allow-transfer

Jim Reid jim at rfc1035.com
Sat May 19 09:34:51 UTC 2001


>>>>> "Ali" == Ali Eghtessadi <ali at BabcockBrown.com> writes:

    Ali> I understand that instead of "none", I can enter the IP
    Ali> address(es) of the slaves so they are the only hosts capable
    Ali> of transferring the zone info. What are the other major
    Ali> security risks imposed by not having such a statement in the
    Ali> primary DNS server?

There are no security risks associated with zone transfers. The DNS
data in the zone is public after all. [If your DNS data is considered
sensitive, then it shouldn't be public.] I suppose someone could mount
a denial of service attack by bombarding the server with AXFR
requests. But they could do the same sort of thing even if zone
transfers were restricted: just fire off huge numbers of TCP queries
for instance. It can sometimes be a good idea to restrict transfers
for very large zones, purely because of the resource impact, like
bandwidth or firewall capacity. Many top-level domains prevent open
zone transfers. Partly this is because of the size of the zones. It's
also a way of reducing cyber-squatting: people can't pull a copy of
the TLD and find out what names are available.
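An added configuration example (not part of Jim's reply or of the BIND documentation) showing the `allow-transfer` statement Ali asks about, in BIND 9 named.conf syntax. The zone name, the TEST-NET addresses, the ACL and key names and the key secret are all placeholders chosen for illustration. Without an `allow-transfer` statement, BIND of that era served AXFR to any client, which is the situation the question describes; the fragment below restricts transfers at the global level and then opens them per zone only to the named secondaries, optionally requiring a TSIG key so that a spoofed source address alone is not enough.

```conf
// Hypothetical secondaries; 192.0.2.0/24 is documentation space (RFC 5737).
acl "secondaries" {
    192.0.2.10;
    192.0.2.11;
};

// Optional TSIG key shared with the secondaries. The secret here is a
// placeholder; generate a real one with `tsig-keygen xfer-key` and keep
// the same key { } block in the secondaries' named.conf.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "cGxhY2Vob2xkZXItc2VjcmV0LXJlcGxhY2UtbWU=";
};

options {
    directory "/var/named";

    // Global default: refuse AXFR/IXFR from everyone. Leaving this out
    // (or writing `allow-transfer { any; };`) is the open setting.
    allow-transfer { none; };
};

zone "example.com" {
    type master;                 // `type primary;` on newer BIND 9
    file "db.example.com";

    // Per-zone override: only the listed secondaries, and only when the
    // request is signed with xfer-key. Drop the `key` element if the
    // secondaries cannot do TSIG; drop the address list if you want the
    // key alone to be the credential.
    allow-transfer {
        key "xfer-key";
        secondaries;
    };

    // Tell the same hosts when the zone changes so they pull promptly.
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

On the secondary side the matching zone uses `masters { 192.0.2.1 key "xfer-key"; };` (spelled `primaries` on newer BIND 9) so the transfer request carries the signature. `named-checkconf` will flag syntax errors in the fragment, and `dig @192.0.2.1 example.com AXFR` from a host outside the ACL should return "Transfer failed." once the restriction is in place.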

