 9 Sep 1996, Eric Ziegast wrote:
I don't like "automatic" updates.
... thus the mail when the file is updated and the restart a few days later. For my example, the named.root FTP/HTTP/AXFR server would have to be at least as secure as a root server, but would not have to be more secure.
If people want to review the downloads first, sure, it's a good idea. Change the shell script to not move the file and just complain to the admin instead:
Mail -s "New Internet root DNS nameservers" hostmaster<<EOF The list of root nameservers in `pwd`/named.root is newer than your current root.cache file. Please run the following on `hostname` after reviewing the contents of the new root server list: cd `pwd` mv named.root root.cache
Sincerely, DNS cron on `hostname` EOF
The administrator would get around to installing it eventually.
For the PC or Mac servers, I'd want a PCN-style update:
A new root nameserver list has been downloaded. Would you like to install it now? o Yes o Review it and give me an option to install it. o No, not now, try me later.
The idea is to make sure periodic downloads are encouraged from the start and to make sure there is a DNS-known place (whose name is not attached to SRI-NIC.ARPA, NIC.DDN.MIL, or FTP.RS.INTERNIC.NET) where sites can get root server information as long as Internet DNS lives.
IMHO, it's better than promoting laziness by making sure that the root nameserver addresses are always the same. (What about IPV6? IPVn?)
My shell script was just an example. Implementation may vary.
-- Eric Ziegast
Deepak Jain writes:
I can see it taking a while for the initial laziness to be overcome, but once it is in place, it could provide for a lot of improvements including multiply-rooted TLDs.
The big thing is WHO would do this distribution? The Internic's systems are already too overwhelmed and customer support is spotty at best.
If we pass it to those service providers that service others [i.e. 1st tier] then its more work for them, but I can see it being a much more reliable process.
??? Surely you jest.

Well, maybe not. I can see *some* of the tier-1 providers being reasonably reliable about this. On the other hand... I can name at least three national providers that I wouldn't trust to configure their *own* DNS properly. (Don't ask, this isn't the time or place for flamewars. :-)

While I'm not particularly enchanted with the Internic, I think that their day-to-day procedures are working tolerably well. (Note that I'm not discussing their policies, just implementation). I'd rather see them doing it than many other organizations.

/a
---
Alexis Rosen
Owner/Sysadmin, PANIX Public Access Unix & Internet, NYC.
alexis@panix.com
participants (4): Alexis Rosen, Bradley Dunn, Deepak Jain, Eric Ziegast