netiquette & zone transfers
Mark.Andrews at nominum.com
Thu Mar 23 23:37:18 UTC 2000
> On 22 Mar 2000 10:46:41 -0800, Barry Margolin <barmar at bbnplanet.com> wrote:
>
> >In article <38d8d347.538453 at nntp.jaring.my>,
> >Lincoln Yeoh <lyeoh at pop.jaring.nospam.my> wrote:
> >>Just wondering, how do you tell whether you are authorised to transfer
> >>zones or not? I mean if ls -d works, aren't you authorised to do it? e.g.
>
> >It's like a door that says "Authorized entry only." If no one ever told
> >you that you're authorized, you can usually assume that you're not.
>
> Ah but the point is - there's nothing that says "authorized entry only".
> Anyway, when I find doors open in risky situations I usually notify the
> owners to close em.. But DNS zone transfers? Nah.
>
> >>it's a service which the dns admin was generous to provide. Zone transfers
> >>should be off by default, then if they are on, it means it's allowed.
> >
> >Unfortunately, BIND allows them by default.
>
> Fortunately it's not the IE of DNS yet.. But if they aren't careful...
>
> >authorized to transfer their own domains; everyone else is unauthorized,
> >but we don't enforce this (we would have to contact all the customers and
> >find out if they're running their own slaves so that we could set up access
> >lists).
>
> Well, a secret shared is not a secret ;). It's likely that even with access
> controls at your end, the typical customer would probably leak out all the
> info at their end.
>
> I suppose it could come under the various computer laws - unauthorised
> access to info. However, if we paint with such a broad brush then Microsoft
> and a whole bunch would be guilty as well. e.g. M'softs registration
> wizards, so on and so forth.
>
> Plus also nosey people like me :). But I think there is a difference
> between a good neighbour and a snoop.
>
> I think I'll just have to use the rule: Love thy neighbour as thyself.
>
> Coz we're all neighbours - everyone is just a few hops/seconds away.
>
> Cheerio,
> Link.
> ****************************
> Reply to: @Spam to
> lyeoh at @people at uu.net
> pop.jaring.my @
> *******************************
>
>
There are often good reasons to transfer a zone.

1. You have old resolvers which don't support search and you
   are below the zone you are transferring.
2. You are debugging a problem.

As for the legality. The DNS is a public database, as long
as you are willing to hand out answers for individual queries
in the zones involved you would have an uphill battle to prove
anything illegal.

Mark
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com