[bind10-dev] Forward: RE: allow/deny xfr requests by default?
Francis Dupont
fdupont at isc.org
Thu Feb 9 07:50:18 UTC 2012
I agree with your proposal (I never forbid the transfer of fdupont.fr but
I have no concern if someone asks with good arguments to reverse the
default). About the NIST recommendation, it is for "secure" DNS operation,
so if you read security == paranoia you easily understand it.
In fact there is a good reason to keep the BIND 9 behavior: in general
secondary servers are not under the same administrative control as
primary servers; this means such a policy change won't be really under
control. In fact, IMHO it is important for smooth BIND version transition
to keep such a policy, i.e., even if the default is reversed the 9to10
config translator should keep the current default (i.e., vs. KISS).
Thanks
Francis Dupont <fdupont at isc.org>