Unapproved AXFR?

Olmy olmy at thistledown.org
Tue Dec 14 17:10:05 UTC 1999


> So - I'm still looking for technical reasons. If the general
> conclusion is "there doesn't seem to be any", that is fine, because
> then I know what I'm dealing with. _MY_ paranoia is "Have I missed a
> technical reason?". :-) :-)

Since this thread is considering the traditional security concerns of
allowing transfers as an administrative concern, rather than a technical
one, I'll throw this out as a possible technical concern:


Let's assume for a moment that, by allowing zone transfers, there will
eventually be one or more name servers that have, in fact, transferred
one or more of your authoritative zones. Since you haven't configured that
zone with associated NS entries for the server in question, they will not
be receiving DNS Notify announcements from you as to changes. Further, since
that name server actually has a copy of your zone, TTL will not expire out
cached entries on that server.

By this time, you no longer have any control over how current the
information is that is being hosted for YOUR zone on that server.
They may continue to transfer up to date information, they may not.
There's no reason to assume malice, it might just be oversight or
ignorance. But this might be an ISP's name server that thousands or
tens of thousands of users use: possibly with stale and out-of-date
information that you can't really do much about.

Let me know if I missed anything, but this would seem like a valid 
technical concern.

regards,

jeff
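An added example, not part of the original post, that models the ageing of a zone copy on a server you do not control. It goes slightly beyond the post by including the SOA timers: such a server receives no NOTIFY, so it only learns of changes when it polls at the SOA REFRESH interval, and if it cannot reach you it keeps serving the old copy until SOA EXPIRE. The SOA class, the function names and the sample serials are constructed for the illustration.

```python
# Constructed illustration: how a zone copy obtained by AXFR ages on a server
# that never receives NOTIFY from the primary. Serial comparison follows
# RFC 1982 so that serial wrap-around is handled correctly.
from dataclasses import dataclass

MOD = 2 ** 32
HALF = 2 ** 31


@dataclass
class SOA:
    serial: int
    refresh: int   # seconds between scheduled polls of the primary
    retry: int     # seconds between retries after a failed poll
    expire: int    # seconds after the last good refresh before the copy is dropped
    minimum: int   # negative-caching TTL (RFC 2308)


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if serial a is newer than serial b."""
    a, b = a % MOD, b % MOD
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def copy_state(primary: SOA, copy: SOA, since_last_refresh: int) -> str:
    """Classify a copy of the zone held by a server that gets no NOTIFY.

    since_last_refresh: seconds since that server last refreshed successfully.
    """
    if since_last_refresh >= copy.expire:
        return "expired"                  # server must stop answering for the zone
    if not serial_gt(primary.serial, copy.serial):
        return "current"                  # nothing newer on the primary
    if since_last_refresh < copy.refresh:
        return "stale-until-refresh"      # old data served until the next scheduled poll
    return "stale-refresh-overdue"        # poll due or failing; old data served until EXPIRE


def max_stale_seconds(copy: SOA) -> int:
    """Upper bound on how long an unreachable copy keeps serving old data."""
    return copy.expire


if __name__ == "__main__":
    primary = SOA(serial=1999121402, refresh=3600, retry=900, expire=604800, minimum=3600)
    copy = SOA(serial=1999121401, refresh=3600, retry=900, expire=604800, minimum=3600)
    for elapsed in (600, 7200, 700000):
        print(elapsed, copy_state(primary, copy, elapsed))
```

The EXPIRE value in the SOA you publish is therefore the only bound you still hold over how long such a copy can be served once the server stops reaching you.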



More information about the bind-users mailing list