Unapproved AXFR?

Olmy olmy at thistledown.org
Tue Dec 14 21:24:28 UTC 1999


> I don't think this is a strong enough justification for restricting
> zone transfers either, even though keeping an eye on stealth and slave
> servers is a Good Thing. What if the remote name server was configured
> to be authoritative for a completely bogus version of your zone? The
> effect's the same - that name server is telling lies about your domain
> - no matter what you're doing to control who's allowed to perform zone
> transfers.
> 

Agreed. There's nothing in allow-transfer that would prevent that. If you
interpret the act of someone setting up a bogus master for your zone
as a malicious act, my admittedly rather bizarre "what if?" is not a
reason in and of itself to employ allow-transfer options.

However, deliberate bogus masters or deliberate shadow slaves for the
purpose of DNS cache poisoning are not the sole possible instances of the
example I described.

You could also make an argument for this situation arising out of
operator error, a typo, or ignorance. I think the latter cases are more
likely than a malevolent DNS administrator wanting to re-direct traffic.

Anyway, it's been an interesting discussion, regardless.

cheers,

jeff
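For readers unfamiliar with the option under discussion, here is an added named.conf example (not from this thread or from BIND's own documentation) contrasting an open allow-transfer with one scoped to known secondaries; the zone name, the 192.0.2.0/24 addresses and the key name "xfer-key" are assumptions.

```conf
// Added example, not from the thread. Two alternative master-side
// configurations for one zone; use one or the other, not both.
// Addresses (documentation range) and the key name are assumptions.

// 1. Open: any host that can reach port 53 may pull the whole zone.
//    This is the "unapproved AXFR" case from the thread's subject line.
zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { any; };
};

// 2. Scoped: only a holder of the shared TSIG key may transfer.
//    The secret is a placeholder; generate one locally (e.g. dnskeygen).
key "xfer-key" {
    algorithm hmac-md5;
    secret "<base64 secret generated locally>";
};

acl "secondaries" { 192.0.2.10; 192.0.2.11; };

zone "example.org" {
    type master;
    file "example.org.zone";
    // Key-based check rather than address-only: an ACL on source
    // address limits who can ask, but the TSIG signature is what
    // ties the request to a secondary you actually configured.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.10; 192.0.2.11; };
};

// Matching statement on each secondary so it signs its AXFR requests
// to the master (assumed to be 192.0.2.1):
// server 192.0.2.1 { keys { "xfer-key"; }; };

// Caveat, as the thread points out: this only controls who can COPY
// the zone from this server. It cannot stop a name server elsewhere
// from being configured as master for its own bogus copy of
// example.org, whether by intent or by operator error.
```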
