[dns-operations] DNS zone transfers are now illegal in North Dakota?

Paul Vixie paul at vix.com
Fri Jan 18 21:48:36 UTC 2008


> > the regression point for this challenge is, "is AXFR 'publication'".  ...
> 
> I think there is little doubt DNS data is public if the DNS server is
> exposed and advertised as such on the public Internet (avoids analogy to
> HTTP),

public may look like the root word of publication but the legal theory may
not be similar.  "public data" does not necessarily mean "available to the
public", it could mean "has been published", where published may be limited
to push/broadcast or to pull/solicitation.  so you haven't avoided the analogy
to HTTP here if HTTP's pull/solicitation model is only "publication" because
of the solicitation (like an HREF existing somewhere).  but you may have got
some traction toward a different regression point, which is, does an SOA RR
function as an implied solicitation for AXFR in the way an HREF does for HTTP?
the arguments against this are strong, since an HTTP server is not useful
unless solicitations such as external HREFs exist and are followed, whereas
a DNS server can be quite useful if no one but the zone's owner ever AXFR's.

> they must reasonably expect people to issue DNS queries to it
> (including AXFR).

in the case reported at the top of this thread, it was argued successfully to
a judge that since AXFR is not necessary except for zone maintenance, and
david ritz was not under contract to provide zone maintenance such as
secondary DNS, that the spammer could reasonably assume that AXFR would not
be performed.  i'm not buying it, mind you.  i'm saying, a judge bought it.

> ... There is no reasonable expectation of privacy.

while that is also my own personal position -- if you want something to be
private, don't put it into DNS -- this principle isn't as obvious in light of
the open relay wars or the warrantless wiretap scandal.  a judge need not be
an idiot to believe that unadvertised/unused names in the spammer's zone would
not have been exposed through any normal internet activity, and that only by
using a maintenance command whose documented intent is zone maintenance was
david ritz able to see all names, and david ritz is not a zone maintainer or
server operator, and so, the spammer's expectation of privacy is reasonable.

again i remind you all-- i'm not buying it, i'm telling you how judges think.

> So the question is does the method of accessing that data affect if it is 
> public, and I think the answer has to be no.
> 
> If instead of an AXFR query, he had done reverse DNS queries for every IP
> address in turn that is registered to the company, that would have been
> fine?

i hope so, since that's what ISC's Domain Survey does, and it's what a lot of
other folks do.  but assuming this kind of survey isn't found to violate
privacy, it still won't find subdomains, MX RRs, and other things that this
spammer seems to be upset about.  nor will it find all A RRs, since not all
A/PTR relationships are as symmetrical as i think they ought to be.

> Whilst you assume the DNS has machinable data only then it might seem an
> obscure service, but the DNS can have human readable data {RP, TXT} which is
> intended precisely to assist people in tracking down problems such as those
> caused by the sending of unsolicited email. As such trying AXFR is a
> reasonable approach to trying to find such data relating to a domain,
> although many folk do choose to block such requests.

if you want this argument to work, then, i suggest that a half dozen or so
abuse-reporting tools start doing AXFR and get put into common use.  after
enough time has elapsed so that every spammer who wants his data hidden has
closed down AXFR for his zones, then and only then could i imagine a judge
saying that if a particular spammer does not do so, it's his own fault.
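[Added example, not part of the thread above.] The last two exchanges turn on whether a zone operator has actually closed down AXFR "for his zones". For an operator who wants to know where they stand before anyone else asks, the script below audits a BIND-style named.conf fragment and lists the zones that would answer AXFR to any client. It parses only a small subset of named.conf (options and zone blocks with allow-transfer statements), the sample configuration is constructed for the example, and it assumes BIND's historical default of allow-transfer { any; } when neither the zone nor the options block restricts transfers.

```python
"""Audit a BIND-style named.conf fragment for zones with unrestricted AXFR.

Added example, not code from the dns-operations thread.  Handles a minimal
subset of named.conf syntax: an options block and zone blocks, each of which
may carry an allow-transfer statement.  Assumes (as BIND 9 has historically
done) that a zone with no allow-transfer of its own inherits the options
setting, and that the built-in default is { any; }.
"""
import re

# Constructed sample config: one zone explicitly open to any client, one
# restricted to two secondaries, and one that silently inherits the default.
SAMPLE_CONF = """
options {
    directory "/var/named";
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { any; };
};

zone "example.org" {
    type master;
    file "example.org.zone";
    allow-transfer { 192.0.2.53; 2001:db8::53; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
"""

# A block is "options { ... };" or 'zone "name" { ... };' closed at column 0.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
ALLOW_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def parse_allow_transfer(body):
    """Return the ACL entries of an allow-transfer statement, or None if absent."""
    m = ALLOW_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(';') if e.strip()]


def parse_conf(text):
    """Return (options_acl, {zone_name: acl}); each acl is a list or None."""
    options_acl = None
    zones = {}
    for m in BLOCK_RE.finditer(text):
        kind, name, body = m.group(1), m.group(2), m.group(3)
        acl = parse_allow_transfer(body)
        if kind == "options":
            options_acl = acl
        else:
            zones[name] = acl
    return options_acl, zones


def open_transfer_zones(text, default_acl=("any",)):
    """Map each zone that would serve AXFR to anyone to its effective ACL.

    Resolution order mirrors BIND: zone statement, then options statement,
    then the assumed built-in default passed as default_acl.
    """
    options_acl, zones = parse_conf(text)
    result = {}
    for name, acl in zones.items():
        effective = acl if acl is not None else options_acl
        if effective is None:
            effective = list(default_acl)
        if "any" in effective:
            result[name] = effective
    return result


def report(text):
    """Human-readable lines, one per zone that is open to AXFR from anyone."""
    return ["%s: allow-transfer { %s; }" % (z, "; ".join(acl))
            for z, acl in sorted(open_transfer_zones(text).items())]


if __name__ == "__main__":
    for line in report(SAMPLE_CONF):
        print(line)
```

The zone that has no allow-transfer at all is the one most operators miss: it looks harmless in the file, but with no restriction in options it is just as open as the zone that says { any; } out loud. Fixing it means either adding an allow-transfer to the zone or putting a restrictive default in the options block.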


