[bind9] allow transfer, nameserver-only?

Kevin Darcy kcd at daimlerchrysler.com
Mon Jan 30 22:29:25 UTC 2006


Helmut Schneider wrote:

> Danny Mayer (mayer at gis.net) wrote:
>
>> Helmut Schneider wrote:
>>
>>> Barry Margolin (barmar at alum.mit.edu) wrote:
>>>
>>>> In article <drddrq$2l1p$1 at sf1.isc.org>,
>>>> "Helmut Schneider" <jumper99 at gmx.de> wrote:
>>>>
>>>>> Is it possible to define that a zone transfer is only allowed for NS
>>>>> records of the according zone file?
>>>>
>>>> I don't think BIND has such an option.  Some other DNS implementations
>>>> use the NS records as their default "allow-transfer" access list.
>>>
>>> Yes, Windows DNS does and I hoped that bind has such an option, too.
>>
>> You can restrict transfer of any zone to any list of addresses with the
>> allow-transfer option. It's up to you to specify what you want in there.
>
> I do have ACLs for that but if you maintain a list of zones where the
> secondaries are spread over a number of providers it is no fun to delegate
> zone transfer for each zone.
<soapbox on>

Why limit transfers at all? This is one of those "conventional wisdom" 
good-security-practice kind of things that actually doesn't make a whole 
lot of sense. Yes, in *theory*, there is a DoS potential in leaving zone 
transfers open, but the script kiddies seem to prefer more exotic forms 
of DoS, and in any case, decent IDS/IPS systems do non-DNS-specific 
rate-limiting/shunning by IP anyway. As for "hiding" certain resource 
records with "special" names (e.g. crypto-hashes or whatever) in your 
zone files, I would question such a practice from a design standpoint 
anyway. DNS is probably not the appropriate mechanism to use for that 
kind of thing.

Leaving zone transfers open gives everyone the flexibility to re-address 
off-site slaves (TSIG can theoretically be used to manage this, but many 
folks are ignorant about TSIG and how to use it, plus key management can 
be a pain), for partners to set up stealth slaves as desired (just don't 
expect any NOTIFYs from me, unless you let me know and I agree to it and 
implement it via also-notify), easy transfers of data if we should 
outsource part of our DNS hosting, or to facilitate some kind soul in 
troubleshooting a data/delegation problem in one of my zones 
(hypothetically, of course, since my zones are always perfect :-). Seems 
to me the maintainability and supportability issues here outweigh the 
(questionable, arguable) security benefits. Of course, it's rare for 
someone to get fired for insisting on *too*much* security, so I guess 
there's an inexorable ratchet-effect towards more and more 
restrictiveness, even where it doesn't make sense. Sigh...

<soapbox off>

                                                                         
                                                         - Kevin
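Since the thread establishes that BIND has no "allow transfers from the zone's NS records" switch and that hand-maintaining an allow-transfer ACL per zone is tedious, here is an added example (not code from the thread or from ISC) of how an operator could generate such an ACL from a zone file. It parses a constructed sample master file, collects the apex NS names and whatever A/AAAA glue the zone itself carries for them, and renders a named.conf `acl` plus a zone stanza that uses it; the file path in the output is a placeholder. Nameservers without in-zone glue (the "secondaries spread over a number of providers" case) are emitted as comments for the operator to resolve and fill in, which is exactly the part no script can automate from the zone data alone. An address ACL is still only an address check, so where the peer identity matters the TSIG key mentioned in the post remains the stronger control.

```python
"""Derive a BIND allow-transfer ACL from the NS records in a zone file.

Added example (not from the bind-users thread): reads a master file,
collects the apex NS names and any in-zone glue addresses, and prints a
named.conf 'acl' plus a zone stanza restricting AXFR to that acl.
Nameservers without in-zone glue are listed as comments for the operator.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, List[str]]  # (owner FQDN, RR type, rdata tokens)

# Constructed sample zone file; names and addresses are documentation ranges.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@       IN  SOA  ns1.example.org. hostmaster.example.org. (
            2006013001 7200 900 1209600 3600 )   ; serial, refresh, ...
@       IN  NS   ns1.example.org.
@       IN  NS   ns2
@       IN  NS   ns.provider.example.
ns1     IN  A    192.0.2.10
ns1     IN  AAAA 2001:db8::10
ns2     IN  A    192.0.2.20
www     IN  A    192.0.2.80
"""


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into an absolute name (trailing dot)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str) -> Tuple[str, List[Record]]:
    """Minimal master-file parser: $ORIGIN, ';' comments, ( ) continuations,
    inherited owner names, optional TTL/class. Enough for NS/A/AAAA."""
    origin, owner = "", ""
    records: List[Record] = []
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # strip comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:                              # record is complete
            logical.append(" ".join(buf))
            buf, depth = [], 0
    for line in logical:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):               # $TTL etc. not needed here
            continue
        if line[0].isspace():                       # owner inherited from previous RR
            rest = tokens
        else:
            owner, rest = qualify(tokens[0], origin), tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest = rest[1:]                         # drop optional TTL / class
        records.append((owner, rest[0].upper(), rest[1:]))
    return origin, records


def apex_ns(origin: str, records: List[Record]) -> List[str]:
    """Absolute names of the nameservers listed at the zone apex."""
    return [qualify(rdata[0], origin)
            for owner, rtype, rdata in records
            if owner == origin and rtype == "NS"]


def glue_addresses(records: List[Record], names: List[str]) -> Dict[str, List[str]]:
    """Map each NS name to the A/AAAA addresses the zone itself carries for it."""
    addrs: Dict[str, List[str]] = {n: [] for n in names}
    for owner, rtype, rdata in records:
        if owner in addrs and rtype in ("A", "AAAA"):
            addrs[owner].append(rdata[0])
    return addrs


def render_named_conf(origin: str, addrs: Dict[str, List[str]]) -> str:
    """Emit an acl plus a zone stanza restricting AXFR to that acl."""
    zone = origin.rstrip(".")
    acl_name = "xfer-" + zone.replace(".", "-")
    out = [f"acl {acl_name} {{"]
    for name, ips in addrs.items():
        for ip in ips:
            out.append(f"    {ip};    // {name}")
        if not ips:
            out.append(f"    // {name}: no in-zone glue; resolve and add its address(es) by hand")
    out += ["};", f'zone "{zone}" {{', "    type master;",
            f'    file "/etc/bind/zones/db.{zone}";   // path is a placeholder',
            f"    allow-transfer {{ {acl_name}; }};", "};"]
    return "\n".join(out) + "\n"


def build_config(zone_text: str) -> str:
    """Whole pipeline: zone file text in, named.conf fragment out."""
    origin, records = parse_zone(zone_text)
    return render_named_conf(origin, glue_addresses(records, apex_ns(origin, records)))


if __name__ == "__main__":
    print(build_config(SAMPLE_ZONE))
```

Run it as-is to see the fragment for the sample zone; to use it on a real zone, pass the file contents to `build_config()` and review the commented-out entries before loading the result into named.conf.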
