[dns-operations] Stunning security discovery: AXFR may leak information

Warren Kumari warren at kumari.net
Tue Apr 14 20:59:25 UTC 2015


On Tue, Apr 14, 2015 at 3:15 PM, Edward Lewis <edward.lewis at icann.org> wrote:
> On 4/14/15, 14:47, "Marjorie" <marjorie at id3.net> wrote:
>
>>The bottom line is that unrestricted AXFR is generally evil,
>
> I'd go with "generally unwise".  There are folks that believe it is fine
> to allow access to their zones and I have no reason to say they are
> foolish.

+1.

Included in this are (at least):
. (from [b,c,f,g,k].root-servers.net)
.arpa
.bb
.bd
.bi
.bv
.capetown
.cg
.ci
.cy
... and then I got bored...

Some of the above operators *may* be surprised, but *certainly* not
all. I know a number of the operators of the above and know that they
have done this by choice.

>  Folks who are not concerned with the minutia of operating their
> DNS server most likely would not want to allow the access and the tools
> they use should meet their likely expectations.

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
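As an added defensive example, not part of this thread and not code from any list member: a small Python audit that reads a BIND-style named.conf and reports, for each zone, whether zone transfers are unrestricted, restricted to listed hosts, or disabled. The configuration text is constructed for the example. The parser is a simplified assumption about BIND's syntax (it handles `options`, `zone` blocks, `allow-transfer` ACLs and comments, not `acl` names or `view`s), and it assumes that an absent `allow-transfer` means unrestricted, which matches older BIND defaults; pass `default_open=False` for a server whose default is `none`.

```python
import re

# Constructed sample config (hypothetical zones, not from the thread):
# the global default is "any", one zone inherits it, one restricts
# transfers to two secondaries, one disables transfers entirely.
SAMPLE_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };   // global default: unrestricted AXFR
};

zone "example.test" {
    type master;
    file "example.test.zone";  # no allow-transfer: inherits "any"
};

zone "restricted.test" {
    type master;
    file "restricted.test.zone";
    allow-transfer { 192.0.2.53; 2001:db8::53; };
};

zone "locked.test" {
    type master;
    file "locked.test.zone";
    allow-transfer { none; };
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{', re.IGNORECASE)
OPTIONS_RE = re.compile(r'\boptions\s*\{', re.IGNORECASE)
ALLOW_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}', re.IGNORECASE)


def _strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake an ACL."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)
    return re.sub(r'(//|#).*', '', text)


def _block_body(text, brace_index):
    """Return the text inside the brace at brace_index and its matching close."""
    depth = 0
    for i in range(brace_index, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[brace_index + 1:i]
    raise ValueError("unbalanced braces in config")


def _transfer_acl(body):
    """Return the allow-transfer address list in a block, or None if absent."""
    m = ALLOW_RE.search(body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(';') if t.strip()]


def classify_acl(acl, default_open=True):
    """Map an allow-transfer list to 'unrestricted', 'restricted' or 'disabled'."""
    if acl is None:
        # Assumption: no ACL anywhere falls back to the server default.
        return "unrestricted" if default_open else "disabled"
    lowered = [t.lower() for t in acl]
    if "any" in lowered:
        return "unrestricted"
    if lowered == ["none"]:
        return "disabled"
    return "restricted"


def audit_named_conf(text, default_open=True):
    """Return {zone name: transfer status} with zone ACLs overriding the global one."""
    text = _strip_comments(text)
    global_acl = None
    m = OPTIONS_RE.search(text)
    if m:
        global_acl = _transfer_acl(_block_body(text, m.end() - 1))
    findings = {}
    for zm in ZONE_RE.finditer(text):
        body = _block_body(text, zm.end() - 1)
        zone_acl = _transfer_acl(body)
        effective = zone_acl if zone_acl is not None else global_acl
        findings[zm.group(1)] = classify_acl(effective, default_open)
    return findings


if __name__ == "__main__":
    for zone, status in audit_named_conf(SAMPLE_CONF).items():
        print(f"{zone:20} AXFR {status}")
```

Run against a real named.conf, every zone reported as `unrestricted` is one where the operator should confirm the choice was deliberate, which is the point both Edward and Warren make above: open AXFR is a decision, and the tooling should make that decision visible rather than silent.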