Unapproved AXFR?
Kevin Darcy
kcd at daimlerchrysler.com
Tue Dec 14 17:36:59 UTC 1999
Barry Margolin wrote:
> Date: Tue, 14 Dec 1999 18:12:40 +0100
> From: Lars-Johan Liman <liman at sunet.se>
> Lines: 7
>
> barmar at bbnplanet.com:
> > I never said it was the only solution. It's a popular, simple solution.
>
> To me it's more of a popular, simple _delusion_ ... :-)
>
> Why are you all bitching at me? It's not like I *recommend* this
> technique. I'm just trying to explain why many sysadmins do it.
>
> Like I said in my earlier message, it's a trivial technique. It doesn't
> cost anything. Have you never heard of the principle of Least Privilege?
> Since randoms on the net shouldn't need to do zone transfers from you,
> there's no reason to allow it, and it's incredibly simple to prevent.
>
> Anything else, like split DNS, requires more work to set up and has ongoing
> maintenance effort. You need to have a good reason to do this, to justify
> the work. But they don't feel the need for strong justification to add an
> "allow-transfer" line to the named.conf, and I hardly blame them. Unless
> they're deluding themselves into thinking that this is real data
> protection, I see no problem with it.
Relax, Barry, it's just the age-old, never-ending
something-is-better-than-nothing versus false-sense-of-security debate. Seems
the stalwarts on either side of the debate simply can't help themselves.
- Kevin
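The "allow-transfer" restriction Barry describes, written out as an added named.conf example that is not from this thread; the zone name, the secondary's address 192.0.2.53 (RFC 5737 documentation space) and the file paths are assumed placeholders:

```conf
// Weak setting: BIND's historical default permits AXFR from any client.
// Shown only for contrast; do not use it.
// options { allow-transfer { any; }; };

// Hardened setting: deny transfers server-wide, then grant them per zone
// to the designated secondary only (the least-privilege point made above).
acl secondaries {
    192.0.2.53;                      // assumed address of the secondary
};

options {
    directory "/var/named";          // assumed working directory
    allow-transfer { none; };        // server-wide default: nobody may AXFR
};

zone "example.com" IN {
    type master;
    file "master/example.com.db";    // assumed zone file path
    allow-transfer { secondaries; }; // only the listed secondary may AXFR
    notify yes;                      // secondaries are still told of changes
};
```

As the thread itself notes, this only stops bulk enumeration through AXFR; every record is still answerable to ordinary queries, so it is not data protection.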