Re: DNS security and spoofing (Re: [cobalt-security] Anyone else get this error?)
- Subject: Re: DNS security and spoofing (Re: [cobalt-security] Anyone else get this error?)
- From: Eugene Crosser <crosser@xxxxxxxxxxx>
- Date: 30 Dec 2002 14:33:33 +0300
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Mon, 2002-12-30 at 12:17, E.B. Dreger wrote:
> EC> Actually, your solution looks insufficiently paranoid to me.
>
> I agree. If a better way of which I'm unaware exists, please
> speak up. :-)
I can suggest something like this:
#!/bin/sh
# Refresh the root hints file only if the InterNIC detached signature verifies.
GNUPGHOME=/var/dnsrefresh
WGET=/usr/bin/wget
GPG=/usr/local/bin/gpg
KEYID=C1D27AF9
export GNUPGHOME
umask 077

# Private keyring directory used by this job only.
if [ ! -d "$GNUPGHOME" ]; then
    mkdir "$GNUPGHOME"
fi
if cd "$GNUPGHOME"; then :; else
    echo "Could not chdir to $GNUPGHOME" 1>&2
    exit 1
fi

# Fetch the signing key once; later runs find it in the keyring.
if "$GPG" --list-keys "$KEYID"; then :; else
    "$GPG" --keyserver hkp://wwwkeys.pgp.net --recv-keys "$KEYID"
fi

# -N only downloads when the remote copy is newer than the local one.
if "$WGET" -N ftp://ftp.rs.internic.net/domain/named.cache \
           ftp://ftp.rs.internic.net/domain/named.cache.sig
then :; else
    echo "Could not get files by FTP" 1>&2
    exit 1
fi

# Detached signature: gpg checks named.cache.sig against named.cache.
if "$GPG" --verify named.cache.sig; then :; else
    echo "Signature not verified" 1>&2
    exit 1
fi

# Install the verified file and make named reload it.
if cp named.cache /etc/named/db.cache; then
    kill -HUP `cat /var/run/named.pid`
else
    echo "Failed to replace root cache file" 1>&2
    exit 1
fi
echo Success
# that's all
Eugene
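An added illustration, not part of Eugene's script: a plain "gpg --verify" exits 0 for a good signature from any key in the keyring, so a key fetched from a keyserver by short id is enough to pass it. The functions below (assumed names, written for this page) read gpg's machine-readable --status-fd output and accept the file only when the VALIDSIG line carries a pinned full fingerprint; the fingerprint in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# check_sig_status STATUSFILE FINGERPRINT
# Reads "gpg --status-fd" output and returns 0 only when a VALIDSIG line
# carries the pinned fingerprint and no failure status line is present.
check_sig_status() {
    status="$1"; want="$2"
    # Any of these means the signature must not be trusted, whatever else says.
    if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)' "$status"; then
        return 1
    fi
    # Line format: "[GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ..."
    # so the third whitespace-separated field is the signing key's full fingerprint.
    fpr=$(awk '$2 == "VALIDSIG" { print $3; exit }' "$status")
    [ -n "$fpr" ] && [ "$fpr" = "$want" ]
}

# verify_pinned DATAFILE SIGFILE FINGERPRINT
# Runs gpg on a detached signature, captures the status lines, and requires
# both a zero exit status and a VALIDSIG from the pinned key.
verify_pinned() {
    data="$1"; sig="$2"; want="$3"
    tmp=$(mktemp) || return 1
    # --status-fd 1 puts the status lines on stdout; human-readable text goes to stderr.
    if gpg --batch --status-fd 1 --verify "$sig" "$data" >"$tmp" 2>/dev/null \
       && check_sig_status "$tmp" "$want"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Usage in a refresh job (fingerprint is a constructed placeholder, not a real key):
# verify_pinned named.cache named.cache.sig 0000000000000000000000000000000000000000 \
#     || { echo "Signature not from the pinned key" 1>&2; exit 1; }
```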