[dns-operations] Stunning security discovery: AXFR may leak information
m3047 at m3047.net
Thu Apr 16 16:11:17 UTC 2015
Oh haven't search lists become so much fun...
On Wed, 15 Apr 2015, Mark Andrews wrote:
> When rsh was all in fashion [...]
I love that historical moment! :-)
> Any zones you have in your search lists should be servers locally
> so that you can survive network partitions. These may or may not
> all be zones you "own". With DNSSEC this includes all the parent
> zones unless you want to have to install and manage trust anchors
> for all the local zones on all machines performing validation.
Good point, and subtle. Probably missed by a lot of people... the
implications, regardless of if they're going to do it or not.
More information about the dns-operations