[dns-operations] axfr to stop spoofing
David Ulevitch
davidu at everydns.net
Wed Mar 22 18:32:52 UTC 2006
On Mar 22, 2006, at 12:27 AM, Peter Dambier wrote:
> AXFR uses tcp. You have to build a connection or nothing will be sent.
Well done.
>
> Publishing the same data using http and ftp is a good idea.
Not many people open up data publicly w/ AXFR
>
> ftp://ftp.rs.internic.net/domain/
> is a good idea. You download the root-zone and never need to
> bother the root-servers again. Update at least once a month.
You just contradicted yourself.
> Why was axfr broken in the first place?
What about it is broken?
> Because your servers are clandestine?
> Then stop publishing them. DNS is not for you - use /etc/hosts
>
> The only people profiting from clandestine entries in zone-files
> are spammers and phishers.
Hyperbole. And false, at that.
> Ok, this solves only part of the puzzle but it could take stress
> away from the rest. Nobody needs to fear the sky is falling down
> when the root-servers hiccup.
When was the last time that happened? What happened as a result?
> AXFRed data could no longer be spoofed. It makes sense to
> exchange zone-files with your friends.
Too easy to make a joke, so I won't.
-david
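Added example, not part of the thread or of any poster's code: a small stdlib-only Python checker that shows the properties the quoted text relies on when it says AXFR data is hard to spoof. Over TCP a transfer only happens after a connection is built, every message is framed with a 2-byte length prefix, the transaction ID of each reply must match the query, and a well-formed transfer is bracketed by the zone's SOA record. The zone data, names, serial and transaction IDs below are constructed for the demonstration and are not real root-zone contents.

```python
import struct

SOA, NS, AXFR, IN = 6, 2, 252, 1  # RR types, QTYPE and class from RFC 1035


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, then a 0 byte."""
    if name in ("", "."):
        return b"\x00"
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_axfr_query(zone, txid):
    """AXFR query for `zone`, prefixed with the 2-byte length DNS over TCP requires."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    question = encode_name(zone) + struct.pack("!HH", AXFR, IN)
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(stream):
    """Cut a TCP byte stream into DNS messages using the length prefixes; truncation is an error."""
    msgs, pos = [], 0
    while pos < len(stream):
        if pos + 2 > len(stream):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from("!H", stream, pos)
        pos += 2
        if pos + n > len(stream):
            raise ValueError("truncated message")
        msgs.append(stream[pos:pos + n])
        pos += n
    return msgs


def skip_name(buf, pos):
    """Return the offset just past a wire-format name (a compression pointer ends it)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + length


def parse_rr_types(msg):
    """Return (txid, flags, [RR types in the answer section]) for one DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    types = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10 + rdlen
        types.append(rtype)
    return txid, flags, types


def verify_axfr(query, stream):
    """Check that a TCP stream is a sane reply to `query`: matching ID, QR set, RCODE 0, SOA-bracketed."""
    qid = struct.unpack_from("!H", query, 2)[0]  # skip the length prefix
    types = []
    for msg in split_tcp_stream(stream):
        txid, flags, rr_types = parse_rr_types(msg)
        if txid != qid:
            return {"ok": False, "rr_count": len(types), "reason": "transaction ID mismatch"}
        if not flags & 0x8000:
            return {"ok": False, "rr_count": len(types), "reason": "not a response"}
        if flags & 0x000F:
            return {"ok": False, "rr_count": len(types), "reason": "rcode %d" % (flags & 0xF)}
        types.extend(rr_types)
    complete = len(types) >= 2 and types[0] == SOA and types[-1] == SOA
    return {"ok": complete, "rr_count": len(types),
            "reason": None if complete else "transfer not bracketed by SOA"}


# Constructed sample data (hypothetical names and serial, not real zone contents).
def _rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def _message(txid, rrs, with_question):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1 if with_question else 0, len(rrs), 0, 0)
    body = (encode_name(".") + struct.pack("!HH", AXFR, IN)) if with_question else b""
    msg = header + body + b"".join(rrs)
    return struct.pack("!H", len(msg)) + msg


_SOA_RDATA = (encode_name("ns.example.test.") + encode_name("hostmaster.example.test.")
              + struct.pack("!IIIII", 2006032200, 1800, 900, 604800, 86400))
_NS_RDATA = encode_name("ns.example.test.")

QUERY = build_axfr_query(".", 0x1234)
# A transfer split across two TCP messages: SOA, NS ... SOA.
SAMPLE_STREAM = (_message(0x1234, [_rr(".", SOA, _SOA_RDATA), _rr(".", NS, _NS_RDATA)], True)
                 + _message(0x1234, [_rr(".", SOA, _SOA_RDATA)], False))
# Same payload, but carrying a transaction ID we never sent.
SPOOFED_STREAM = SAMPLE_STREAM.replace(struct.pack("!H", 0x1234), struct.pack("!H", 0x9999))

if __name__ == "__main__":
    print(verify_axfr(QUERY, SAMPLE_STREAM))
    print(verify_axfr(QUERY, SPOOFED_STREAM))
```

The checker deliberately treats a reply with the wrong transaction ID, a missing QR bit, a non-zero RCODE, or a transfer that does not start and end with the SOA as a failed transfer rather than trying to salvage partial data; a stream cut off mid-message raises instead of being silently accepted.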