[bind9] allow transfer, nameserver-only?
Kevin Darcy
kcd at daimlerchrysler.com
Mon Jan 30 22:29:25 UTC 2006
Helmut Schneider wrote:
>Danny Mayer (mayer at gis.net) wrote:
>
>>Helmut Schneider wrote:
>>
>>>Barry Margolin (barmar at alum.mit.edu) wrote:
>>>
>>>>In article <drddrq$2l1p$1 at sf1.isc.org>,
>>>>"Helmut Schneider" <jumper99 at gmx.de> wrote:
>>>>
>>>>>is it possible to define that a zone transfer is only allowed for NS
>>>>>records of the according zone file?
>>>>>
>>>>I don't think BIND has such an option. Some other DNS implementations
>>>>use the NS records as their default "allow-transfer" access list.
>>>>
>>>Yes, Windows DNS does and I hoped that bind has such an option, too.
>>>
>>You can restrict transfer of any zone to any list of addresses with the
>>allow-transfer option. It's up to you to specify what you want in there.
>>
>I do have ACLs for that but if you maintain a list of zones where the
>secondaries are spread over a number of providers it is no fun to delegate
>zone transfer for each zone.
>
<soapbox on>
Why limit transfers at all? This is one of those "conventional wisdom"
good-security-practice kind of things that actually doesn't make a whole
lot of sense. Yes, in *theory*, there is a DoS potential in leaving zone
transfers open, but the script kiddies seem to prefer more exotic forms
of DoS, and in any case, decent IDS/IPS systems do non-DNS-specific
rate-limiting/shunning by IP anyway. As for "hiding" certain resource
records with "special" names (e.g. crypto-hashes or whatever) in your
zone files, I would question such a practice from a design standpoint
anyway. DNS is probably not the appropriate mechanism to use for that
kind of thing.
Leaving zone transfers open gives everyone the flexibility to re-address
off-site slaves (TSIG can theoretically be used to manage this, but many
folks are ignorant about TSIG and how to use it, plus key management can
be a pain), for partners to set up stealth slaves as desired (just don't
expect any NOTIFYs from me, unless you let me know and I agree to it and
implement it via also-notify), easy transfers of data if we should
outsource part of our DNS hosting, or to facilitate some kind soul in
troubleshooting a data/delegation problem in one of my zones
(hypothetically, of course, since my zones are always perfect :-). Seems
to me the maintainability and supportability issues here outweigh the
(questionable, arguable) security benefits. Of course, it's rare for
someone to get fired for insisting on *too*much* security, so I guess
there's an inexorable ratchet-effect towards more and more
restrictiveness, even where it doesn't make sense. Sigh...
<soapbox off>
- Kevin
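The allow-transfer option Danny points to, and the NS-derived transfer list Helmut asked for, as an added example that is not part of this thread and not a BIND feature: a small Python script that reads a zone file, collects the glue addresses of the zone's own NS records, and emits an `acl` plus a zone stanza that references it, while reporting off-site nameservers whose addresses are not in the file and must be kept up to date separately. The zone data, names and addresses below are constructed placeholders.

```python
# Added example, not from the thread: derive an allow-transfer ACL from a
# zone's own NS records, the behaviour Helmut asked BIND for.  The zone data,
# names and addresses below are constructed placeholders.
import re

ZONE = """\
$ORIGIN example.test.
@   3600 IN SOA ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
@   3600 IN NS  ns1.example.test.
@   3600 IN NS  ns.provider.invalid.
ns1 3600 IN A   192.0.2.53
ns1 3600 IN AAAA 2001:db8::53
"""

# owner [ttl] [IN] type rdata  (only the record types this script needs)
RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(AAAA|NS|A)\s+(\S+)")

def parse_zone(text):
    """Return (origin, ns_names, {owner: [addresses]}) from in-file data only."""
    origin, ns, addrs = None, [], {}
    for raw in text.splitlines():
        line = raw.split(";")[0].strip()          # drop comments and whitespace
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = RR.match(line)
        if not m:
            continue                              # SOA and other types ignored
        owner, rtype, rdata = m.groups()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"           # make relative names absolute
        if rtype == "NS":
            ns.append(rdata)
        else:
            addrs.setdefault(owner, []).append(rdata)
    return origin, ns, addrs

def transfer_acl(text, acl_name="xfer-from-ns"):
    """Return (named.conf snippet, NS names with no glue in the file)."""
    origin, ns, addrs = parse_zone(text)
    allowed, unresolved = [], []
    for name in ns:
        if name in addrs:
            allowed.extend(addrs[name])
        else:
            unresolved.append(name)   # off-site NS: address must be supplied out of band
    acl = f"acl {acl_name} {{ " + " ".join(f"{a};" for a in allowed) + " };\n"
    zone = (f'zone "{origin.rstrip(".")}" {{ type master; file "{origin}zone";\n'
            f"    allow-transfer {{ {acl_name}; }}; }};\n")
    return acl + zone, unresolved
```

The unresolved list is the crux of Helmut's problem: secondaries hosted by other providers have no glue in your zone, so their addresses still have to be looked up and maintained by hand, or the transfer protected with TSIG as Kevin mentions.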