[bind10-dev] allow/deny xfr requests by default?
Shane Kerr
shane at isc.org
Thu Feb 9 11:16:23 UTC 2012
Jinmei,
On Wednesday, 2012-02-08 13:57:35 -0800,
JINMEI Tatuya / 神明達哉 <jinmei at isc.org> wrote:
> Do people have an opinion about whether BIND 10 should allow/deny
> AXFR/IXFR requests by default? Currently b10-xfrout allows xfr
> requests by default, just like BIND 9 does.
> There's even (at least an instance of) a root server that accepts xfr
> requests from anyone: F.
Well, the "security" motivation hardly applies for root servers, since
the zone is published in several ways. I'm not sure why any of the root
servers block XFR actually - it makes little sense, although I suppose
it is one less code path that can introduce bugs.
> So, if this is basically just a matter of preference/opinion, I
> personally think it makes sense to provide compatibility with BIND 9.
> But if the majority of the users prefer denying it by default, I'm
> okay with that.
I personally leave my zones open to XFR.
I agree with the issue about wanting to keep things predictable for
BIND 9 users.
One possible argument for wanting to restrict XFR by default is that
people feel like they have to lock down BIND 9 because XFR is open and
someone (perhaps NIST) told them that is unsafe. So, even if it
doesn't make sense, we should avoid forcing administrators to do
extra work by default.
--
Shane
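The BIND 9 lock-down Shane refers to, written out as an added example (it is not part of the original message, and it is not either project's shipped default): transfers are denied globally with `allow-transfer { none; };`, and a single zone re-opens them only to clients that sign the request with a TSIG key. The zone name `example.com`, the key name `xfer-key`, the secondary address `192.0.2.53` and the base64 secret are constructed placeholders; generate a real secret with `tsig-keygen` and share it with the secondary.

```conf
// Constructed example BIND 9 named.conf fragment (not from the original message).
// Global default: refuse AXFR/IXFR from everyone. Zones must opt in.
options {
    allow-transfer { none; };
};

// TSIG key shared with the secondary. The secret below is a constructed
// placeholder; replace it with the output of `tsig-keygen xfer-key`.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWV4YW1wbGUtZG8tbm90LXVzZQ==";
};

// Per-zone override: only requests signed with xfer-key may transfer.
// Match on the key rather than on the address alone, because a source
// address is trivially spoofed in UDP-initiated IXFR/NOTIFY traffic and
// the key also authenticates the full TCP AXFR session.
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };
};
```

To verify the policy after a reload, an unsigned `dig @ns1.example.com example.com AXFR` should end with `; Transfer failed.`, while the same query signed with `dig -y hmac-sha256:xfer-key:<secret> ...` returns the zone. Note that this hardens nothing for a zone whose contents are published anyway, which is the point Shane makes about the root zone; it only stops bulk enumeration of zones you were otherwise keeping private.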