Re: Root hints updates
On 09/06/12 07:06, Timothe Litt wrote:

> In doing some system administration, I realized that I have a tool that might be generally useful - ISC is welcome to add it to contribs. Hopefully the attachment will make it through the mailing list server.
>
> This is a script to automagically update the root hints file. There are a bunch of these floating around the internet; most don't work; those that do don't work well. I wrote this several years ago; it's worked for me.
>
> It will FTP the new file - or, if you value speed over comments, will fabricate a copy from the existing root servers - yes, it will deal with the case that a root server is renumbered or returns partial data.
>
> It acts as a SYS V init script so that it runs on every boot; it's smart enough to requeue itself hourly if it fails to get data. It verifies FTP transfers. It also runs as a cron job monthly to catch any updates. It will log actions to syslog; will also send mail if you like. It preserves file ownership and the timestamp of last download. It knows to run rndc reconfig when it gets a new file. (And not when nothing has changed.)
>
> I did some cleanup for this release, but the core logic has run for several years on Fedora and random embedded Linuxes. For me, it's install & forget.
>
> README:
>
> Install it (or create a link to it) in /etc/init.d/ as update_root. E.g. if it's in /usr/local/sbin, then
>
>     ln -sf ../../../usr/local/sbin/update_root /etc/init.d/
>
> Then execute
>
>     /etc/init.d/update_root setup
>     /etc/init.d/update_root
>
> Create a /etc/sysconfig/update_root file if you want a non-default configuration.
> The most useful configuration variables are:
>
>     # Undefined uses FTP (default)
>     #USEDNS=yes
>     # Root file name
>     HINT=ROOT.HINT
>     # named control address (undef for none)
>     NAMEDRNDC="127.0.0.1"
>     # Root file owner
>     DEFAULTOWNER="named:named"
>     # (When there's no file; normally copies from old)
>     # Define for e-mail recipient (default is undef => none)
>     #TO=hostmas...@example.com
>     # Cron directories
>     CRONMONTHLY="/etc/cron.monthly"
>     CRONHOURLY="/etc/cron.hourly"
>     # No IPV6? This may speed FTP connections.
>     WGET="$WGET -4"
>
> Other parameters are in the first ~80 lines of the script.
>
> The script commands are:
>
>     start  - check for update (default if no command)
>     setup  - run chkconfig and link to monthly queue (don't if you use crontab)
>     status - list current file
>
> One caution: Do not copy the script using copy & paste; there are places where literal tabs and spaces are important. [Some environments have very limited regexps.]
>
> It's freely redistributable, with the usual caveat that there is no warranty or promise of support & that you use it at your own risk.
>
> Enjoy.
>
> Timothe Litt
> ACM Distinguished Engineer
> - This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

Nice script.

Now my pet peeve time. This file: http://www.internic.net/domain/named.root indicates the named.root file should be available at ftp.internic.net or rs.internic.net. It's only at ftp.internic.net.

This page has a pointer to the root hints file (via FTP) that does not work either. The http version shows the above mistake. It's not available at rs.internic.net. http://www.iana.org/domains/root/files

Lyle Giese
LCR Computer Services, Inc.
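Two of the behaviours described in the quoted post above are the ones that matter operationally: verifying the transfer before installing it, and running rndc reconfig only when the record set actually changed (a file fetched by FTP carries comments; one fabricated from NS/A/AAAA answers does not, so a byte-for-byte comparison would reconfig for nothing). The POSIX sh below is an added example of that logic; it is not Timothe Litt's update_root script and not ISC code. The paths in the usage comment and the sample records used to exercise it are assumptions, and the rndc call is left to the caller.

```shell
#!/bin/sh
# Added example, not the update_root script from the thread: decide whether a
# freshly fetched root hints file is worth installing and whether named needs
# an "rndc reconfig" afterwards. Works on two local files, so it runs offline.

# normalize_hints FILE
#   Print the resource records in FILE in one canonical form: ';' comments and
#   blank lines dropped, runs of blanks/tabs squeezed to one space, everything
#   folded to lower case (DNS names are case-insensitive), lines sorted. A file
#   with comments and a fabricated one without them normalize identically, so
#   only a change in the server set or an address shows up as a difference.
normalize_hints() {
    sed 's/;.*$//' "$1" \
        | tr -s '[:blank:]' ' ' \
        | sed 's/^ //; s/ $//' \
        | tr 'A-Z' 'a-z' \
        | grep -v '^$' \
        | sort
}

# hints_plausible FILE
#   Reject a truncated or empty transfer before it is installed: FILE must hold
#   at least one NS record for the root and an A or AAAA record for every name
#   those NS records point at. Tolerates an optional IN class column.
hints_plausible() {
    normalize_hints "$1" | awk '
        { i = ($3 == "in") ? 4 : 3 }                  # column holding the type
        $1 == "." && $i == "ns"    { ns[$(i+1)] = 1; nns++ }
        $i == "a" || $i == "aaaa"  { addr[$1] = 1 }
        END {
            if (nns == 0) exit 1
            for (n in ns) if (!(n in addr)) exit 1
            exit 0
        }'
}

# hints_changed CURRENT NEW
#   Exit 0 when the two files describe different root server sets (or CURRENT
#   does not exist yet), 1 when they are equivalent. A renumbered server or an
#   added/removed NS record counts as a change; comments and layout do not.
hints_changed() {
    [ -f "$1" ] || return 0
    [ "$(normalize_hints "$1")" != "$(normalize_hints "$2")" ]
}

# install_hints CURRENT NEW
#   Install NEW over CURRENT only if it passes the plausibility check and
#   differs. Writing through the existing file (cat > CURRENT) keeps the inode,
#   so the owner, group and mode named expects survive; mv would hand the file
#   to whoever ran the script. (When CURRENT does not exist yet the new file is
#   owned by the caller, which is what a DEFAULTOWNER-style setting is for.)
#   Exit 0 when the file was replaced and the caller should run
#   "rndc reconfig", 1 when nothing changed, 2 when NEW was rejected.
install_hints() {
    hints_plausible "$2" || return 2
    hints_changed "$1" "$2" || return 1
    cat "$2" > "$1"
}

# Typical use from a cron job (hypothetical paths):
#   if install_hints /var/named/named.root /tmp/named.root.new; then
#       rndc -s 127.0.0.1 reconfig
#   fi
```

The plausibility check is the cheap substitute for "verifies FTP transfers": a connection that drops mid-file yields a syntactically fine zone fragment that named would happily load, and the NS-without-glue test catches exactly that case.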
RE: Root hints updates
Timothe Litt wrote:
>
> Until someone authoritative tells me that BIND manages the hints file on its
> own, I'm taking the conservative route and letting my tool run
>
> BTW, I do have systems that come on-line every 5 years or so. Automation is
> good :-)

Well, I'm not authoritative, but I don't have a root hints file on my systems. Instead I rely on the hints built in to named, which get updated when I update BIND.

Also it doesn't matter if the hints are out of date since the root name server list changes very infrequently and you only need one of them to work for named to start OK.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
RE: Root hints updates
>> Since the first thing BIND does at startup is to check the root NS set, and
>> since DNSSEC guarantees that it is genuine, is there still a use for this tool?

Unless bind updates the hint file as a result of these checks, yes.

It's not a question of authenticity; named has to start somewhere to find the root NS; this is the bootstrap cache. It wouldn't be a bad thing if bind did the update itself (sort of like DNSSEC's 5011 for keys). But so far as I know, it doesn't.

Since I run the tool, I can't say that I've ever seen a message from BIND complaining about the root hints being out of date. I know there was a root hints update last June... Does it sync to what it finds, or just complain?

Until someone authoritative tells me that BIND manages the hints file on its own, I'm taking the conservative route and letting my tool run.

BTW, I do have systems that come on-line every 5 years or so. Automation is good :-)

- This communication may not represent my employer's views, if any, on the matters discussed.

-Original Message-
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: Thursday, September 06, 2012 09:08
To: Timothe Litt
Cc: bind-users@lists.isc.org
Subject: Re: Root hints updates

On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt wrote a message of 466 lines which said:

> This is a script to automagically update the root hints file.

Since the first thing BIND does at startup is to check the root NS set, and since DNSSEC guarantees that it is genuine, is there still a use for this tool?
Re: Root hints updates
On Thu, Sep 06, 2012 at 08:06:45AM -0400, Timothe Litt wrote a message of 466 lines which said:

> This is a script to automagically update the root hints file.

Since the first thing BIND does at startup is to check the root NS set, and since DNSSEC guarantees that it is genuine, is there still a use for this tool?