Default Xfrout transfer_acl
Spain, Dr. Jeffry A.
spainj at countryday.net
Tue Feb 7 21:19:41 UTC 2012
>> Also I would like to propose a change to the default configuration of the Xfrout module for purposes of improved security. As things stand, a default installation of bind10 sets up an authoritative server with outgoing zone transfer capability. In the default configuration 'Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)' allows anybody to list out any zones that are loaded. I think it would be better to set this to '{"action": "REJECT"} any', and thus require system administrators to explicitly define permissible outgoing zone transfer recipients. Perhaps you are already contemplating this as bind10 development continues, but it would be unfortunate to overlook this issue in an eventual production release.
> This is basically following the default behavior of BIND 9. In general, we are trying to keep compatibility with BIND 9 unless there's a specific reason to change that. We can discuss this at bind10-dev (maybe cc'ing to the users list in case you are interested in it).
Thanks. I would be interested in having further discussion copied to the users' list. I agree that in general making bind10 behave like bind9 is a good idea to ease the administrative learning curve for the transition from bind9 to bind10. On the other hand, the configuration procedures are fairly different anyway.
In this instance I would argue that there are specific reasons to change the default behavior. Based on my experience and understanding of what I have read, open zone transfers to all hosts would be a very uncommon DNS server configuration and an insecure one. In other words, almost all bind9 configurations surely have allow-transfer statements in place to restrict transfers to slave servers and perhaps administrative systems. Thus it does not make sense to me to have open transfers as the default for bind10. Bind10 administrators will almost always apply a more restrictive ACL and will be required to remember to set the default ACL to REJECT manually if you don't make it that way in the first place. Furthermore by changing the default to REJECT, you can avoid setting a security trap for inexperienced bind10 administrators.
I would make the same argument with respect to bind9's defaults, except that there would be a concern about the changed default breaking certain existing configurations. I think that bind9 and its configuration defaults were developed in an era when security was less of a concern overall. At least in the security arena, bind10's configuration defaults should be defined with the current malevolent reality in mind.
In conjunction with this I would like to point out that you have set up b10-resolver by default to accept queries only from localhost. Using the same reasoning as above, this is a good choice. In bind9, on the other hand, allow-query defaults to all hosts, so you do have a precedent for breaking tradition with bind9.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
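To make the difference between the two defaults concrete, here is a small model of first-match ACL evaluation, added as an illustration and not taken from BIND 10's source. It assumes the list-of-entries shape the post quotes (each entry carries an "action" and, optionally, a "from" prefix; an entry without "from" matches any client), and it assumes that a list in which nothing matches fails closed; the addresses are constructed sample values.

```python
import ipaddress

# Constructed ACL lists in the shape the post quotes. "from" is an address
# or prefix; an entry with no "from" is the catch-all. This is a model of
# first-match evaluation, not BIND 10's own implementation.
DEFAULT_ACL = [{"action": "ACCEPT"}]          # the shipped default the post objects to
PROPOSED_DEFAULT = [{"action": "REJECT"}]     # the default the post proposes
RESTRICTED_ACL = [
    {"from": "192.0.2.0/24", "action": "ACCEPT"},  # constructed: secondary servers
    {"from": "2001:db8::1", "action": "ACCEPT"},   # constructed: admin host
    {"action": "REJECT"},                          # everything else
]


def evaluate_acl(acl, client_ip):
    """Return the action of the first entry matching client_ip.

    Assumption (labelled): an ACL in which no entry matches rejects.
    """
    ip = ipaddress.ip_address(client_ip)
    for entry in acl:
        src = entry.get("from")
        if src is None:                       # catch-all entry
            return entry["action"]
        net = ipaddress.ip_network(src, strict=False)
        if ip.version == net.version and ip in net:
            return entry["action"]
    return "REJECT"


def catch_all_accepts(acl):
    """True when the ACL's catch-all entry accepts, i.e. any client may request AXFR.

    Useful as a configuration-audit check: an ACL that is accidentally left
    at the shipped default trips this, an ACL ending in REJECT does not.
    """
    for entry in acl:
        if "from" not in entry:
            return entry["action"] == "ACCEPT"
    return False


def transfer_clients(acl, candidates):
    """Return the subset of candidate client addresses the ACL would allow to transfer."""
    return [c for c in candidates if evaluate_acl(acl, c) == "ACCEPT"]


if __name__ == "__main__":
    probes = ["192.0.2.10", "203.0.113.5", "2001:db8::1", "2001:db8::2"]
    for name, acl in [("default", DEFAULT_ACL),
                      ("proposed", PROPOSED_DEFAULT),
                      ("restricted", RESTRICTED_ACL)]:
        print(f"{name:10s} open-to-all={catch_all_accepts(acl)} "
              f"allowed={transfer_clients(acl, probes)}")
```

Running it shows the point of the post: with the shipped default every probe address is allowed to transfer, with the proposed default none is until an administrator adds explicit entries, and with an explicit list only the named secondaries and the admin host get through.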