[bind10-dev] allow/deny xfr requests by default?

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Wed Feb 8 21:57:35 UTC 2012


Not particularly related to the current focus of development or a
serious bug, but before I forget it...

Do people have an opinion about whether BIND 10 should allow/deny
AXFR/IXFR requests by default?  Currently b10-xfrout allows xfr
requests by default, just like BIND 9 does.

My general understanding is that this is a matter-of-opinion topic.
Some people consider it a "security issue" and argue we should reject
xfrs by default; others argue that DNS data are basically public and
we shouldn't try to hide them unless the operator explicitly wants to
do so (and they often question the sense of "security" here).

Also personally, I don't have any problem with accepting xfr requests
to my personal zone.  I've always allowed it for my personal server
(and I'd prefer successful zone transfer to secondaries without
figuring out how to make it possible by looking into the reference
manual, etc.).

There's even (at least one instance of) a root server that accepts xfr
requests from anyone: F.

So, if this is basically just a matter of preference/opinion, I
personally think it makes sense to provide compatibility with BIND 9.
But if the majority of the users prefer denying it by default, I'm
okay with that.

See also:
https://lists.isc.org/pipermail/bind10-users/2012-February/000175.html

---
JINMEI, Tatuya


