[dns-operations] DNS zone transfers are now illegal in North Dakota?

Paul Vixie paul at vix.com
Thu Jan 17 19:28:33 UTC 2008

> On the contrary, I think you'd be a bad expert witness for Ritz. I
> think I understood your position to be that the spammer left his keys
> on the seat and Ritz stepped in and drove the car around. I say he
> took a photograph of the illegal activities through the open door. He
> never opened the door, and he never went inside. He never disrupted or
> touched anything. And he used a camera and film that was approved for
> use by the "standards body".

all analogies are bad, but it's the bread and butter of getting nontechnical
judges to understand technical issues.  and the car analogy was in support of
the spammer's point of view not david's.

> You have axfr enabled for the f-root. axfr is not necessary for normal
> Internet access. Do I violate your privacy every time I do a transfer from
> your server?

f-root makes a bad example simply because the zone operator and the server
operator are different entities.  i would call vix.com a better example, it
is also open for axfr.  i could close it if i cared to, but i don't seem to
care.  this judge seems to think that i would have standing, post facto, to
seek damages if someone axfr's my open zone.  personally, i find this bizarre,
but professionally, i compare it to some of the open relay arguments.

some have argued that if i don't lock down tcp/25 and if my smtp agent relays
by default for any party, that it's an open invitation to anyone who wants to
relay for me.  (this was the prevalent attitude in 1988 or so when i first
began shouting about sendmail's defaults.)  others have said, just because you
can do a thing, does not mean that you are invited to do a thing, and using
someone else's relay is either theft by conversion, bad manners, etc.  (that's
been my view on that topic.)

if the spammer wants to say, just because i leave tcp/53 open and do not put
an ACL on my AXFR function, doesn't constitute an invitation to all comers to
come look at my zone, which is a transaction that isn't required by any normal
operations, then they can look at my own longstanding arguments against those
who use other people's open relays, and simply revamp the nouns.

to make it really interesting, consider that open relays and open recursive
nameservers are now universally considered public nuisances.  granted that the
basis for that nuisance value is the damage that can be done to others using
these as amplifiers or anonymizers, it remains that nobody any more tries to
defend the "just because i leave it open doesn't constitute an invitation"
argument.  what have we become and what are we becoming?

if there's case law that says, using someone's computer without their
permission is bad, and it's sloppy case law that doesn't distinguish between
infecting that computer with malware, or using its web browser's javascript
engine as a click fraud amplifier, or using some proxy or relay that was
installed as a sloppy side effect of nonmalicious software, or transferring
a zone, then the judge is not the one at fault here, and is not an idiot.

More information about the dns-operations mailing list
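As an added illustration of the "ACL on my AXFR function" point in the post above (this configuration is not from the original message or from vix.com; the zone name example.com, the address 203.0.113.53 and the key name and secret are placeholders I have assumed), here is what the open and the restricted cases look like in a BIND 9 named.conf:

```conf
// Added example, not part of the original post. Zone, address, key name
// and key secret are hypothetical placeholders.

// Case 1: the "open zone" the post describes. No allow-transfer clause,
// so the server default applies; in BIND 9 of that era the default was
// allow-transfer { any; }, and anyone who can reach tcp/53 can AXFR it.
zone "example.com" {
    type master;                 // "primary" in newer BIND releases
    file "zones/example.com.db";
};

// Case 2: the same zone with an ACL on the AXFR function.

// Shared secret for TSIG-signed transfer requests. Generate a real one
// with tsig-keygen; this base64 value is a dummy for the example only.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1mb3ItZXhhbXBsZS1vbmx5";
};

options {
    // Server-wide default: refuse zone transfers unless a zone
    // statement explicitly overrides it.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "zones/example.com.db";
    // Only transfer requests signed with xfer-key are honoured; the
    // secondary at 203.0.113.53 is configured with the same key.
    allow-transfer { key xfer-key; };
    also-notify { 203.0.113.53; };
};
```

To check which case a server is in, run `dig @ns1.example.com example.com AXFR` from a host that is not the secondary: an open zone returns every record, a restricted one returns "Transfer failed." and the server logs the denied transfer. Note that this check is exactly the transaction the post says "isn't required by any normal operations", so run it only against zones you operate or have permission to test.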