NSEC3 support for BIND

Mark Andrews Mark_Andrews at isc.org
Sat Nov 10 18:56:48 UTC 2007


> On Fri, Nov 09, 2007 at 09:36:50PM +1100,
>  Mark Andrews <Mark_Andrews at isc.org> wrote 
>  a message of 50 lines which said:
> 
> > In 15 years I've yet to have a zone when stopping enumeration was
> > critical to the use of that zone.  I've had zones where it was a
> > nice thing to do but given the choice between publishing and
> > enumeration, publishing would win out every time.
> 
> Then why do most sites not allow AXFR? isc.org, for instance ;-)

Because of a myth that it will protect them.  Herd mentality:
"everyone else is doing it so it must be good".

The theory was that a lot of AXFR would overload your system, therefore
we must prevent AXFR.  In reality nobody wants to AXFR zones.  It's
a perceived threat, not a real threat.  There are very few zones
people are interested enough in for there to be enough AXFR traffic
to matter.

The other myth is that preventing access to the hostnames will somehow
make your systems safer.  In reality attackers don't need that
information, and additionally most sites leak host name information.

We can all dream up a scenario where it would "help".  In reality the
chances of any of those scenarios eventuating is negligible.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
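The "enumeration" the thread is arguing about is NSEC chain walking, which NSEC3 was introduced to make harder. The following Python is an added example, not code from this thread, from ISC or from BIND: the zone "example.test." and its names are constructed. It simulates the NXDOMAIN answers a signed NSEC zone gives, walks the chain by asking for a name that sorts just after each name already learned, and then shows what the same chain looks like under NSEC3's salted, iterated SHA-1 hashing (RFC 5155), where the walker only ever collects hashes.

```python
"""NSEC chain walking versus NSEC3 hashing (added example, constructed zone)."""
import base64
import hashlib

# Constructed NSEC chain for "example.test." in canonical order (RFC 4034
# section 6.1): each owner name maps to the "next" name in its NSEC record,
# and the last record wraps back to the apex.
APEX = "example.test."
NSEC_CHAIN = {
    "example.test.": "admin.example.test.",
    "admin.example.test.": "db1.example.test.",
    "db1.example.test.": "vpn.example.test.",
    "vpn.example.test.": "www.example.test.",
    "www.example.test.": "example.test.",
}


def canonical_key(name):
    """Sort key for canonical DNS order: labels compared right to left,
    case-insensitively, so a parent sorts before its children."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))


def covering_nsec(qname, chain):
    """Simulate an authoritative server's NXDOMAIN answer: return the
    (owner, next) NSEC record whose span proves qname does not exist."""
    q = canonical_key(qname)
    for owner, nxt in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        wraps = n <= o  # the final record points back to the apex
        if o < q and (q < n or wraps):
            return owner, nxt
    raise ValueError("%s is not covered: it exists or is outside the zone" % qname)


def walk_zone(apex, chain):
    """Enumerate every name in the zone without AXFR: probe a name that
    sorts immediately after each known name, and read the next owner out
    of the NSEC record that denies it."""
    names = [apex]
    current = apex
    while True:
        probe = "\x00." + current  # sorts right after `current`
        _owner, nxt = covering_nsec(probe, chain)
        if nxt == apex:
            return names
        names.append(nxt)
        current = nxt


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5 hash: iterated SHA-1 over the lowercase wire-format
    name with the salt appended, rendered in base32hex (RFC 4648 section 7)."""
    labels = name.rstrip(".").lower().split(".")
    wire = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode()  # 20 bytes -> 32 chars, no padding
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()


def nsec3_chain(chain, salt=b"", iterations=0):
    """The same chain as NSEC3 would publish it: owner and next are hashes,
    so a walker learns the hashes but must guess names offline to recover them."""
    return {nsec3_hash(o, salt, iterations): nsec3_hash(n, salt, iterations)
            for o, n in chain.items()}


if __name__ == "__main__":
    print("NSEC walk recovers:", walk_zone(APEX, NSEC_CHAIN))
    hashed = nsec3_chain(NSEC_CHAIN, salt=bytes.fromhex("aabbccdd"), iterations=10)
    for h, nh in hashed.items():
        print("NSEC3 walk sees:", h, "->", nh)
```

Against a real signed zone the equivalent of `covering_nsec` is `dig +dnssec` for a nonexistent name and reading the NSEC (or NSEC3) record in the authority section; the walker above just replaces that query with a lookup in the constructed chain. The hashed chain is still walkable, which is why NSEC3 is described as making enumeration harder rather than impossible: the salt and iteration count only raise the cost of the offline dictionary attack.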


