dns-operations - Re: [opennic-dns-operations ] updates from non-masters

dns-operations AT lists.opennicproject.org


Re: [opennic-dns-operations ] updates from non-masters


  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: dns-operations AT lists.opennicproject.org
  • Subject: Re: [opennic-dns-operations ] updates from non-masters
  • Date: Fri, 22 Jun 2012 14:47:34 -0600

Feel free to look over the scripts and make suggestions. The way it
works is to look at the SOA for each TLD, which contains the name of the
'master' server for that TLD. It then queries the master server
directly for the official information (current serial and such). After
that, each of the T1 servers is queried to see if its information
matches. The T1 info is added to the config file being generated, but
if the information does not match, the T1 is commented out... This is
important in cases where a serial was reset to a previous version - the
script deletes the old zone file and tries to obtain a new zone from one
of the up-to-date servers.

The zone for dns.opennic.glue is built up almost identically, except it
lists all of the T2 servers.

I don't believe there is any chance for injection of malicious data
through the script, however the auto-updates could be of concern for
some folks. This does download a script directly to your server that is
run either as root, or as your bind user. For security, the IP address
of the source server is hard-coded directly into the script. Of course
I could always perform the transfer over https or sftp if that makes
folks feel more comfortable, but beyond that, I'm open to suggestions.


On 06/22/2012 01:41 PM, opennic AT lewman.us wrote:
> On Thu, 21 Jun 2012 16:31:45 -0600
> Jeff Taylor <shdwdrgn AT sourpuss.net> wrote:
>
>> There is a script in place that can be used by the T1 operators to
>> automate the process of generating a complete config file for opennic
>> zone -- http://wiki.opennic.glue/t1ZoneScript
> Sounds plausible. I'd want to spend some time figuring out how to
> integrate it into my system securely. Not willing to blindly trust 3rd
> party content injected into a bind config. ;)
>


