DNS Security (was: RE: [SunRescue] hosts file And DNS files??)

Greg A. Woods rescue at sunhelp.org
Mon May 28 16:21:42 CDT 2001


[ On Monday, May 28, 2001 at 22:11:00 (+0200), Sebastian Marius Kirsch wrote: ]
> Subject: Re: DNS Security (was: RE: [SunRescue] hosts file And DNS files??)
>
> So what? Just tell axfrdns to give you a zone transfer, and you have the
> data in master-file format. And to go the other way, you just tell
> axfr-get to get a zone listing of the zone you want, and it will spit it
> out in the djbdns format.

I think you're fudging things a lot there.  Can axfr-get get a zone from a
text file?  I've never heard that it can.....

> djb's rationale for creating a new format was that the old one is rather
> difficult to parse -- whereas it is trivial to change the djbdns format
> in a script, even using ed.

djb is scared of writing a real parser (can't say that I'm not either,
but he sure seems to be as shown by the software he has written!), or
maybe it's that when he writes one it's such a twisted ugly maze of code
that even he's afraid to maintain it!  ;-)

The only problem with the official master zone file format is that it
makes some fields optional in continuation records.  Of course it's not
very hard to use a tool such as awk (with its innate ability to build
simple finite state machines) to parse even the continuation records.
I've written such awk scripts at least a dozen times over.....  I'm sure
every other modern scripting language can do likewise, though as I said
the other day, and will no doubt say again, anything you can do in perl
(or even python) can be done more simply, quickly, and elegantly in
Smalltalk (and yes you can use it as a scripting language, esp. squeak).

> I just wish that djb would go on to write a DHCP server now -- that is
> one of the last areas where ISC software is creating major
> headaches. Also because of the file format, and because of the fact that
> you *cannot* make it reload its database, you *have* to restart it, and
> because it *refuses* to start if there is a syntax error in the
> configuration file. "Sorry, you can't reboot your computer now, we're
> busy trying to find a syntax error in dhcpd.conf." At least a syntax
> checker would be nice, but no ...

Now you are really fudging the facts....

Or are you using some ancient version?

Or are you simply not reading the fine manual?

       Dhcpd can be made to use an alternate  configuration  file
       with the -cf flag, or an alternate lease file with the -lf
       flag.   Because of the importance of using the same  lease
       database  at  all  times when running dhcpd in production,
       these options should be used only for testing lease  files
       or database files in a non-production environment.

  [[ .... ]]

       The DHCP server reads two files on startup:  a  configura-
       tion file, and a lease database.   If the -t flag is spec-
       ified, the server will simply test the configuration  file
       for  correct  syntax,  but will not attempt to perform any
       network operations.   This can be used to test the  a  new
       configuration file automatically before installing it.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods at acm.org>     <woods at robohack.ca>
Planix, Inc. <woods at planix.com>;   Secrets of the Weird <woods at weird.com>
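The continuation-record parsing Greg describes above (owner name, TTL and class may be omitted and inherited from the previous record, and a parenthesised RR such as an SOA may span lines), as an added example that is not part of the thread: an awk state machine driven from sh, run over a constructed zone fragment. The origin `example.net.` and the fallback default TTL of 3600 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Rewrites master-file records so
# every line carries an explicit owner, TTL and class. Simplification: a ';'
# always starts a comment (quoted ';' inside TXT rdata is not handled).

normalize_zone() {
  # $1 = zone file, $2 = zone origin (assumed, used for unqualified owners)
  awk -v origin="$2" '
    BEGIN { defttl = 3600; owner = origin }      # fallback TTL if no $TTL
    function emit(line,    n, f, i, rest, ttl, class, name) {
      gsub(/[()]/, " ", line); sub(/[ \t]+$/, "", line)
      n = split(line, f, /[ \t]+/)
      if (line !~ /^[ \t]/) owner = f[1]         # owner present, else inherit
      ttl = defttl; class = "IN"; i = 2
      if (f[i] ~ /^[0-9]+$/)     { ttl = f[i]; i++ }
      if (f[i] ~ /^(IN|CH|HS)$/) { class = f[i]; i++ }
      if (f[i] ~ /^[0-9]+$/)     { ttl = f[i]; i++ }   # "IN 300 A" order is legal too
      rest = f[i]; for (i++; i <= n; i++) rest = rest " " f[i]
      name = (owner == "@") ? origin : (owner ~ /\.$/ ? owner : owner "." origin)
      print name "\t" ttl "\t" class "\t" rest
    }
    { sub(/;.*/, "") }                            # strip comments
    /^\$TTL/    { defttl = $2; next }
    /^\$ORIGIN/ { origin = $2; next }
    /^[ \t]*$/  { next }
    { buf = (buf == "") ? $0 : buf " " $0         # accumulate until parens balance
      if (gsub(/\(/, "(", buf) > gsub(/\)/, ")", buf)) next
      emit(buf); buf = "" }
  ' "$1"
}

# Constructed zone fragment exercising omitted owners, TTLs and classes.
zone_file=$(mktemp)
cat > "$zone_file" <<'EOF'
$TTL 86400
$ORIGIN example.net.
@       IN  SOA ns1 hostmaster (
            2001052801 ; serial
            7200 3600 1209600 3600 )
        IN  NS  ns1
        NS  ns2.example.org.
ns1  300    A   192.0.2.1      ; TTL given, class omitted
www     IN  CNAME ns1
EOF
normalize_zone "$zone_file" example.net.
```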