Unapproved AXFR?
Olmy
olmy at thistledown.org
Tue Dec 14 21:24:28 UTC 1999
>
> I don't think this is a strong enough justification for restricting
> zone transfers either, even though keeping an eye on stealth and slave
> servers is a Good Thing. What if the remote name server was configured
> to be authoritative for a completely bogus version of your zone? The
> effect's the same - that name server is telling lies about your domain
> - no matter what you're doing to control who's allowed to perform zone
> transfers.
>
Agreed. There's nothing in allow-transfer that would prevent that. If you
interpret the act of someone setting up a bogus master for your zone
as a malicious act, my admittedly rather bizarre "what if?" is not
reason in and of itself to employ allow-transfer options.
However, deliberate bogus masters or deliberate shadow slaves for the
purpose of DNS cache poisoning are not the sole possible instance of the
example I described.
You could also make an argument for this situation arising out of
operator error, a typo, or ignorance. I think the latter cases are more
likely than a malevolent DNS administrator wanting to redirect traffic.
Anyway, it's been an interesting discussion, regardless.
cheers,
jeff
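Added illustration, not part of the original thread or of anyone's posted configuration: a BIND 9 named.conf fragment showing what allow-transfer controls and what it leaves untouched, which is the point the exchange above turns on. The zone name, the slave address (RFC 5737 documentation range), the key name and the secret are all hypothetical placeholders.

```conf
# Added example, not from the original thread. Hypothetical zone, address
# (RFC 5737 documentation range), key name and secret.

# TSIG key so a slave can authenticate its transfer requests.
# The secret is a placeholder; generate a real one with tsig-keygen.
key "slave-xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};

options {
    # Default for every zone on this server: nobody may pull a copy.
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    # Only the listed slave address, or a requester signing with the TSIG
    # key, may perform AXFR/IXFR of this zone.
    allow-transfer { 192.0.2.53; key "slave-xfer-key"; };
    also-notify { 192.0.2.53; };
};

# What the above does NOT prevent: a third party can configure their own
# server as master for the same zone name with a zone file of their own
# making. allow-transfer on your server has no influence on that. Which
# resolvers believe the bogus server is decided by where they are pointed
# (the parent's NS delegation, or a misconfigured stealth slave setup),
# not by your transfer ACL.
#
# zone "example.com" {            # on someone else's server
#     type master;
#     file "bogus-example.com.zone";
# };
```

The practical check this suggests is to compare the NS set returned by the parent zone against the servers you actually operate, rather than to rely on allow-transfer as a defence against anyone else answering for your names.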