[dns-operations] Stunning security discovery: AXFR may leak information

Fred Morris m3047 at m3047.net
Thu Apr 16 16:11:17 UTC 2015


Oh haven't search lists become so much fun...

On Wed, 15 Apr 2015, Mark Andrews wrote:
> When rsh was all in fashion [...]

I love that historical moment! :-)

> [...]
> Any zones you have in your search lists should be served locally
> so that you can survive network partitions.  These may or may not
> all be zones you "own".  With DNSSEC this includes all the parent
> zones unless you want to have to install and manage trust anchors
> for all the local zones on all machines performing validation.

Good point, and subtle. Probably missed by a lot of people... the
implications, regardless of if they're going to do it or not.

--

Fred Morris



