Re: The SWAMP

["Bradley Dunn" <bradley () dunn org>]

> From: Eric Ziegast <ziegast () zee im gte com>
> To: nanog () merit edu; namedroppers () internic net
> Subject: Re: The SWAMP 
> Date: Monday, September 09, 1996 7:47 PM

>     In cron:
>
>       # pick a random time once a week
>       31 10 * * 4 /usr/sbin/update-root
>       # some other time during the week
>       23 20 * * 6 /usr/sbin/named.restart
>
>     The shell script (off the top of my head):
>
>       #!/bin/sh
>       tmp=/tmp/rs$$
>       trap "rm -f $tmp" 1 2 3 14 15
>       chdir /etc/namedb
>       ncftp -a -d 600 -g 5 ftp.root-servers.net:/named.root
>       if [ ! -r named.root ]; then
>               Mail -s "Could not get root nameserver list" hostmaster
>       fi
>       diff root.cache root-servers > $tmp
>       if [ -s $tmp ]; then
>               mv named.root root.cache   # fails if couldn't download
>               Mail -s "Root server update" hostmaster < $tmp
>       fi
>       rm -f $tmp

I don't like "automatic" updates. Sure it is convenient, but for something
as mission-critical as name service, I would hesitate to automatically
trust whatever happens to be at ftp.root-servers.net:/named.root on any
given day. I would want to review it first. Plus, on most BSDish systems
/etc/crontab is world readable by default. A cracker would know the exact
time to attempt to hijack the FTP session and insert:
.       IN      NS      you.got.hacked.net.
you.got.hacked.net.     IN      A       10.1.2.3

-BD
- - - - - - - - - - - - - - - - -