[dns-operations] Stunning security discovery: AXFR may leak information
wbrown at e1b.org
Tue Apr 14 19:49:33 UTC 2015
From: Paul Vixie <paul at redbarn.org>
> to me this harkens back to one of my earliest hacks to BIND4, which was
> to add an access list for TCP. of course in 1988 or whenever this was, i
> didn't realize that AXFR wasn't the only use of TCP, so i quickly had to
> patch BIND4 differently (ACL on zone transfers). fun times.
>
> the other thing i didn't realize at that time was the obvious need for
> an IETF BCP or FYI document saying that name servers should restrict
> zone transfers to "nobody" by default, and to provide an ACL to allow
> known good secondary servers to access them. had i written that RFC in
> 1988-ish, it might be common practice by now. (and that would have been
> a good time to say what RFC 5358 later said, too.)
>
> when i say that the internet is, and has always been, too open for the
> good of its users, i don't mean i want censorship. rather, i want
> admission control and access control to be the default -- all
> communities gated.
Perhaps if BIND came with a very minimal named.conf that included basic
but typical configurations like not allowing zone transfers, a zone for
127.0.0.0, etc., new admins could be guided into making some good initial
choices.
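A minimal named.conf of the kind the reply above suggests, combined with the per-zone ACL for known secondaries that Vixie describes and the RFC 5358 point about recursion. This is an added illustration, not part of the original message and not BIND's shipped configuration: the ACL name, the addresses (RFC 5737 and RFC 3849 documentation ranges), the zone names and the file paths are placeholders, and the referenced zone files are assumed to exist.

```conf
// Minimal named.conf (added example, not BIND's default file).
// Replace the documentation addresses below with the real secondaries.
acl "secondaries" {
    192.0.2.53;      // placeholder IPv4 secondary
    2001:db8::53;    // placeholder IPv6 secondary
};

options {
    directory "/var/named";

    // Deny zone transfers to everyone unless a zone says otherwise,
    // rather than relying on whatever the server's built-in default is.
    allow-transfer { none; };

    // Authoritative-only server: refuse recursion outright (RFC 5358).
    // If this host must also recurse for local clients, replace the line
    // with:  allow-recursion { localhost; localnets; };
    recursion no;

    allow-query { any; };
};

// Loopback reverse zone so 127.0.0.1 lookups never leave the host.
// Inherits allow-transfer { none; } from options.
zone "127.in-addr.arpa" {
    type master;
    file "127.in-addr.arpa.zone";   // placeholder path
};

// A real zone: only the listed secondaries may AXFR/IXFR it.
zone "example.com" {
    type master;
    file "example.com.zone";        // placeholder path
    allow-transfer { secondaries; };
    notify yes;
};
```

After editing, run named-checkconf to catch syntax errors, then confirm the restriction from an address that is not in the ACL with `dig @<server> example.com AXFR`; the expected result is a refused transfer, not a listing of the zone.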