ZXFR

Derek J. Balling dredd at megacity.org
Wed Nov 8 22:14:28 UTC 2000


<sarcasm>
semantics, to be sure. certainly disabling them is a form of limiting them.
</sarcasm>

;-)

D


At 5:05 PM -0500 11/8/00, dave.goldsmith at intelsat.int wrote:
>You CAN'T "limit" zone transfers (by editing the named.conf file)
>
>But you CAN "disable" zone transfers (by editing the named.conf file or by
>modifying the code to remove support for ZXFR).
>
>Would not DISABLE seem to be more inclusive than LIMIT???
>
>Dave
>
>-----Original Message-----
>From: Security, Network [mailto:Network.Security at OCIOFC.USDA.GOV]
>Sent: Wednesday, November 08, 2000 3:25 PM
>To: 'Shawn_Evans at oxy.com'
>Cc: 'bind-users at isc.org'
>Subject: RE: ZXFR
>
>
>i realize that limiting zone x-fers would also be an answer but we cannot
>implement this right away...don't ask why...it would take too long to
>explain...what i want to do is disable ZXFR's altogether
>-- qarl
>
>-----Original Message-----
>From: Shawn_Evans at oxy.com [mailto:Shawn_Evans at oxy.com]
>Sent: Wednesday, November 08, 2000 1:11 PM
>To: bind-users at isc.org
>Subject: RE: ZXFR
>
>
>
>
>In your named.conf file, in the options sections, to make the change
>globally.. add;
>
>options {
>       allow-transfer { 1.2.3/24; };
>};
>
>where 1.2.3/24 is the IP range you want to have the ability to make zone
>transfers.
>
>See DNS & BIND, 3rd Edition pg. 252 for further details.
>
>
>---
>-   Shawn L. Evans, mailto:shawn_evans at oxy.com   -
>-  Phone: 1-918-610-1897 Mobile: 1-918-361-7601  -
>-      Text Page: 8008056238 at airmessage.net      -
>-             Pager:  1-800-805-6238             -
>
>
>-----Original Message-----
>From: Security, Network [mailto:Network.Security at OCIOFC.USDA.GOV]
>Sent: Wednesday, November 08, 2000 1:15 PM
>To: 'bind-users at isc.org'
>Subject: ZXFR
>
>
>alright with this new DoS against 8.2.2P5 with the ZXFR option enabled i am
>poking around trying to figure out how to disable it, sorry if this seems
>like a trivial question...i still get lost in source code. anyway i did NOT
>manually enable it, yet the DoS still works on my Solaris 8 machine. so if
>anyone could tell me where to go to disable this option it would be
>appreciated.
>-- qarl
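
An audit of the `allow-transfer` setting discussed in this thread, as an added example (not part of the original messages and not ISC code): it reads a named.conf and reports, per zone, whether zone transfers are open, limited or disabled. It assumes an absent `allow-transfer` leaves transfers unrestricted; the sample config, zone names and function names are constructed for illustration, and views, nested address-match lists and comment markers inside quoted strings are not handled.

```python
import re

# Constructed sample named.conf (not from the original thread).
SAMPLE_CONF = """
options { allow-transfer { 1.2.3/24; }; };   // global limit from the post
zone "example.com" { type master; file "db.example"; };
zone "open.example" { type master; allow-transfer { any; }; };  # override
zone "closed.example" { type master; allow-transfer { none; }; };
"""

def strip_comments(text):
    """Remove /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def top_level_blocks(text):
    """Yield (header, body) for each top-level 'header { body };' statement."""
    depth, head_start, start, header = 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, start = text[head_start:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[start:i]
        elif ch == ";" and depth == 0:
            head_start = i + 1

def transfer_acl(body):
    """Return the allow-transfer entries in a block, or None if unset."""
    m = re.search(r"\ballow-transfer\s*\{([^{}]*)\}", body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit(conf):
    """Return {zone: (effective_acl, verdict)}; a zone ACL overrides options."""
    global_acl, zones = None, {}
    for header, body in top_level_blocks(strip_comments(conf)):
        if header == "options":
            global_acl = transfer_acl(body)
        elif header.startswith("zone"):
            zones[re.search(r'"([^"]*)"', header).group(1)] = transfer_acl(body)
    report = {}
    for name, acl in zones.items():
        eff = acl if acl is not None else global_acl
        open_ = eff is None or "any" in eff   # assumption: unset means unrestricted
        verdict = "OPEN" if open_ else "DISABLED" if eff == ["none"] else "LIMITED"
        report[name] = (eff, verdict)
    return report
```

Calling `audit(SAMPLE_CONF)` shows why a global limit alone is not enough to review: a per-zone `allow-transfer { any; };` silently reopens that zone.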



