[dns-operations] DNS zone transfers are now illegal in North Dakota?

Paul Vixie paul at vix.com
Fri Jan 18 04:26:22 UTC 2008

> 	not a lawyer and don't play one on the net. 

i am not a lawyer and i don't play one on the net but i have been sued by
experts who had more money than god, and i'm telling you, judges don't have
to be idiots in order to misunderstand technical details or choose the wrong
precedents when issuing decisions.  i'll explain, working from this prompt:

> 	but i'd really like to hear a credible answer for the
> 	apparent assertion that zone data is private.

the regression point for this challenge is, "is AXFR 'publication'".  if it's
not, then zone data is "private" until its owner chooses to expose it through
use (like in an e-mail From: header or a www HREF anchor).  if it is, then
zone data is "not private" unless AXFR is turned off or ACL'd.  but, harken

if zone data's "private" status is based on AXFR being ACL'd, then is it the
fact of that ACL, or the intent to put one, that makes the zone private?  if
the ACL disappears for one hour through operator error and is then restored,
and the intent throughout was that the data be private, and someone fetches it
during that hour, have they violated anyone's privacy?  (be careful how you
answer, since there's no privacy signal in this case, we used it up by calling
it an ACL, and then said it could be off by error.)

moreover, AXFR is a pull technology with no publication solicitation signal.
compare this to HTTP which is (usually) pull technology but has a publication
solicitation signal -- someone followed a URL that caused them to pull data
from your server.  even if the URL they followed is owned by a different
party than the HTTP server, publication was solicited (by a third party).  in
the case of AXFR there is no publication solicitation signal, and the courts
could decide that AXFR therefore does not constitute "publication."

then there are the open relay principles i described this morning -- just
because you can do a thing (a relay is open) doesn't mean you should do a
thing (relay your spam through it).  openness is not carte blanche for all use
or any access.  especially since the blame has shifted, and culturally
speaking we blame the relay owner for spam when a relay is left open, even
though the act of trespass or conversion is by the spammer not the relay
owner.  opposing counsel in an AXFR case can have a field day with that one!

some judges might respond to a well articulated comparison to FBI dumpster
diving.  others might resonate to a comparison to paparazzi in helicopters,
and a case could turn on whether a spammer is a public figure or not.  and
just because there's no wasted paper or toner, don't be shocked if someone
convinces a judge that this is like fax-spam, and just because my fax machine
answered doesn't mean it's ok to send me unsolicited ads.

in marka's case, AXFR is often used by third parties for problem diagnosis,
and it's possible that a spammer's attorney will some day argue that that's
why their client left their AXFR open, to help people like marka, because
the client believes in helping their neighbor diagnose problems, and because
they expect that people like marka will respect their privacy.  you have no
fscking idea how sane that idea can be made to sound by a member of the bar,
and the judge, who knows the law but not the technology and has a hundred
more cases to hear before the end of the week, has to just reach a conclusion
and move on.

More information about the dns-operations mailing list