Unapproved AXFR?

Barry Margolin barmar at bbnplanet.com
Mon Dec 13 18:20:53 UTC 1999


In article <199912131759.JAA13888 at zed.isi.edu>,
Bill Manning  <bmanning at ISI.EDU> wrote:
>% An analogy:  a house has deadbolts and a monitored
>% security system, whereas another has no security system and is left
>% unlocked.  Sure, if someone wanted to they could break into *either* house,
>% but the second one is a lot easier.  If the rewards are the same, which
>% house would be broken into?
>% 
>% I know this isn't the black/white answer you are looking for...
>% 
>% Greg
>
>	I wouldn't think the rewards are the same. 

Right.  Which is easier, picking a padlock you can buy at any hardware
store, or a safe at a bank?  Which is likely to be more lucrative if you
succeed?  And which of the above two houses is more likely to have valuable
furs and jewelry in it?

However, the analogy with blocking zone transfers isn't that good.  The
difference is that a fancy home security system is expensive -- the value
of the property it protects should be more than the cost of the system.
But adding "allow-transfer" to your named.conf file costs practically
nothing.  You don't need a good reason to do it; simple paranoia is
sufficient.  The only downside is if you screw it up, since it could
prevent your authorized slave servers from transferring the zone.

Lots of computer "security" measures are in place simply because they
correspond to items in common checklists, not because the site has made a
conscious decision that they protect something valuable.  Many sites adhere
to the conservative policy of blocking anything they're not sure about, and
only allowing things through that they know are OK.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
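An added example (not part of Barry's post or of BIND itself) of the "costs practically nothing, but don't screw it up" point above: a small audit script that reads a named.conf, works out the effective allow-transfer ACL for each master zone, and flags both the open case (no allow-transfer, or allow-transfer { any; }) and the lockout case (a configured ACL that omits one of your own slaves). The two named.conf fragments and the slave addresses are constructed for the example; the parser assumes a flat file without view stanzas, and it treats a missing allow-transfer as permitting any host, which is the classic BIND default that the thread is concerned with.

```python
import re

# Constructed sample configs (not from the original post).
OPEN_CONF = """
options {
    directory "/var/named";
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { any; };
};
"""

LOCKED_CONF = """
acl "secondaries" { 192.0.2.10; 192.0.2.11; };

options {
    directory "/var/named";
    allow-transfer { none; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };
};

zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { 192.0.2.10; };   // the second slave was forgotten here
};
"""

# Constructed addresses of the slaves that must still be able to transfer.
SECONDARIES = ["192.0.2.10", "192.0.2.11"]

STANZA = re.compile(r'\b(acl|options|zone)\b\s*(?:"([^"]+)")?\s*\{')
ALLOW = re.compile(r"allow-transfer\s*\{([^}]*)\}")


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _body(text, open_pos):
    """Return the text between the brace at open_pos and its matching close."""
    depth = 0
    for i in range(open_pos, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_pos + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def parse(conf):
    """Split a flat named.conf into its acl, options and zone stanzas (no views assumed)."""
    text = _strip_comments(conf)
    acls, options, zones = {}, "", {}
    pos = 0
    m = STANZA.search(text, pos)
    while m:
        open_pos = m.end() - 1
        body = _body(text, open_pos)
        kind, name = m.group(1), m.group(2)
        if kind == "acl":
            acls[name] = body
        elif kind == "options":
            options = body
        else:
            zones[name] = body
        pos = open_pos + len(body) + 2   # continue after the closing brace
        m = STANZA.search(text, pos)
    return acls, options, zones


def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def allow_transfer(body):
    """ACL elements of a stanza's allow-transfer, or None if the stanza has none."""
    m = ALLOW.search(body)
    return _elements(m.group(1)) if m else None


def expand(elements, acls, seen=()):
    """Resolve named acl references down to literal elements (addresses, any, none)."""
    out = set()
    for e in elements:
        if e in acls and e not in seen:
            out |= expand(_elements(acls[e]), acls, seen + (e,))
        else:
            out.add(e)
    return out


def audit(conf, secondaries):
    """Return {zone: [findings]} for every master zone; an empty list means it looks right."""
    acls, options, zones = parse(conf)
    default = allow_transfer(options)
    report = {}
    for name, body in zones.items():
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue
        findings = []
        acl = allow_transfer(body)
        if acl is None:
            acl = default          # zone-level setting overrides the options-level one
        if acl is None:
            # Assumption: absence means the classic BIND default of allowing any host.
            findings.append("no allow-transfer at zone or options level (defaults to any)")
            effective = {"any"}
        else:
            effective = expand(acl, acls)
            if "any" in effective:
                findings.append("allow-transfer permits any host")
        if "any" not in effective:
            for s in secondaries:
                if s not in effective:
                    findings.append(f"secondary {s} is not permitted to transfer")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("locked", LOCKED_CONF)):
        for zone, findings in audit(conf, SECONDARIES).items():
            print(f"[{label}] {zone}: {findings or 'ok'}")
```

Run it against the real file (audit(open("/etc/named.conf").read(), your_slave_list)) after any edit to allow-transfer: an empty findings list for every zone is the cheap check that you have neither left the zone open nor cut off one of your own slaves.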