[dns-operations] DNS zone transfers are now illegal in North Dakota?

Mark Andrews Mark_Andrews at isc.org
Fri Jan 18 20:12:36 UTC 2008


> At 3:33 +0000 1/18/08, bmanning at vacation.karoshi.com wrote:
> 
> >	but i'd really like to hear a credible answer for the
> >	apparent assertion that zone data is private.
> 
> In the sense of a credible answer and not the ultimate show stopper:
> 
> If I have this right - in the US, the Federal Communications 
> Commission has a provision for unlisted telephone numbers.  Telephone 
> companies are looking to make use of DNS.  Although you can dial an 
> unlisted number, it isn't to be discoverable.  In this situation, the 
> zone data is to remain private even though it is in DNS.

	In that case the data isn't added into the compilation of
	data that is made public.  Telcos do provide telephone books
	in both paper and machine readable forms.

	If you don't want the collection to be disclosed to the public
	you secure it.

	Google for "BIND HOWTO".  The first entry has "Basic Security"
	which shows how to do it.

	http://www.langfeldt.net/DNS-HOWTO/BIND-9/DNS-HOWTO-6.html

	I'd like to know if the servers still allow AXFR.
 
> I know that in the prehistoric Intel 80286 age we felt that zone 
> transfers were free and open.  Just because we said so then doesn't 
> make it so today.  Requirements change.

	And the software met those requirements by providing controls
	to the operator which allow them to set policy.  Almost all
	examples of how to configure a nameserver on the net talk about
	access control.

	Another place where AXFR is expected, though not necessarily
	to all the public but definitely to an ISP's own customers, is
	in supporting RFC 2317 style delegations.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
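The kind of operator-side AXFR policy the message refers to, written out as an added example (not configuration from the HOWTO linked above or from ISC): BIND's historically open transfer setting beside a restricted one, plus the RFC 2317 sub-zone case. Zone names, addresses, the ACL name and the TSIG key are placeholders.

```conf
// Constructed named.conf fragment; all names, addresses and the key
// are placeholders, not values from the mailing-list thread.
options {
    directory "/var/named";
    // Weak: older defaults allowed AXFR from any address, so the whole
    // zone could be pulled by anyone. Shown commented out for contrast.
    // allow-transfer { any; };
    // Restricted: deny transfers globally, then grant per zone below.
    allow-transfer { none; };
};

// TSIG key shared with the secondary (generate with tsig-keygen; the
// secondary names it in a "server" statement so its AXFR requests are
// signed). The secret below is a placeholder.
key "secondary-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

acl "our-secondaries" { 192.0.2.53; 2001:db8::53; };

zone "example.net" {
    type master;      // "primary" is the newer synonym
    file "example.net.zone";
    // Address AND key: the nested negated ACL rejects anything that is
    // not one of our secondaries; what remains must also present the key.
    allow-transfer { !{ !our-secondaries; any; }; key secondary-xfer; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};

// RFC 2317 classless delegation: the ISP's 2.0.192.in-addr.arpa zone
// CNAMEs each PTR name into this /26 sub-zone. In this arrangement the
// ISP is master for the sub-zone and the customer's nameserver slaves
// it, so that one customer address is the only one allowed to AXFR.
zone "0/26.2.0.192.in-addr.arpa" {
    type master;
    file "0-26.2.0.192.in-addr.arpa.zone";
    allow-transfer { 192.0.2.1; };   // customer's nameserver (placeholder)
};
```

Whether the policy took effect can be confirmed from a host outside the ACL: `dig @ns.example.net example.net AXFR` should return a "Transfer failed" status rather than zone contents.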
