Zone transfers of dlv.isc.org

Chris Thompson cet1 at cam.ac.uk
Fri Feb 27 12:55:33 UTC 2009


Resurrecting part of a thread from last September, when I wrote:

>On Sep 23 2008, Stephane Bortzmeyer wrote:
>
>>On Tue, Sep 23, 2008 at 02:07:43PM +0100,
>> Chris Thompson <cet1 at hermes.cam.ac.uk> wrote 
>> a message of 20 lines which said:
>>
>>> [*] How do I know? Well dlv.isc.org uses NSEC records and is 
>>> therefore "enumerable" :-) 113 DLV records at the end of July,
>>> 163 today.

[ 352 at a recent count, by the way ]

>>As the shadoks <http://en.wikipedia.org/wiki/Les_Shadoks> said, "Why
>>do it simply when you can make it complicated?" :-) dig AXFR is
>>simpler...
>
>Over-hasty analysis on my part. Having discovered that ns-ext.isc.org
>didn't allow zone transfers for dlv.isc.org, I obviously failed to
>note that the other official nameservers for it do allow them ...

Things have changed more than once since then. When the official
slaves changed to the current set, {ams,sfba,ord}.sns-pb.isc.org,
they didn't allow zone transfers, but the "hidden master" from the
SOA record, ns-int.isc.org, still did. But in the last couple of
days it has started forbidding them as well.

So I suppose I will have to go back to enumerating via the NSEC 
records after all ... :-)

Apart from vulgar curiosity [*] about the contents, there is a
potential issue here. A validating nameserver using dlv.isc.org
for lookaside makes a lot of queries to it (the TTLs and, most
significantly, the negative TTL, are only 1 hour), and if network
access to the official slaves were lost one would start getting
SERVFAILs for everything. So a natural thought is that one could
(stealth) slave dlv.isc.org, and survive loss of contact for up
to its SOA.expire value (28 days at the moment). Of course, one
ought to be validating the results of the zone transfer if one
did this. Or I should say, were allowed by ISC to do it.

[*] Well, perhaps not all that vulgar. I have used lists of the
zones secured via dlv.isc.org when arguing here about our own 
plans for moving to DNSSEC. The recent inclusion of the TLDs
from the IANA ITAR is a good sign.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
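An added example, not part of Chris's post and not ISC's own
configuration: a BIND 9 named.conf fragment for the stealth-slave
arrangement the post describes, where a validating resolver keeps a
local copy of dlv.isc.org so lookaside queries can be answered for up
to the zone's SOA expire value if the official servers become
unreachable. The master address, the DLV trust anchor and the zone file
path are placeholders, and the transfer itself only works if ISC permits
it to this host.

```conf
// Added example, not from the original post. Placeholders are marked.
options {
    dnssec-enable yes;
    dnssec-validation yes;
    // Use dlv.isc.org as the lookaside anchor for the whole tree.
    dnssec-lookaside . trust-anchor dlv.isc.org;
};

trusted-keys {
    // PLACEHOLDER: the real dlv.isc.org DNSKEY must be pasted here,
    // obtained and checked out of band (the local copy of the zone
    // is not validated, so the anchor is the only thing that is).
    dlv.isc.org. 257 3 5 "PLACEHOLDER-DLV-KEY-GOES-HERE";
};

// Stealth secondary: this server is not listed in the NS set of
// dlv.isc.org; it simply holds a transferred copy for local use.
zone "dlv.isc.org" {
    type slave;
    // PLACEHOLDER: address of a server that allows AXFR to this host
    masters { 192.0.2.1; };
    // PLACEHOLDER path; BIND keeps serving this file after the master
    // is unreachable until the SOA expire interval has elapsed.
    file "slave/dlv.isc.org.db";
    // Do not re-export the copy to anyone else.
    allow-transfer { none; };
    notify no;
};
```

Two points worth keeping in mind with this setup: BIND answers from a
locally loaded zone as authoritative data and does not pass it through
the validator, which is exactly why the post's caveat about validating
the transferred zone applies; and the protection window is bounded by
the SOA expire field (28 days at the time of the post), after which the
slave stops answering and the SERVFAILs the post describes return.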