[dns-operations] Stunning security discovery: AXFR may leak information

Patrik Fältström paf at frobbit.se
Tue Apr 14 22:58:19 UTC 2015

> On 15 apr 2015, at 00:35, John L. Crain <john.crain at icann.org> wrote:
> At the TLD level the question of how much of the data (and non existence of data) becomes more complex and a decision has to be made about access to the zone file. As long as there is a decision made based on understanding the pros and cons of AXFR I wouldn’t even go as far as to say “unwise” in this case. It’s a business decision that needs to be made. Many (not all) TLDs allow access to zone files, although not always via AXFR.
> When it comes to business networks and their DNS information I agree that “generally unwise” would be a good description. I’m not sure what purpose allowing AXFR to the outside world meets.

Part of this discussion, though, is the difference between registration of a domain name (i.e. the mapping between a domain name and a registrant) and the delegation of that very domain name to one or more name servers.

Personally, I see that quite a number of registries that are nervous about XFR (or release of the zone in one way or another) are the same ones that do not distinguish between registration and delegation, i.e. they require delegation when one registers a domain name.

To some degree I hope I am wrong, but real data might help here. I do not have it.
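For the business-network case raised above, where there is no reason to answer AXFR from the outside world, the usual mitigation is to deny transfers by default and allow them only to known secondaries over TSIG. The BIND named.conf fragment below is an added illustration, not part of this thread; the zone name, secondary addresses and key name are constructed placeholders.

```conf
// Weak setting: any host on the Internet can pull the entire zone with AXFR.
options {
    allow-transfer { any; };
};

// Hardened setting: deny transfers globally, then allow them per zone only
// for requests signed with a shared TSIG key. Generate the key with
// `tsig-keygen xfer-key` and install the same key on each secondary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder, replace before use
};

options {
    allow-transfer { none; };   // default-deny for every zone
};

zone "example.com" {
    type primary;               // "master" in older BIND releases
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };          // only TSIG-signed requests
    also-notify { 192.0.2.53; 198.51.100.53; };  // constructed secondary addresses
};
```

After reloading, confirm from a host outside the allowed set that `dig @<your-primary> example.com AXFR` returns "Transfer failed." rather than the zone contents.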

