On 05/20/2008 01:15 AM, Joachim Schrod wrote:
Hi folks,
SUSE's root.hint file lists an old DNS root server. (The IP address of l.root-servers.net changed November last year, see http://blog.icann.org/?p=227.) As reported on the blog http://www.renesys.com/blog/2008/05/identity_theft_hits_the_root_n_1.shtml, there are several root servers on this address -- probably only one of them (Bill Manning's) might be related to ICANN.
IMHO, the security consequences of using a DNS root server that cannot be trusted are obvious. You might want to fetch ftp://ftp.internic.net/domain/named.root and update your root.hint file yourself.
FWIW, I opened a Bugzilla ticket, https://bugzilla.novell.com/show_bug.cgi?id=392173; maybe SUSE will issue a security update. (The story is already on Slashdot, i.e., as public as it can get; no need to keep it on private channels.)
Cheers, Joachim
I have used a script for years to update the root servers, that I call nsrootup, and have put in /etc/cron.monthly to make sure my root servers are current. I believe I got this off the internet when setting up my DNS server with 6.4.
----------
#!/bin/sh
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# Original by Al Longyear
# Updated for bind 8 by Nicolai Langfeldt
# Miscellaneous error-conditions reported by David A. Ranch
# Ping test suggested by Martin Foster
#
(
echo "To: hostmaster <hostmaster>"
echo "From: system <root>"
echo "Subject: Automatic update of the root.hints file"
echo

# No trailing colon: a trailing ":" would put the current directory on PATH
PATH=/sbin:/usr/sbin:/bin:/usr/bin
export PATH

# Stop here if the BIND working directory is missing
cd /var/lib/named || exit 1

# Are we online? Ping a server at your ISP
# Replace xxx.xxx.xxx.xxx with a valid local server name or IP
case `ping -qnc3 xxx.xxx.xxx.xxx` in
*'100% packet loss'*)
    echo "The network is DOWN. root.hints NOT updated"
    echo
    exit 0
    ;;
esac

# Ask a root server for the current NS set of the root zone
dig @e.root-servers.net . ns >root.hint.new 2>&1

case `cat root.hint.new` in
*NOERROR*)
    # It worked
    :
    ;;
*)
    echo "The root.hint file update has FAILED."
    echo "This is the dig output reported:"
    echo
    cat root.hint.new
    exit 0
    ;;
esac

echo "The root.hint file has been updated to contain the following information:"
echo
cat root.hint.new

# Install the new file, keeping the previous one as root.hint.old
chown named:named root.hint.new
chmod 444 root.hint.new
rm -f root.hint.old
mv root.hint root.hint.old
mv root.hint.new root.hint
/etc/init.d/named restart

echo
echo "The nameserver has been restarted to ensure that the update is complete."
echo "The previous root.hint file is now called /var/lib/named/root.hint.old."
) 2>&1 | /usr/lib/sendmail -t

exit 0
--------
--
Joe Morris
Registered Linux user 231871 running openSUSE 10.3 x86_64
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
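As an added example, not part of this thread and not the nsrootup script above, here is a small Python checker that parses two files in the named.root layout (the root.hint currently installed and a freshly fetched copy) and reports root servers that were added, removed, or whose A/AAAA addresses changed. The sample data is constructed with RFC 5737 and RFC 3849 documentation addresses, not real root server addresses, and the function names (parse_hints, compare_hints) are the example's own. Run against the fetched file before the mv/restart step, it surfaces an address change such as the L-root move for review instead of deploying it silently.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample "currently installed" hints file (documentation addresses only).
OLD_HINTS = """\
;       This file holds the information on root name servers (constructed sample)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
"""

# Constructed sample "freshly fetched" hints file; note the optional IN class
# column, a new AAAA record for A, and a changed address for L.
NEW_HINTS = """\
;       fetched copy (constructed sample)
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  IN  A     192.0.2.4
A.ROOT-SERVERS.NET.      3600000  IN  AAAA  2001:db8::4
.                        3600000  IN  NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000  IN  A     198.51.100.42
"""


def parse_hints(text: str) -> Tuple[Set[str], Dict[str, Set[str]]]:
    """Parse a named.root-style hints file.

    Returns (names listed as NS for the root ".", {name: set of A/AAAA addresses}).
    Comments (after ';') and blank lines are ignored; an optional IN class column
    is tolerated. Names and addresses are lower-cased for comparison.
    """
    roots: Set[str] = set()
    addrs: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = [f for f in line.split() if f.upper() != "IN"]
        if len(fields) != 4:
            continue  # not an owner/ttl/type/rdata record; skip it
        owner, _ttl, rtype, rdata = fields
        owner, rtype, rdata = owner.lower(), rtype.upper(), rdata.lower()
        if rtype == "NS" and owner == ".":
            roots.add(rdata)
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata)
    return roots, addrs


def compare_hints(old_text: str, new_text: str) -> Dict[str, list]:
    """Diff two hints files; 'changed' entries are (name, old_addrs, new_addrs)."""
    old_roots, old_addrs = parse_hints(old_text)
    new_roots, new_addrs = parse_hints(new_text)
    changed: List[Tuple[str, List[str], List[str]]] = []
    for name in sorted(old_roots & new_roots):
        before = old_addrs.get(name, set())
        after = new_addrs.get(name, set())
        if before != after:
            changed.append((name, sorted(before), sorted(after)))
    return {
        "added": sorted(new_roots - old_roots),
        "removed": sorted(old_roots - new_roots),
        "changed": changed,
    }


if __name__ == "__main__":
    report = compare_hints(OLD_HINTS, NEW_HINTS)
    for name in report["added"]:
        print(f"ADDED   {name}")
    for name in report["removed"]:
        print(f"REMOVED {name}")
    for name, before, after in report["changed"]:
        print(f"CHANGED {name}: {before} -> {after}")
    if not any(report.values()):
        print("root hints unchanged")
```

Any non-empty report is worth a human look before the new file replaces root.hint; a root server's address changing is rare and, as the L-root case shows, the old address may still answer queries for a long time.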