[dns-operations] AXFR "policy"

Florian Weimer fweimer at bfk.de
Wed Mar 30 16:34:44 UTC 2011 

> As the discussion seems to be getting into AXFR "policy", one of the
> paragraphs from File No. 09-05-C-01660, District Court, Country of
> Cass, North Dakota provides one view of the non-operational aspect:

Is this the case where a zone file transfer was allegedly used in
preparation of a security breach?

The following paragraph tries to make the case that a public offering
of zone transfers does not actually consent to any use by third
parties.  This position is not completely without merit, but the
arguments put forth are incorrect.

>  "The intended purpose of a zone transfer is primarily one of redundancy.
>   Zone transfers are the means by which a primary authoritative domain
>   name server copies the domain structure to a secondary domain name
>   server for the purpose of redundancy.

s/the means/a means/, but mostly true.

>   Generally, both of the servers pertain to the same domain.

Incorrect, for both "administrative domain" and "DNS domain".  The
"DNS domain" part is clear from actual domain data.  Some large DNS
operators use out-of-zone name servers exclusively.

>   In all intended use of a zone transfer, the secondary server is
>   operated by the same party that operates the primary server.

This is simply not true.  The goal of secondary servers is redundancy,
so it makes sense that they are *not* operated by the same party.
Commercial DNS hosting services are widely available and often
included in domain registration packages.  Offering mutual secondary
service among friendly organizations is probably as old as DNS itself.

>   A secondary intended purpose for the zone transfers is to permit
>   trouble shooting in which case zone transfers may sometimes be
>   undertaken via the manually conducted host-l command.

DNS data certainly has diagnostic value, but zone file transfers are
not an ideal way to access it.  Either the zone is small, and you
usually know what you're looking for and query directly, or the zone
is so large that it quickly becomes unwieldy.  It is sometimes
convenient to tell authoritative data from cached data on shared
authoritative/resolver servers, but this is a very rare use case
indeed.

>   In those instances, however, the person conducting the diagnosis
>   acts with the authorization of the operator of the system and is
>   usually the network administrator of the system."

I don't think there are many scenarios where the network administrator
would need to access DNS data in this way, especially not for
diagnostic purposes.  Grepping through zone files could be handy when
you're planning to renumber, but that's not diagnostics.

So most of these arguments are slightly off target or factually
incorrect.  On the other hand, in practice, zones open for transfer
are often a misconfiguration and do not constitute informed consent to
use of this service by any third party.  My own experience supports
this for large zones---TLD operators shut down public AXFR service
after notification.

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the dns-operations mailing list