Unapproved AXFR?

Barry Margolin barmar at bbnplanet.com
Tue Dec 14 17:09:46 UTC 1999


   Date: Tue, 14 Dec 1999 17:03:43 +0000
   From: Jim Reid <jim at rfc1035.com>

   >>>>> "Barry" == Barry Margolin <barmar at bbnplanet.com> writes:

       Barry> If you name machines after users, projects, etc. then zone
       Barry> transfers can divulge proprietary information.  Most
       Barry> companies have a policy that the employee directory can't
       Barry> be distributed to outsiders; if the DNS database is almost
       Barry> equivalent, it makes sense not to distribute it, either.

   True. But that's why most large organisations use split DNS so that
   their public face can be kept discrete (and discreet!) from whatever
   they do internally. The non-sensitive data can go on the outside and
   the company-confidential stuff stays on the inside. This is a policy
   issue anyway. It's not support for a technical argument in favour of
   restricting zone transfers. If data is supposed to be private, it
   shouldn't be in a public data service like the DNS!

I never said it was the only solution.  It's a popular, simple solution.

-- 
Barry Margolin, barmar at bbnplanet.com
GTE Internetworking, Powered by BBN, Burlington, MA

