On 2008-11-17 14:25, Holger Honert wrote:
> Chris Thompson wrote:
>> On Nov 17 2008, Res wrote:
>>> Ack! allow-transfer should never be any
>> What, never? Why not?
> Security issue! You really want everyone to download your zone(s)?
I couldn't care less. If the security of my systems were the least bit
dependent on keeping DNS records secret, I would kinda suck as an admin,
wouldn't I?
Allowing any user to do zone transfers from my nameserver might put
unnecessary load on my nameservers. I could *almost* care about that, if
you paid me to. And for this reason only, I limit transfers to
legitimate slaves.
Since AXFR is TCP only, it can't be used for an amplification attack, so
that's not an issue.
It's much ado about nothing. This paranoia about DNS privacy is largely
responsible for the significant delay in implementing the long-overdue
DNSSEC extensions. Here's a suggestion: if you have secrets, don't
publish them in a publicly accessible database.
--
Jefferson Ogata : Internetworker, Antibozo
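For readers who want to see what "limit transfers to legitimate slaves" looks like in practice, here is a named.conf excerpt added as an illustration; it is not configuration from this thread or from ISC. The zone name, the secondary addresses (drawn from the documentation ranges), the key name and the secret are placeholders. It shows the permissive setting the thread argues about next to the restricted form, using BIND's standard address match list syntax so that a transfer is allowed only when the request comes from a listed secondary and is signed with the shared TSIG key.

```conf
// named.conf excerpt (constructed example; addresses, names and key are placeholders)

// Permissive setting: any host that can reach 53/TCP may pull the whole zone.
// options { allow-transfer { any; }; };

// Restricted setting: deny transfers globally, then re-enable them per zone
// for listed secondaries that also sign the AXFR request with a TSIG key.
acl "secondaries" {
    192.0.2.10;        // placeholder secondary (TEST-NET-1)
    2001:db8::10;      // placeholder secondary (documentation prefix)
};

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET==";   // generate with: tsig-keygen xfer-key
};

options {
    directory "/var/named";
    allow-transfer { none; };   // applies to every zone unless overridden below
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // Match lists stop at the first matching element; a negated match denies.
    // The nested list matches every address that is NOT a secondary, and the
    // outer "!" turns that into a deny, so only secondaries reach the key check.
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
    also-notify { 192.0.2.10; 2001:db8::10; };
};
```

The secondaries carry the same `key "xfer-key"` block and a matching `server` statement pointing at the primary so their AXFR and IXFR requests are signed; `named-checkconf` validates the syntax before a reload. Keeping `allow-transfer { none; }` in `options` means a zone added later without its own clause defaults closed rather than open.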
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users