Unapproved AXFR?

Barry Margolin barmar at bbnplanet.com
Tue Dec 14 17:20:21 UTC 1999


   Date: Tue, 14 Dec 1999 18:12:40 +0100
   From: Lars-Johan Liman <liman at sunet.se>
   Lines: 7

   barmar at bbnplanet.com:
   > I never said it was the only solution.  It's a popular, simple solution.

   To me it's more of a popular, simple _delusion_ ... :-)

Why are you all bitching at me?  It's not like I *recommend* this
technique.  I'm just trying to explain why many sysadmins do it.

Like I said in my earlier message, it's a trivial technique.  It doesn't
cost anything.  Have you never heard of the principle of Least Privilege?
Since randoms on the net shouldn't need to do zone transfers from you,
there's no reason to allow it, and it's incredibly simple to prevent.

Anything else, like split DNS, requires more work to set up and has ongoing
maintenance effort.  You need to have a good reason to do this, to justify
the work.  But they don't feel the need for strong justification to add an
"allow-transfer" line to the named.conf, and I hardly blame them.  Unless
they're deluding themselves into thinking that this is real data
protection, I see no problem with it.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
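As an added illustration of the "allow-transfer line in named.conf" the post is talking about (this is example material, not part of the original message or of BIND's own code): two constructed named.conf fragments, the default that leaves AXFR open to anyone, and the least-privilege form that denies transfers globally and re-enables them only for the one secondary, plus a small shell/awk check that reports the effective transfer policy per zone. Zone names and the 192.0.2.x addresses are assumptions (RFC 5737 documentation addresses), and the check is a line-oriented audit of this config layout, not a full named.conf parser.

```shell
#!/bin/sh
# Constructed named.conf fragments (assumed zones and RFC 5737 addresses).
# "open": no allow-transfer clause anywhere, so BIND's historic default
# (transfers allowed from any host) applies; example.net even says so.
open_conf='
options {
    directory "/var/named";
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { any; };
};
'

# "restricted": deny transfers in options; example.com opts one assumed
# secondary back in, example.net simply inherits the global deny.
restricted_conf='
options {
    directory "/var/named";
    allow-transfer { none; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.2; };   // assumed secondary nameserver
};
zone "example.net" {
    type master;
    file "example.net.zone";
};
'

# axfr_policy CONF_TEXT
# Prints one "<zone> open|restricted" line per zone. A zone without its own
# allow-transfer clause inherits the options-level one; if neither exists the
# zone is reported open (the historic default). Only "any" keeps a zone open;
# any address list, ACL name or "none" counts as restricted.
axfr_policy() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\/\//                  { next }                 # comment line
        /^[[:space:]]*options[[:space:]]*\{/ { block = "options"; next }
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]+"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
            order[++n] = zone
            policy[zone] = ""
            block = "zone"
            next
        }
        /allow-transfer[[:space:]]*\{/ {
            pol = ($0 ~ /\{[[:space:]]*any[[:space:]]*;/) ? "open" : "restricted"
            if (block == "options") global = pol
            else if (block == "zone") policy[zone] = pol
            next
        }
        /^\}/ { block = "" }                                         # top-level block closed
        END {
            for (i = 1; i <= n; i++) {
                z = order[i]
                p = policy[z]
                if (p == "") p = (global == "") ? "open" : global
                print z, p
            }
        }'
}

axfr_policy "$open_conf"         # example.com open / example.net open
axfr_policy "$restricted_conf"   # example.com restricted / example.net restricted
```

To confirm the setting took effect, run `dig @192.0.2.1 example.com AXFR` from a host that is not in the list (192.0.2.1 being the assumed address of the primary): a restricted server answers with "Transfer failed." instead of the zone contents. As the post itself stresses, this is least privilege, not data protection: every record in the zone is still answerable to ordinary queries, so the restriction only removes the convenience of pulling the whole zone in one request.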

