Zone transfers of

Chris Thompson cet1 at
Fri Feb 27 12:55:33 UTC 2009

Resurrecting part of a thread from last September, when I wrote:

>On Sep 23 2008, Stephane Bortzmeyer wrote:
>>On Tue, Sep 23, 2008 at 02:07:43PM +0100,
>> Chris Thompson <cet1 at> wrote 
>> a message of 20 lines which said:
>>> [*] How do I know? Well uses NSEC records and is 
>>> therefore "enumerable" :-) 113 DLV records at the end of July,
>>> 163 today.

[ 352 at a recent count, by the way ]

>>As the shadoks <> said, "Why
>>do it simply when you can make it complicated?" :-) dig AXFR is
>Over-hasty analysis on my part. Having discovered that
>didn't allow zone transfers for, I obviously failed to
>note that the other official nameservers for it do allow them ...

Things have changed more than once since then. When the official
slaves changed to the current set, {ams,sfba,ord},
they didn't allow zone transfers, but the "hidden master" from the
SOA record, still did. But in the last couple of
days it has started forbidding them as well.

So I suppose I will have to go back to enumerating via the NSEC 
records after all ... :-)

Apart from vulgar curiosity [*] about the contents, there is a
potential issue here. A validating nameserver using
for lookaside makes a lot of queries to it (the TTLs and, most
significantly, the negative TTL, are only 1 hour), and if network
access to the official slaves were lost one would start getting
SERVFAILs for everything. So a natural thought is that one could
(stealth) slave, and survive loss of contact for up
to its SOA.expire value (28 days at the moment). Of course, one
ought to be validating the results of the zone transfer if one
did this. Or I should say, were allowed by ISC to do it.

[*] Well, perhaps not all that vulgar. I have used lists of the
zones secured via when arguing here about our own 
plans for moving to DNSSEC. The recent inclusion of the TLDs
from the IANA ITAR is a good sign.

Chris Thompson
Email: cet1 at
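The enumeration trick referred to above (walking the NSEC chain of a zone whose nameservers refuse AXFR), as an added example that is not part of the original post or of anything ISC published. The zone below is constructed for illustration: the apex dlv.example., the owner names and the type bitmaps are made up, and the lookup is a dictionary standing in for the NSEC answers a live walk would collect with dig +dnssec NSEC against the zone's nameservers. The walker follows each NSEC record's "next owner name" until the chain wraps back to the apex, checks that the chain stays in RFC 4034 canonical order, and then lists the owners carrying a DLV record, which is the count the post keeps quoting.

```python
"""NSEC zone walk, simulated offline (constructed example, not ISC code)."""

ZONE_APEX = "dlv.example."

# Constructed NSEC data: owner -> (next owner name, RR types at owner).
# In a live walk each entry comes from the NSEC RR in the answer to
#   dig +dnssec NSEC <owner>
# Chain order follows RFC 4034 section 6.1 (labels compared right to left).
NSEC_RRS = {
    "dlv.example.":              ("alpha.net.dlv.example.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    "alpha.net.dlv.example.":    ("ns1.dlv.example.", {"DLV", "NSEC", "RRSIG"}),
    "ns1.dlv.example.":          ("beta.org.dlv.example.", {"A", "NSEC", "RRSIG"}),
    "beta.org.dlv.example.":     ("sub.beta.org.dlv.example.", {"DLV", "NSEC", "RRSIG"}),
    "sub.beta.org.dlv.example.": ("dlv.example.", {"DLV", "NSEC", "RRSIG"}),
}


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 6.1): labels are
    compared from the rightmost one, case-insensitively, and a name that is
    a suffix of another sorts before it."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))


def walk_nsec_chain(lookup, apex, max_steps=100000):
    """Follow NSEC 'next owner' pointers from the apex until the chain wraps
    back to it. lookup(owner) returns (next_owner, types) or None.
    Returns {owner: types} for every name in the zone; raises ValueError
    if the chain is broken, loops, or is out of canonical order."""
    zone = {}
    owner = apex
    for _ in range(max_steps):
        rr = lookup(owner)
        if rr is None:
            raise ValueError(f"chain broken: no NSEC record at {owner}")
        nxt, types = rr
        zone[owner] = set(types)
        if nxt == apex:
            return zone            # wrapped around: every name has been seen
        if nxt in zone:
            raise ValueError(f"chain loops back to {nxt} without reaching the apex")
        if canonical_key(nxt) <= canonical_key(owner):
            raise ValueError(f"chain out of canonical order: {owner} -> {nxt}")
        owner = nxt
    raise ValueError("chain did not wrap to the apex within max_steps")


def chain_is_complete(lookup, apex):
    """True if the NSEC chain can be walked from the apex all the way round."""
    try:
        walk_nsec_chain(lookup, apex)
        return True
    except ValueError:
        return False


def owners_with_type(zone, rrtype):
    """Owner names whose NSEC type bitmap includes rrtype, in canonical order.
    With rrtype="DLV" this is the list of zones the lookaside registry
    vouches for, i.e. the number the post counts."""
    return sorted((n for n, types in zone.items() if rrtype in types), key=canonical_key)


if __name__ == "__main__":
    enumerated = walk_nsec_chain(NSEC_RRS.get, ZONE_APEX)
    for name in owners_with_type(enumerated, "DLV"):
        print(name)
```

The same walk against a real zone replaces NSEC_RRS.get with a function that queries a nameserver for the NSEC RRset at each owner (and, for a thorough job, validates the RRSIG on each answer before trusting the pointer). The out-of-order and missing-record checks are what tell you a walk has been fed bad data rather than simply reached the end.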
