Secondary and TLD not updating

Jefferson Ogata bind-users at antibozo.net
Mon Nov 17 19:43:42 UTC 2008


On 2008-11-17 14:25, Holger Honert wrote:
> Chris Thompson wrote:
>> On Nov 17 2008, Res wrote:
>>> Ack! allow-transfer should never be any
>>
>> What, never? Why not?
>>
> Security issue! You really want everyone to download your zone(s)?

I couldn't care less. If the security of my systems were the least bit
dependent on keeping DNS records secret, I would kinda suck as an admin,
wouldn't I?

Allowing any user to do zone transfers from my nameserver might put
unnecessary load on my nameservers. I could *almost* care about that, if
you paid me to. And for this reason only, I limit transfers to
legitimate slaves.

Since AXFR is TCP only, it can't be used for an amplification attack, so
that's not an issue.

It's much ado about nothing. This paranoia about DNS privacy is largely
responsible for the significant delay in implementing the long-overdue
DNSSEC extensions. Here's a suggestion: if you have secrets, don't
publish them in a publicly accessible database.

-- 
Jefferson Ogata : Internetworker, Antibozo

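A worked example of the two settings the thread is arguing about, added here by the editor and not part of Ogata's post or of the BIND documentation: the open `allow-transfer { any; }` beside a configuration that restricts transfers to the real secondaries, addressed by IP and authenticated with a TSIG key. Zone names, the addresses (taken from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges) and the key secret are constructed placeholders.

```conf
// Added example (not from the original post). A named.conf fragment for a
// BIND 9 primary showing the open setting beside the restricted one.
// Names, addresses and the key secret below are constructed placeholders.

// Open: any client that can reach port 53/TCP may pull the whole zone.
// As the post argues, the cost is mostly load, not secrecy.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Restricted: transfers only for the listed secondaries, and only when the
// AXFR/IXFR request is signed with the shared key. The secret here is a
// dummy; generate a real one with tsig-keygen (dnssec-keygen on old releases).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

acl "secondaries" {
    192.0.2.53;
    2001:db8::53;
};

zone "example.org" {
    type master;
    file "example.org.zone";
    // Require BOTH conditions. The nested, negated list rejects every source
    // address that is not in "secondaries"; a request from a listed address
    // falls through to the key element, which only matches if the request
    // carries a valid TSIG signature by "xfer-key". This is the address-AND-key
    // idiom documented in the BIND ARM.
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    // Tell the secondaries to pull promptly after a change.
    also-notify { 192.0.2.53; 2001:db8::53; };
};

// On each secondary (its own named.conf, not this file): the identical
// key "xfer-key" statement, plus a server stanza so its requests to the
// primary (placeholder address 192.0.2.1) are signed:
//
//     server 192.0.2.1 {
//         keys { "xfer-key"; };
//     };
```

To verify from a host that is not a secondary, `dig @192.0.2.1 example.org AXFR` should end in "Transfer failed." for the restricted zone, while the same query against example.com returns the full zone. From a listed secondary, `dig -y hmac-sha256:xfer-key:<secret> @192.0.2.1 example.org AXFR` should succeed, and an unsigned request from the same address should still be refused, which confirms that both halves of the match list are in force. Run `named-checkconf` after editing; a key statement must be defined before the ACL and zone that reference it.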