Using nsupdate in scripts

Philip Prindeville philipp_subx at redfish-solutions.com
Tue Mar 15 02:51:19 UTC 2022



> On Mar 14, 2022, at 5:11 PM, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
> 
> 
> 
>> On Mar 14, 2022, at 4:25 PM, Tony Finch <fanf at isc.org> wrote:
>> 
>> Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
>>> 
>>> But I've noticed that since I added the following to my options { }:
>>> 
>>>       allow-transfer { none; };
>>>       dnssec-validation auto;
>>>       listen-on-v6 { none; };
>>> 
>>> That I get a *lot* of lines like:
>>> 
>>> ; Communication with ::1#53 failed: connection refused
>> 
>> "Doctor it hurts when I do this!"
>> 
>> When you use `nsupdate -l` you are using a hard-coded configuration, that
>> uses a compiled-in path to the session key and fixed IPv4 and IPv6
>> localhost addresses.
>> 
>> If that doesn't fit your setup then you need to adjust the command-line
>> options for `nsupdate`.
>> 
>> I think for your purposes it would be best to add an environment variable
>> for the nsupdate options, so that the admin can set the variable to
>> contain different options if bare -l doesn't fit their needs. So if in
>> some fit of self-harm they have turned off IPv6, they can add -4 to the
>> variable, or they can get more creative with the -k option. (Sadly you
>> have to set the server address in the update script, not on the command
>> line.)
> 
> 
> I'm operating on a residential ILEC that hasn't deployed IPv6, so turning off IPv6 isn't "self-harm", it's what cyber security professionals refer to as "reducing attack surface".
> 
> There's no benefit in my situation to listening on IPv6 sockets, and it only provides a potential exploit for hackers.
> 
> There's no "admin" in my case, this is startup scripting on an embedded device (a firewall router).
> 
> I could grep for the explicit string "listen-on-v6 { none; };" but I'd need to isolate that in the "options { } " section, make sure it's not commented out, handle multi-line and whitespace processing, handle "include" processing, etc.
> 
> In short, it's non-trivial.
> 
> I was hoping that there's a trivial way to parse the named.conf file and figure out what it listens on for updates using a Bind utility, but I guess not...
> 
> -Philip


Actually, the canonicalization and include processing are handled by "named-checkconf -px" ... though I'm not sure why it generates two spaces between "listen-on-v6" and "{"...

The rest can be handled by a multiline PerlRE I guess.
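One way to do what is described above, as an added example rather than code from the thread: feed the canonical output of `named-checkconf -px` (includes resolved, comments stripped, secrets masked) to a small awk filter that only looks inside the top-level `options { }` block, and append `-4` to the `nsupdate -l` options when `listen-on-v6 { none; }` is present. The sample config text below is constructed, and the script assumes the canonical layout puts `options {` and its closing `};` on their own unindented lines.

```shell
#!/bin/sh
# nsupdate_opts CONF_TEXT
#   CONF_TEXT is the canonical named.conf as printed by `named-checkconf -px`.
#   Prints the option string for a local nsupdate: "-l", plus " -4" when the
#   options block disables IPv6 listening, so nsupdate never tries ::1#53.
nsupdate_opts() {
    printf '%s\n' "$1" | awk '
        # Enter the top-level options block; ignore everything outside it.
        /^options[ \t]*[{]/ { in_opts = 1; next }
        # An unindented "}" closes the options block (nested blocks are indented).
        in_opts && /^[}]/   { in_opts = 0 }
        # Any amount of whitespace between the keyword and "{" is accepted
        # (named-checkconf emits two spaces there).
        in_opts && /^[ \t]*listen-on-v6[ \t]*[{][ \t]*none;[ \t]*[}]/ { v6off = 1 }
        END { printf "-l%s\n", (v6off ? " -4" : "") }
    '
}

# Constructed sample: what named-checkconf -px prints for a config that
# turned IPv6 off in options { }.
CONF_V6_OFF='options {
    directory "/var/named";
    allow-transfer { none; };
    dnssec-validation auto;
    listen-on-v6  { none; };
};
zone "example.test" {
    type primary;
    file "example.test.db";
    update-policy { grant local-ddns zonesub any; };
};'

# Constructed sample: same config without the listen-on-v6 statement.
CONF_V6_ON='options {
    directory "/var/named";
    allow-transfer { none; };
};'

# Real-world use from a startup script (named-checkconf must be installed):
#   nsupdate $(nsupdate_opts "$(named-checkconf -px)") <<EOF
#   update add host.example.test 300 A 192.0.2.10
#   send
#   EOF
```

Running `nsupdate_opts "$CONF_V6_OFF"` prints `-l -4`, and `nsupdate_opts "$CONF_V6_ON"` prints `-l`.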


