to me this harkens back to one of my earliest hacks to BIND4, which was to add an access list for TCP. of course in 1988 or whenever this was, i didn't realize that AXFR wasn't the only use of TCP, so i quickly had to patch BIND4 differently (ACL on zone transfers). fun times.
the other thing i didn't realize at that time was the obvious need for an IETF BCP or FYI document saying that name servers should restrict zone transfers to "nobody" by default, and to provide an ACL to allow known good secondary servers to access them. had i written that RFC in 1988-ish, it might be common practice by now. (and that would have been a good time to say what RFC 5358 later said, too.)

when i say that the internet is, and has always been, too open for the good of its users, i don't mean i want censorship. rather, i want admission control and access control to be the default -- all communities gated.

vixie

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
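The posture the post argues for, in BIND 9 terms, as an added configuration example (not from the message above and not vendor-supplied text): zone transfers denied to everyone unless the zone explicitly lists its secondaries, and recursion (the RFC 5358 / BCP 140 point) limited to the operator's own clients. The ACL names, addresses and zone are placeholders chosen for the example.

```conf
// Placeholder address lists; replace with the real secondaries and client ranges.
acl "secondaries" { 192.0.2.53; 2001:db8::53; };
acl "our_clients" { localhost; localnets; 192.0.2.0/24; 2001:db8::/32; };

options {
    directory "/var/named";

    // Default-deny AXFR/IXFR for every zone; a zone must opt in below.
    allow-transfer { none; };

    // RFC 5358 (BCP 140): only serve recursive queries and cached answers
    // to the community this server exists for, not to the whole internet.
    recursion yes;
    allow-recursion   { our_clients; };
    allow-query-cache { our_clients; };

    // Authoritative answers remain open; that is what the server is for.
    allow-query { any; };
};

zone "example.com" {
    type primary;              // "type master" on BIND releases before 9.16
    file "example.com.zone";
    // The explicit, per-zone allow list the post describes.
    allow-transfer { secondaries; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};
```

To check the result from an address outside the ACLs, request a transfer directly: `dig @ns1.example.com example.com AXFR` should end with "Transfer failed." rather than the zone contents, and `dig @ns1.example.com www.google.com A` should come back with the RD bit honoured but `status: REFUSED` (or no recursion available, depending on version), while ordinary authoritative queries for example.com still answer. Matching secondaries by source address is the minimum; signing transfers with a TSIG key (`allow-transfer { key "xfer-key"; };`) closes the spoofing gap that address-only ACLs leave open for TCP-less attackers who can forge the source.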