Unapproved AXFR?
Jim Reid
jim at rfc1035.com
Tue Dec 14 19:58:04 UTC 1999
>> Let's assume for a moment that, by allowing zone transfers,
>> there will eventually be one or more name servers that have, in
>> fact, transferred one or more of your authoritative zones. Since
>> you haven't configured that zone with associated NS entries for
>> the server in question, they will not be receiving DNS Notify
>> announcements from you as to changes. Further, since that name
>> server actually has a copy of your zone, TTL will not expire
>> out cached entries on that server.
I don't think this is a strong enough justification for restricting
zone transfers either, even though keeping an eye on stealth and slave
servers is a Good Thing. What if the remote name server was configured
to be authoritative for a completely bogus version of your zone? The
effect's the same - that name server is telling lies about your domain
- no matter what you're doing to control who's allowed to perform zone
transfers.