[dns-operations] axfr to stop spoofing

Peter Dambier peter at peter-dambier.de
Wed Mar 22 08:27:29 UTC 2006

AXFR uses tcp. You have to build a connection or nothing will be sent.

Publishing the same data using http and ftp is a good idea.


is a good idea. You downlod the root-zone and never need to
bother the root-servers again. Update at least once a month.

tcp is more stress on your nameserver than udp is.
But on the other hand one legal tcp is less stress than twemty
illegal udp ttackers.

Why was axfr broken in the first place?
Because your servers are clandestine?
Then stop publishing them. DNS is not for you - use /etc/hosts

The only people profitting from clandestine entries in zone-files
are spammers and phishers.

Ok, this solves only part of the puzzle but it could take stress
away from the rest. Nobody needs to fear the sky is falling down
when the root-servers hickup.

AXFRed data could no longer be spoofed. It makes sense to
exchange zone-files with your friends.

Peter and Karin

Peter and Karin Dambier
The Public-Root Consortium
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
mail: peter at echnaton.serveftp.com

More information about the dns-operations mailing list