[dns-operations] Postures was Re: Stunning security discovery: AXFR may leak information

Edward Lewis edward.lewis at icann.org
Wed Apr 15 12:35:48 UTC 2015


On 4/15/15, 7:42, "George Michaelson" <ggm at apnic.net> wrote:

>So on that basis: the FTP rule passes: we have open FTP, why would we
>block AXFR?

It's your call, it's local policy.  I've worked in environments where the
name servers answering queries did not implement the AXFR mechanism.

"Generally unwise" can mean that knowledgeable operators will have a
reason to allow it.

(By the same token, why would one use NSEC3 for signed zones when the zone
is available over FTP?)