Unapproved AXFR?

Kevin Darcy kcd at daimlerchrysler.com
Tue Dec 14 17:36:59 UTC 1999


Barry Margolin wrote:

>    Date: Tue, 14 Dec 1999 18:12:40 +0100
>    From: Lars-Johan Liman <liman at sunet.se>
>    Lines: 7
>
>    barmar at bbnplanet.com:
>    > I never said it was the only solution.  It's a popular, simple solution.
>
>    To me it's more of a popular, simple _delusion_ ... :-)
>
> Why are you all bitching at me?  It's not like I *recommend* this
> technique.  I'm just trying to explain why many sysadmins do it.
>
> Like I said in my earlier message, it's a trivial technique.  It doesn't
> cost anything.  Have you never heard of the principle of Least Privilege?
> Since randoms on the net shouldn't need to do zone transfers from you,
> there's no reason to allow it, and it's incredibly simple to prevent.
>
> Anything else, like split DNS, requires more work to set up and has ongoing
> maintenance effort.  You need to have a good reason to do this, to justify
> the work.  But they don't feel the need for strong justification to add an
> "allow-transfer" line to the named.conf, and I hardly blame them.  Unless
> they're deluding themselves into thinking that this is real data
> protection, I see no problem with it.

Relax, Barry, it's just the age-old, never-ending
something-is-better-than-nothing versus false-sense-of-security debate. Seems
the stalwarts on either side of the debate simply can't help themselves.


- Kevin
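The "allow-transfer" line Barry refers to, shown as an added example in BIND named.conf syntax (this is not configuration from the thread, and the two blocks are alternative fragments, not one file): the first is the open setting the debate is about, the second is the least-privilege restriction, which limits bulk zone enumeration but, as the thread says, is not data protection. The zone name, file name and addresses are constructed placeholders.

```conf
// ---- Before: transfers allowed to any client ----
// Added example, not from the thread. Constructed placeholder zone.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };
};

// ---- After: transfers restricted to known secondaries ----
// Anyone can still query individual records; only bulk AXFR is limited.
acl "secondaries" {
    192.0.2.53;      // constructed placeholder for a secondary server
    198.51.100.53;   // constructed placeholder for a secondary server
};

options {
    // Global default for every zone that lacks its own allow-transfer.
    allow-transfer { "secondaries"; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Explicit per-zone setting; overrides the global default above.
    allow-transfer { "secondaries"; };
};
```

After reloading named, an AXFR request from a host outside the ACL (for instance `dig @<your-server> example.com axfr`, with the server name a placeholder) should fail with a transfer refused, which confirms the restriction is in effect.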
