[dns-operations] DNS zone transfers are now illegal in North Dakota?
Mark Andrews
Mark_Andrews at isc.org
Thu Jan 17 23:33:37 UTC 2008
> For some reason I'm preoccupied with this message and topic. I agree
> with what Paul wrote but in the essence of trying to rip out the
> emotion over spam, I replaced the personally identifying references
> to see how this reads.
>
> >negative: since zone transfer is not necessary for normal internet access
> >to the mr. jones' servers, there is no reason for mr. smith to fetch the zone
> >other than to violate mr. jones' privacy. this is no different from port
> >knocking. by analogy, just because i leave my car unlocked and my keys on
> >the seat doesn't mean i invite unknown third parties to drive my car around.
>
> [1]
>
> >positive: since every name server implementation published since 1989 has
> >had the means to restrict zone transfer to authorized parties, and since mr.
> >jones did not avail himself of this feature, mr. smith could reasonably
> >assume that mr jones was willing to participate in internet research and
> >surveys that use zone transfers to gather data.
positive: zone transfers are used regularly for diagnostic purposes both by
the administrators of the zone and by remote administrators attempting to
diagnose operational problems both with the DNS and any services that use
the DNS.
[I know I've done that to diagnose problems that were not reported by the
owner of the zone.]
positive: zone transfers are used to make rlogin from sites within the
remote namespace secure by removing the ability to inject forged DNS/UDP
replies.
[Definitely done that in the past to allow rlogin to continue to be used.]
positive: zone transfers are used to reduce caching server load. this
is particularly true for the root zone.
[Done this as well.]
positive: zone transfers are used to answer questions that won't fit in
a standard TCP response.
[I've had to do that in the past as well. DNS needs the MORE bit. AXFR
was the prime example of why we needed the MORE bit.]
> Hearing that, I'd side with the negative unless it was proven that
> mr. smith was participating in internet research and survey activity,
> as opposed to, say, investigation.
>
> Where I fail as a lawyer is that I might argue with "reasonably
> assume." I don't know how to interpret/evaluate that in a court of
> law.
>
> I'm not an advocate of spam activity. But I also am against posse
> and mob justice. We don't need any Dirty Harry's, whether or not
> they are right. (see http://en.wikipedia.org/wiki/Dirty_Harry)
>
> [1] unless it's like this:
> http://en.wikipedia.org/wiki/The_Smelly_Car. Watch the ending of the
> episode.
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis +1-571-434-5468
> NeuStar
>
> Think glocally. Act confused.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
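The "positive" quoted above rests on the claim that every name server has long had a way to restrict zone transfers to authorised parties, and Mark's first positive is that AXFR is a diagnostic tool. The following BIND 9 named.conf fragment is an added example (not from either message in this thread, nor from ISC documentation) showing the open setting the thread argues about beside the locked-down one. The zone name, the secondary's address 192.0.2.53, the key name xfer-key and the secret are placeholders chosen for illustration.

```conf
// Added example, not part of the thread: restricting AXFR in BIND 9.
// Zone, addresses, key name and secret are placeholders.

// The open configuration the "negative" argument is about: anyone who can
// reach port 53/TCP may pull the whole zone. On BIND releases of the era of
// this thread this is also what you got with no allow-transfer statement.
//
// zone "example.com" {
//     type master;
//     file "db.example.com";
//     allow-transfer { any; };
// };

// TSIG key shared with the authorised secondary. Generate the secret with
// tsig-keygen; the value below is a placeholder, not a real key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_VALUE==";
};

options {
    // Deny transfers globally and grant them per zone instead, so a zone
    // added without its own allow-transfer is closed rather than open.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "db.example.com";
    // Require BOTH the secondary's address AND a request signed with the
    // key. The nested negated list rejects every source that is not
    // 192.0.2.53; what is left must still match "key xfer-key".
    allow-transfer { !{ !192.0.2.53; any; }; key xfer-key; };
    also-notify { 192.0.2.53; };
};
```

To check the result, the same diagnostic command Mark's first positive refers to does the job: from an unrelated host, `dig @ns1.example.com example.com AXFR` should now come back with status REFUSED and "Transfer failed." instead of the zone contents; from the secondary, `dig -y hmac-sha256:xfer-key:<secret> @ns1.example.com example.com AXFR` should still return the full zone, bracketed by the SOA record at the start and end. A refused transfer is the expected outcome for an unknown third party, which is exactly the point of contention in the thread.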