From: Paul Vixie <p...@redbarn.org>

> to me this harkens back to one of my earliest hacks to BIND4, which was
> to add an access list for TCP. of course in 1988 or whenever this was, i
> didn't realize that AXFR wasn't the only use of TCP, so i quickly had to
> patch BIND4 differently (ACL on zone transfers). fun times.
>
> the other thing i didn't realize at that time was the obvious need for
> an IETF BCP or FYI document saying that name servers should restrict
> zone transfers to "nobody" by default, and to provide an ACL to allow
> known good secondary servers to access them. had i written that RFC in
> 1988-ish, it might be common practice by now. (and that would have been
> a good time to say what RFC 5358 later said, too.)
>
> when i say that the internet is, and has always been, too open for the
> good of its users, i don't mean i want censorship. rather, i want
> admission control and access control to be the default -- all
> communities gated.
Perhaps if BIND came with a very minimal named.conf that included basic but typical configurations like not allowing zone transfers, a zone for 127.0.0.0, etc., new admins could be guided into making some good initial choices.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
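The kind of minimal, deny-by-default named.conf the reply asks for, written out as an added example; it is not part of the thread and not a file shipped by ISC with BIND. The ACL names, the addresses (RFC 5737/RFC 3849 documentation prefixes), the key name, the zone names and the zone file names are all assumptions to be replaced, and the TSIG secret is a placeholder, not a real key. It covers both points raised above: zone transfers closed to everyone except named secondaries (and only when they sign the request), and recursion closed to the world as RFC 5358 asks.

```conf
// Minimal named.conf (added example; not from the thread or from ISC).
// Addresses are documentation prefixes; replace every one with your own.

// Known-good secondaries that may pull zone transfers.
acl "secondaries" { 192.0.2.53; 2001:db8::53; };

// Hosts allowed to use this server as a recursive resolver, if at all:
// loopback and one local network. Everyone else gets authoritative data only.
acl "trusted-clients" { 127.0.0.0/8; ::1; 192.0.2.0/24; };

// TSIG key shared with the secondaries. The secret below is a PLACEHOLDER;
// generate a real one with `tsig-keygen xfer-key` and keep this file
// readable only by named.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

options {
    directory "/var/named";

    // Deny by default. Every zone inherits these unless it overrides them,
    // so a zone added later without its own allow-transfer stays closed.
    allow-transfer { none; };
    allow-update   { none; };

    // Authoritative-only: answer anyone, recurse for nobody (RFC 5358).
    recursion no;
    allow-query { any; };
    // If this host must also recurse for the local network, use instead:
    //   recursion yes;
    //   allow-recursion   { trusted-clients; };
    //   allow-query-cache { trusted-clients; };

    // Don't advertise the software version in CH TXT version.bind.
    version none;
};

// Loopback forward and reverse zones, so lookups for localhost and
// 127.0.0.1 are answered here and never leak to the root servers.
// (BIND 9.4 and later also builds an empty 127.in-addr.arpa zone on its
// own; an explicit zone like this one takes precedence over it.)
zone "localhost" {
    type master;   // newer BIND also accepts "primary"
    file "localhost.zone";
};
zone "127.in-addr.arpa" {
    type master;
    file "127.in-addr.arpa.zone";
};

// A real zone: transfers only to the listed secondaries, and only when the
// request is signed with the shared key. The nested, negated list denies any
// source that is not in "secondaries"; a listed source then still has to
// match the key element to be allowed.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { !{ !secondaries; any; }; key "xfer-key"; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};
```

Check the file with `named-checkconf` before loading it, then verify the policy from the outside rather than trusting the comments: `dig @<server> example.com AXFR` from an address that is not a listed secondary should come back with a "Transfer failed." refusal, and `dig @<server> www.example.net A` from the same place should return REFUSED rather than a recursive answer. The per-zone `allow-transfer` is the only place transfers are opened, so the compiled-in default (historically `any`) never gets a chance to apply.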