[bind10-dev] allow/deny xfr requests by default?

Dave Hart davehart at gmail.com
Thu Feb 9 12:54:09 UTC 2012


On Thu, Feb 9, 2012 at 11:51, Stephen Morris <stephen at isc.org> wrote:
> On 09/02/2012 11:16, Shane Kerr wrote:
>> Jinmei,
>>
>> On Wednesday, 2012-02-08 13:57:35 -0800, JINMEI Tatuya / 神明達哉
>> <jinmei at isc.org> wrote:
>>> Do people have an opinion about whether BIND 10 should allow/deny
>>> AXFR/IXFR requests by default?  Currently b10-xfrout allows xfr
>>> requests by default, just like BIND 9 does.
>
> I would say deny requests by default.
>
> We live in a security-conscious world, so I think that the general
> philosophy should be "anything that is not explicitly allowed is
> denied" rather than "anything that is not explicitly denied is allowed".

We live in a world of idiots who think they understand security but
have a lack of foresight.  Deny all, then allow only what's needed to
unbreak the items you care about, is a great recipe in firewalls, no?
I'm sure NIST would say so.  So would the credit card company
auditors.  In some cases, it may even be defensible (where the zone is
not in fact open to public querying, or where there is an active
firewall administrator paying attention to breakage and acting on it).
But it's also a great recipe for people writing new protocols to do
everything on top of HTTP and HTTPS, because those are the least
impeded by idiots with firewalls.  If you want an internet reduced to
HTTP(S), go for it.  I don't.

Cheers,
Dave Hart
