netiquette & zone transfers

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Thu Mar 23 23:37:18 UTC 2000 

> On 22 Mar 2000 10:46:41 -0800, Barry Margolin <barmar at bbnplanet.com> wrote:
> 
> >In article <38d8d347.538453 at nntp.jaring.my>,
> >Lincoln Yeoh <lyeoh at pop.jaring.nospam.my> wrote:
> >>Just wondering, how do you tell whether you are authorised to transfer
> >>zones or not? I mean if ls -d works, aren't you authorised to do it? e.g.
> 
> >It's like a door that says "Authorized entry only."  If no one ever told
> >you that you're authorized, you can usually assume that you're not.
> 
> Ah but the point is - there's nothing that says "authorized entry only".
> Anyway, when I find doors open in risky situations I usually notify the
> owners to close em.. But DNS zone transfers? Nah.
> 
> >>it's a service which the dns admin was generous to provide. Zone transfers
> >>should be off by default, then if they are on, it means it's allowed.
> >
> >Unfortunately, BIND allows them by default.
> 
> Fortunately it's not the IE of DNS yet.. But if they aren't careful...
> 
> >authorized to transfer their own domains; everyone else is unauthorized,
> >but we don't enforce this (we would have to contact all the customers and
> >find out if they're running their own slaves so that we could set up access
> >lists).
> 
> Well, a secret shared is not a secret ;). It's likely that even with access
> controls at your end, the typical customer would probably leak out all the
> info at their end.
> 
> I suppose it could come under the various computer laws - unauthorised
> access to info. However, if we paint with such a broad brush then Microsoft
> and a whole bunch would be guilty as well. e.g. M'softs registration
> wizards, so on and so forth. 
> 
> Plus also nosey people like me :). But I think there is a difference
> between a good neighbour and a snoop.
> 
> I think I'll just have to use the rule: Love thy neighbour as thyself. 
> 
> Coz we're all neighbours - everyone is just a few hops/seconds away. 
> 
> Cheerio,
> Link.
> ****************************
> Reply to:     @Spam to
> lyeoh at      @people at uu.net
> pop.jaring.my @ 
> *******************************
> 
> 

	There are often good reasons to transfer a zone.

	1. You have old resolvers which don't support search and you
		are below the zone you are transfering.
	2. You are debugging a problem.

	As for the legality.  The DNS is a public database, as long
	as you a willing to hand out answers for individual queries
	in the zones involved you would have an uphill battle to prove
	anything illegal.

	Mark
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com

More information about the bind-users mailing list