[dns-operations] DNS zone transfers are now illegal in North Dakota?

Simon Waters simonw at zynet.net
Fri Jan 18 12:47:00 UTC 2008


On Friday 18 January 2008 04:26, Paul Vixie wrote:
> 
> the regression point for this challenge is, "is AXFR 'publication'".  if
> it's not, then zone data is "private" until its owner chooses to expose it
> through use (like in an e-mail From: header or a www HREF anchor).  if it
> is, then zone data is "not private" unless AXFR is turned off or ACL'd. 
> but, harken onward.

I think there is little doubt DNS data is public if the DNS server is exposed 
and advertised as such on the public Internet (avoids analogy to HTTP); they 
must reasonably expect people to issue DNS queries to it (including AXFR). 
Not as if we are talking obscure commands here, or subverting some sort of 
security system, this is all documented in the RFCs from back in 1987, there 
aren't exactly a lot of query types for a DNS administrator to learn. There 
is no reasonable expectation of privacy.

(I'm tempted with analogy but I will avoid it).

So the question is does the method of accessing that data affect if it is 
public, and I think the answer has to be no.

If instead of an AXFR query, he had done reverse DNS queries for every IP 
address in turn that is registered to the company, that would have been fine?

Personally I'd find the latter approach far more sinister than an AXFR request, 
since one is a simple function of common tools, the other suggests malicious 
intent, or at least more than the usual toolset shipped with every OS. If you 
don't want AXFR (personally I don't care if people know how we name our 
servers - currently we are working through Prime Ministers of England) you 
can restrict it. But the judge seems to be claiming that the latter would be 
fine, but the former is "unexpected" in some way.

Whilst you assume the DNS has machinable data only then it might seem an 
obscure service, but the DNS can have human readable data {RP, TXT} which is 
intended precisely to assist people in tracking down problems such as those 
caused by the sending of unsolicited email. As such trying AXFR is a 
reasonable approach to trying to find such data relating to a domain, 
although many folk do choose to block such requests.
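The restriction mentioned above, as an added BIND named.conf example that is not part of the original post: the first zone has no allow-transfer statement and so inherits whatever the server's default is, which on older BIND releases meant anyone could AXFR it; the second limits transfers to named secondaries and a TSIG key. The IP addresses, key name and zone names are placeholders.

```conf
// Weak: no allow-transfer at zone or options level, so the zone
// inherits the server default (permissive on older BIND releases).
zone "weak.example" {
    type master;          // "primary" in newer BIND releases
    file "/var/named/weak.example.zone";
};

// Hardened: deny transfers globally, then allow only the real
// secondaries, and only when the request is signed with the TSIG key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, generate with tsig-keygen
};

acl "secondaries" {
    192.0.2.10;           // placeholder secondary
    192.0.2.11;           // placeholder secondary
};

options {
    allow-transfer { none; };             // default-deny for every zone
};

zone "example.com" {
    type master;
    file "/var/named/example.com.zone";
    allow-transfer { key xfer-key; };     // TSIG-signed requests only
    also-notify { 192.0.2.10; 192.0.2.11; };
};
```

Verify from a host outside the secondaries ACL with `dig @your.server example.com AXFR`; the server should answer with a transfer refusal rather than the zone contents.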
