[opensuse] Hint: Update your root.hint file if you use bind
Hi folks,

SUSE's root.hint file lists an old DNS root server. (The IP address of l.root-servers.net changed November last year, see http://blog.icann.org/?p=227.) As reported on the blog http://www.renesys.com/blog/2008/05/identity_theft_hits_the_root_n_1.shtml, there are several root servers on this address -- probably only one of them (Bill Manning's) might be related to ICANN.

IMHO, the security consequences of using a DNS root server that cannot be trusted are obvious. You might want to fetch ftp://ftp.internic.net/domain/named.root and update your root.hint file yourself.

FWIW, I opened a Bugzilla ticket, https://bugzilla.novell.com/show_bug.cgi?id=392173; maybe SUSE will issue a security update. (The story is already on Slashdot, i.e., as public as it can get; no need to keep it on private channels.)

Cheers,
Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                          Email: jschrod@acm.org
Roedermark, Germany

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On 05/20/2008 01:15 AM, Joachim Schrod wrote:
Hi folks,
SUSE's root.hint file lists an old DNS root server. (The IP address of l.root-servers.net changed November last year, see http://blog.icann.org/?p=227.) As reported on the blog http://www.renesys.com/blog/2008/05/identity_theft_hits_the_root_n_1.shtml, there are several root servers on this address -- probably only one of them (Bill Manning's) might be related to ICANN.
IMHO, the security consequences of using a DNS root server that cannot be trusted are obvious. You might want to fetch ftp://ftp.internic.net/domain/named.root and update your root.hint file yourself.
FWIW, I opened a Bugzilla ticket, https://bugzilla.novell.com/show_bug.cgi?id=392173; maybe SUSE will issue a security update. (The story is already on Slashdot, i.e., as public as it can get; no need to keep it on private channels.)
Cheers, Joachim
I have used a script for years to update the root servers, which I call nsrootup, and have put it in /etc/cron.monthly to make sure my root servers are current. I believe I got this off the internet when setting up my DNS server with 6.4.

----------
#!/bin/sh
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# Original by Al Longyear
# Updated for bind 8 by Nicolai Langfeldt
# Miscellaneous error-conditions reported by David A. Ranch
# Ping test suggested by Martin Foster
#
# Everything inside the subshell is captured and mailed to hostmaster,
# so the first lines emitted are the mail headers.
(
 echo "To: hostmaster <hostmaster>"
 echo "From: system <root>"
 echo "Subject: Automatic update of the root.hints file"
 echo

 # No trailing colon: a trailing empty element would put the current
 # directory (/var/lib/named, writable by the named user) on the search path.
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 export PATH
 cd /var/lib/named || exit 0

 # Are we online?  Ping a server at your ISP
 # Replace xxx.xxx.xxx.xxx with a valid local server name or IP
 case `ping -qnc3 xxx.xxx.xxx.xxx` in
  *'100% packet loss'*)
   echo "The network is DOWN. root.hints NOT updated"
   echo
   exit 0
   ;;
 esac

 # Ask one root server for the root NS set; dig's output is itself a
 # valid hints file (its status lines are ';' comments).
 dig @e.root-servers.net . ns >root.hint.new 2>&1

 case `cat root.hint.new` in
  *NOERROR*)
   # It worked
   :
   ;;
  *)
   echo "The root.hint file update has FAILED."
   echo "This is the dig output reported:"
   echo
   cat root.hint.new
   exit 0
   ;;
 esac

 echo "The root.hint file has been updated to contain the following information:"
 echo
 cat root.hint.new

 # Install the new file read-only, keeping the previous one as root.hint.old
 chown named.named root.hint.new
 chmod 444 root.hint.new
 rm -f root.hint.old
 mv root.hint root.hint.old
 mv root.hint.new root.hint
 /etc/init.d/named restart

 echo
 echo "The nameserver has been restarted to ensure that the update is complete."
 echo "The previous root.hint file is now called /var/lib/named/root.hint.old."
) 2>&1 | /usr/lib/sendmail -t

exit 0
--------

--
Joe Morris
Registered Linux user 231871 running openSUSE 10.3 x86_64
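Joachim's advice is to fetch a fresh named.root and update root.hint by hand; Joe's cron script instead replaces root.hint with whatever one root server answers, without showing what changed. The script below is an added example (not from the thread, not SUSE's or BIND's code) that sits between the two: it compares the hints file a resolver currently uses against a freshly fetched named.root and reports every root server whose A record is stale, missing or removed, so the change (such as a moved l.root-servers.net) can be reviewed before the file is swapped in. The function name `stale_hints`, the paths in the usage comment and both sample hints files are assumptions; the sample files use RFC 5737 test addresses, not real root server addresses.

```shell
#!/bin/sh
# Added example, not code from the original thread. Compares the A records in
# a resolver's current root hints file against a freshly fetched named.root.
# Assumed usage on a real system:
#   fetch ftp://ftp.internic.net/domain/named.root to /tmp/named.root, then
#   stale_hints /var/lib/named/root.hint /tmp/named.root
# Exit status 1 means at least one entry differs, 0 means the hints are current.

# stale_hints CURRENT FRESH
# Reads A records in either "name ttl A addr" or "name ttl IN A addr" layout,
# skips ';' comment lines and NS/AAAA records, and prints one line per difference.
stale_hints() {
    awk '
        /^[[:space:]]*;/ { next }                      # comment line
        $3 == "A" { name = tolower($1); addr = $4 }    # class omitted
        $4 == "A" { name = tolower($1); addr = $5 }    # "IN" present
        $3 != "A" && $4 != "A" { next }                # NS, AAAA, blank
        NR == FNR { cur[name] = addr; next }           # first file: current hints
        {                                              # second file: fresh named.root
            if (!(name in cur)) {
                print name, "MISSING from current hints, fresh:", addr; n++
            } else if (cur[name] != addr) {
                print name, "STALE:", cur[name], "->", addr; n++
            }
            delete cur[name]
        }
        END {
            for (name in cur) { print name, "REMOVED: no longer in fresh hints"; n++ }
            exit (n > 0 ? 1 : 0)
        }' "$1" "$2"
}

# Constructed sample data (RFC 5737 test addresses, not real root servers):
# the hints the resolver is using, and a fresh named.root in which L has
# moved and a new server M has been added.
CURRENT_HINTS=$(mktemp)
FRESH_HINTS=$(mktemp)
trap 'rm -f "$CURRENT_HINTS" "$FRESH_HINTS"' EXIT

cat >"$CURRENT_HINTS" <<'EOF'
; constructed sample: current (stale) root hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    L.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
L.ROOT-SERVERS.NET.      3600000      A     192.0.2.12
EOF

cat >"$FRESH_HINTS" <<'EOF'
; constructed sample: fresh named.root, L moved, M added
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    L.ROOT-SERVERS.NET.
.                        3600000      NS    M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000  IN  A     192.0.2.4
L.ROOT-SERVERS.NET.      3600000      A     198.51.100.42
M.ROOT-SERVERS.NET.      3600000      A     203.0.113.33
EOF

if stale_hints "$CURRENT_HINTS" "$FRESH_HINTS"; then
    echo "root hints are current"
else
    echo "root hints differ from the fresh named.root; review the lines above before replacing the file"
fi
```

On the sample data the report names l.root-servers.net. as STALE with its old and new address and m.root-servers.net. as MISSING, and the function returns 1; run against two identical files it prints nothing and returns 0. In a cron job the non-zero status is the signal to mail the report to hostmaster rather than to move the new file into place unattended.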
Joachim Schrod escribió:
FWIW, I opened a Bugzilla ticket, https://bugzilla.novell.com/show_bug.cgi?id=392173; maybe SUSE will issue a security update. (The story is already on Slashdot, i.e., as public as it can get; no need to keep it on private channels.)
The bug report has now been assigned to the right people, that will check this out.

Cheers.

--
"Progress is possible only if we train ourselves to think about programs without thinking of them as pieces of executable code." - Edsger W. Dijkstra

Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
Cristian Rodríguez writes:
Joachim Schrod escribió:
FWIW, I opened a Bugzilla ticket, https://bugzilla.novell.com/show_bug.cgi?id=392173; maybe SUSE will issue a security update.
The bug report has now been assigned to the right people, that will check this out.
Great. Thanks for the fast reaction!

Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                          Email: jschrod@acm.org
Roedermark, Germany
Joachim Schrod escribió:
Great. Thanks for the fast reaction!
It is fixed now; updates will probably appear at some point next week.

JFYI: it is very important, if you open a report about a problem that may compromise security, to add security-team <at> suse <dot> de to the CC list.

--
"Progress is possible only if we train ourselves to think about programs without thinking of them as pieces of executable code." - Edsger W. Dijkstra

Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
The Wednesday 2008-05-21 at 03:43 -0400, Cristian Rodríguez wrote:
JFYI: it is very important, if you open a report about a problem that may compromise security, to add security-team <at> suse <dot> de to the CC list.
Isn't it enough to put "security" as the affected component in the bugzilla?

Remembering the address to cc a report is not that easy for us. Is there a drop list?

--
Cheers,
Carlos E. R.
On Wed, May 21, 2008 at 12:54:30PM +0200, Carlos E. R. wrote:
The Wednesday 2008-05-21 at 03:43 -0400, Cristian Rodríguez wrote:
JFYI: it is very important, if you open a report about a problem that may compromise security, to add security-team <at> suse <dot> de to the CC list.
Isn't it enough to put "security" as the affected component in the bugzilla?
Remembering the address to cc a report is not that easy for us. Is there a drop list?
If you add a Security somewhere, the screening team can catch it and reassign it to us.

Or you drop us an additional mail to security@suse.de

Ciao, Marcus
participants (5): Carlos E. R., Cristian Rodríguez, Joachim Schrod, Joe Morris, Marcus Meissner