[dns-operations] Postures was Re: Stunning security discovery: AXFR may leak information

George Michaelson ggm at apnic.net
Wed Apr 15 11:42:00 UTC 2015


I find the question: "if you had an FTP fetch of the zone, would you
feel comfortable making that available for anonymous FTP" a useful
question.

In reverse, we have the entire zonestate as FTP files. publicly
visible. Signed in PGP. And we have whois, with varying degrees of
throttle, for operational stability reasons more than anything else.

If we got swamped on FTP, I wouldn't be happy, but thats an
operational issue about TCP cost and data cost. Not about the zone
contents per se.

I'm happy in reverse, it makes sense to know numbers are numbers, they
have a sequence, its not that much less informative than other
published information about who-has-what

So on that basis: the FTP rule passes: we have open FTP, why would we
block AXFR?

-G

On 15 April 2015 at 13:26, Edward Lewis <edward.lewis at icann.org> wrote:
> John Crain alluded to the point I want to reinforce here.  There are many
> different operational postures.  It's tempting to see a situation as it
> applies to just one.  The three snips below illustrate common environments
> I've run across - TLD (/registration zones), remote debugging
> (/third-party management), and enterprise.
>
> When I think of "generally" I assume the latter environment.  By
> comparison, there are very few operations that handle TLD (and root) zone.
>
> The remote debugging is an interesting environment.  On the one hand it is
> benign, "coaching" and basically freely helping others.  But the technical
> footprint of it is not far removed from outside surveillance ("the NSA" or
> corporate spying), with the real difference locked into "intent."  And
> sometimes even benign outside help is considered an intrusion.
>
> As far as "generally unwise" - I am not the kind who likes loose ends.  By
> analogy, I see opening up AXFR on serves like walking with my shoes
> untied.  It's convenient (to not have to bend over and tie them) but if I
> step on one end I trip over.  Usually, my stance is wide enough that I
> don't trip.  The other concern is getting the laces wet in puddles, so I
> pull them in. (Yes, it is disturbing I've actually thought about this.)
> And worse yet, when I do this, my wife will frown at me.  I.e., once I
> mitigate the risks of tripping, stepping in puddles, and the scorn of my
> wife, it's fine.  If I don't consider these risk, I've been unwise.
>
> On 4/14/15, 18:58, "Patrik Fältström" <paf at frobbit.se> wrote:
>>
>>I see personally quite a number of registries that are nervous about
>>XFR (or release of the zone in one way or another)
>
> On 4/14/15, 19:29, "Mark Andrews" <marka at isc.org> wrote:
>>
>>I, and I know others, have been able to debug DNS problems reported
>>on bind-users because we could see the full zone contents which
>>would have been harder or perhaps impossible to solve otherwise.
>
>
> On 4/14/15, 16:31, "Michael Sinatra" <michael at brokendns.net> wrote:
>>
>>The real reason I see for restricting AXFR is to preserve resources on
>>the server.  This is less of an issue now than it was in the BIND 4 days
>




More information about the dns-operations mailing list