[dns-operations] AXFR "policy"

SM sm at resistor.net
Fri Mar 25 16:28:56 UTC 2011


At 02:07 25-03-2011, Jim Reid wrote:
>On 24 Mar 2011, at 22:48, Simon Munton wrote:
>
>>As a matter of interest, why do you make it available for public
>>AXFR on all name servers if you don't want people to use it?
>
>Just because a zone happens to be available for AXFR does not mean
>it's acceptable to take a copy, load into other name servers and then

As the discussion seems to be getting into AXFR "policy", one of the
paragraphs from File No. 09-05-C-01660, District Court, County of
Cass, North Dakota provides one view of the non-operational aspect:

  "The intended purpose of a zone transfer is primarily one of redundancy.
   Zone transfers are the means by which a primary authoritative domain
   name server copies the domain structure to a secondary domain name
   server for the purpose of redundancy.  Generally, both of the servers
   pertain to the same domain.  In all intended use of a zone transfer, the
   secondary server is operated by the same party that operates the primary
   server.  A secondary intended purpose for the zone transfers is to permit
   trouble shooting in which case zone transfers may sometimes be undertaken
   via the manually conducted host-l command.  In those instances, however,
   the person conducting the diagnosis acts with the authorization of the
   operator of the system and is usually the network administrator of the
   system."

The question of AXFR access to a zone is also discussed in RFC 5936.

It would be better to ask the zone administrator if you would like to
know why public AXFR is available for the zone.  If you want to use
the information, it would be easier for all the parties involved if
the question included an "is it acceptable for me to use it for X".

Regards,
-sm 
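The court paragraph quoted above describes the intended shape of a transfer relationship: a primary hands the zone to secondaries run by the same operator. The configuration-side counterpart is an `allow-transfer` policy that names only those secondaries. The following is an added example, not code from the original post or from any name server project: a small audit routine, written against BIND-style `named.conf` syntax, that reports which zones would hand out a copy to anyone. The sample configuration, the zone names, the key name and the address are constructed placeholders; the parser is deliberately simplified (top-level `options` and `zone` blocks only, no `include` handling, no views).

```python
"""Audit a BIND-style named.conf for zones that permit public AXFR.

Added example (not the post's or BIND's own code).  Config syntax follows
named.conf conventions; all names, addresses and the key are placeholders.
"""
import re

# Constructed sample config: one open zone, one restricted to a named
# secondary plus a TSIG key, and one that inherits the global policy.
SAMPLE_CONF = """
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER=="; };

options {
    directory "/var/named";
    allow-transfer { none; };          // global default: nobody
};

zone "example.test" {
    type primary;
    file "example.test.zone";
    allow-transfer { any; };          // weak: the whole world may pull the zone
};

zone "restricted.test" {
    type primary;
    file "restricted.test.zone";
    allow-transfer { key xfer-key; 192.0.2.53; };   // secondary only
};

zone "inherits.test" {
    type primary;
    file "inherits.test.zone";
};
"""

_COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def _strip_comments(text):
    """Remove //, # and /* */ comments so they cannot hide or fake directives."""
    return _COMMENT_RE.sub("", text)


def _blocks(text, keyword):
    """Yield (label, body) for each `keyword "label" { body };` found in text."""
    pattern = re.compile(r'\b%s\b\s*(?:"([^"]*)")?\s*\{' % keyword)
    for m in pattern.finditer(text):
        depth, i = 1, m.end()
        while depth and i < len(text):        # brace-aware scan to the matching }
            depth += text[i] == "{"
            depth -= text[i] == "}"
            i += 1
        yield m.group(1), text[m.end():i - 1]


def _transfer_acl(body):
    """Return the allow-transfer ACL entries of a block body, or None if unset."""
    for _, acl in _blocks(body, "allow-transfer"):
        return [entry.strip() for entry in acl.split(";") if entry.strip()]
    return None


def classify(acl):
    """Map an ACL list to a policy label: open, closed, restricted or unset."""
    if acl is None:
        return "unset"          # falls back to the server default; review it
    if acl == ["any"]:
        return "open"
    if acl == ["none"]:
        return "closed"
    return "restricted"         # specific addresses, ACL names or TSIG keys


def audit(conf):
    """Return {zone name: effective AXFR policy} for a named.conf text."""
    text = _strip_comments(conf)
    default = None
    for _, body in _blocks(text, "options"):
        default = _transfer_acl(body)      # zone blocks inherit this
    findings = {}
    for name, body in _blocks(text, "zone"):
        acl = _transfer_acl(body)
        findings[name] = classify(default if acl is None else acl)
    return findings


if __name__ == "__main__":
    for zone, policy in audit(SAMPLE_CONF).items():
        flag = "  <-- public AXFR" if policy == "open" else ""
        print(f"{zone:20} {policy}{flag}")
```

The "unset" result is worth treating as a finding in its own right: a zone with no `allow-transfer` of its own and no global setting takes whatever the server's compiled-in default is, which is exactly the situation the thread started from. The restricted form shown for `restricted.test` (a TSIG key plus the secondary's address) is the configuration that matches the primary/secondary relationship the court text describes.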