[dns-operations] Stunning security discovery: AXFR may leak information

Edward Lewis edward.lewis at icann.org
Tue Apr 14 13:28:30 UTC 2015


On 4/14/15, 8:29, "Mark Jeftovic" <markjr at easydns.com> wrote:

>Joke all you want. This is worse than heartbleed.

In short and if I understand this correctly, the problem isn't AXFR's
existence or use, the problem is that systems are poorly configured.

It's like blaming your aorta if a cut causes blood to spill.  The problem
isn't that there is an aorta, it's the cut.

I understand this as a problem.  Tools in common use that do not ease
management or fail to make it apparent what the user has configured are
worthy of CERT advisories (akin to "smoking will kill you" stickers I've
seen on cigarette boxes).  But blaming a structural element of the
protocol isn't the way to address the issue.