In message <d152de14.add3%edward.le...@icann.org>, Edward Lewis writes:

> On 4/14/15, 14:47, "Marjorie" <marjo...@id3.net> wrote:
>
> >The bottom line is that unrestricted AXFR is generally evil,
>
> I'd go with "generally unwise". There are folks that believe it is fine
> to allow access to their zones and I have no reason to say they are
> foolish. Folks who are not concerned with the minutia of operating their
> DNS server most likely would not want to allow the access and the tools
> they use should meet their likely expectations.
For in-addr.arpa and ip6.arpa zones it is pointless to prevent zone
transfers if you can query the zones. There is too much structure to the
zones to prevent them being walked.

If you have in-addr.arpa and ip6.arpa zones it is mostly pointless to block
access to the corresponding forward zones as the in-addr.arpa and ip6.arpa
zones give away all the names.

With split horizon, you can usually guess the contents of the public zones
anyway.

Blocking axfr doesn't prevent tcp sockets being used.

Basically all blocking axfr does is give you a false sense of security for
typical zones.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
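As an added example (not from this thread or from ISC), here is what the "restricted" AXFR that the discussion contrasts with an open one looks like in BIND 9 named.conf syntax: transfers denied by default and allowed per zone only to a TSIG-signed secondary. The key name, secret, addresses, file paths and zone names are placeholders. As Mark's reply notes, this limits who can pull a zone in one request; it does not make the contents of a reverse zone secret, since its PTR names are predictable.

```conf
// Added example (not from this thread): restricting AXFR in BIND 9.
// Key name, secret, addresses, paths and zone names are placeholders.

// Deny transfers globally; individual zones opt in below.
options {
    allow-transfer { none; };
};

// TSIG key shared with the authorised secondary. Generate the secret
// (e.g. with tsig-keygen) and copy the same stanza to the secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Only clients that sign the request with xfer-key may transfer this zone.
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; };
};

// Reverse zone: same control, but the owner names in a /24 are all
// predictable, so this limits bulk transfer, not discovery of the names.
zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.0.2";
    allow-transfer { key "xfer-key"; };
};
```

Check the result with `named-checkconf` and, from the secondary, a TSIG-signed `dig -k <keyfile> @primary example.com AXFR`; an unsigned AXFR should be refused.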