[dns-operations] axfr to stop spoofing

David Ulevitch davidu at everydns.net
Wed Mar 22 18:32:52 UTC 2006

On Mar 22, 2006, at 12:27 AM, Peter Dambier wrote:

> AXFR uses tcp. You have to build a connection or nothing will be sent.

Well done.

> Publishing the same data using http and ftp is a good idea.

Not many people open up data publicly w/ AXFR

> ftp://ftp.rs.internic.net/domain/
> is a good idea. You downlod the root-zone and never need to
> bother the root-servers again. Update at least once a month.

You just contradicted yourself.

> Why was axfr broken in the first place?

What about it is broken?

> Because your servers are clandestine?
> Then stop publishing them. DNS is not for you - use /etc/hosts
> The only people profitting from clandestine entries in zone-files
> are spammers and phishers.

Hyperbole.  And false, at that.

> Ok, this solves only part of the puzzle but it could take stress
> away from the rest. Nobody needs to fear the sky is falling down
> when the root-servers hickup.

When was the last time that happened?  What happened as a result?

> AXFRed data could no longer be spoofed. It makes sense to
> exchange zone-files with your friends.

Too easy to make a joke, so I won't.


More information about the dns-operations mailing list