[dns-operations] Stunning security discovery: AXFR may leak information

Paul Vixie paul at redbarn.org
Tue Apr 14 19:34:48 UTC 2015


to me this harkens back to one of my earliest hacks to BIND4, which was
to add an access list for TCP. of course in 1988 or whenever this was, i
didn't realize that AXFR wasn't the only use of TCP, so i quickly had to
patch BIND4 differently (ACL on zone transfers). fun times.

the other thing i didn't realize at that time was the obvious need for
an IETF BCP or FYI document saying that name servers should restrict
zone transfers to "nobody" by default, and to provide an ACL to allow
known good secondary servers to access them. had i written that RFC in
1988-ish, it might be common practice by now. (and that would have been
a good time to say what RFC 5358 later said, too.)

when i say that the internet is, and has always been, too open for the
good of its users, i don't mean i want censorship. rather, i want
admission control and access control to be the default -- all
communities gated.

vixie
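As an added illustration of the arrangement the post argues for (restrict zone transfers to nobody by default, then open them only to known secondaries, with recursion handled as RFC 5358 later recommended), here is a BIND 9 named.conf fragment. It is not part of the original message; the zone name, the secondary addresses (documentation ranges) and the key name are constructed placeholders, and the TSIG secret must be replaced before use.

```conf
// Added example, not from the original post.
// Hosts permitted to pull zones (constructed, documentation addresses).
acl "secondaries" {
    192.0.2.53;
    2001:db8::53;
};

// TSIG key so a transfer must be signed, not merely come from a listed address.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder; generate with tsig-keygen
};

options {
    directory "/var/named";

    // allow-transfer { any; };     // the historical open default this thread is about
    allow-transfer { none; };       // default: no one may AXFR any zone on this server

    // Authoritative-only server: do not recurse for anyone (RFC 5358 / BCP 140).
    recursion no;
    // If the same box must also recurse for your own clients, use instead:
    // recursion yes;
    // allow-recursion { localnets; };
};

zone "example.com" {
    type master;                    // spelled "primary" in newer BIND releases
    file "example.com.zone";
    // Require BOTH a listed source address AND a valid TSIG signature:
    // the inner "!{ !secondaries; any; }" rejects everything not in the ACL,
    // and what remains must still match the key.
    allow-transfer { !{ !secondaries; any; }; key xfer-key; };
    also-notify { 192.0.2.53; 2001:db8::53; };
};
```

After reloading, verify from a host that is not in the ACL that an AXFR of the zone against your own server is refused (dig reports "Transfer failed." and the query log shows a REFUSED), and from a listed secondary with the key configured that the transfer still succeeds; the global `allow-transfer { none; }` means any zone added later without its own clause is closed rather than open.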
