Greetings Kevin,

Thu, 14 Aug 2008 16:47:02 -0400 Kevin Darcy wrote:

[...]

>> I also recommend you to restrict the AXFR queries.
>>
>>
> Why? It's public information, and as you yourself have just
> demonstrated, leaving zone transfers open is useful for
> troubleshooting.

Well, the publicity of DNS data seems to be a good reason to expose it, but not for everyone and in every case. I think that the DNS administrators should decide whether to disclose the [sometimes] sensitive zone data or not on a "for whom, how" basis. Let's imagine that your zone has some RRs for the Windows PCs, DCs, print servers, lab equipment etc. I don't consider that conscientious or evil strangers just like me and you need to know much about this private stuff.

> Please don't fall victim to the Security paranoid tunnel vision that
> says we should restrict all information as much as possible, without
> any thought given to direct consequences and ripple effects. Take
> that kind of wrong thinking to its logical conclusion, and we
> shouldn't be using DNS at all (since names expose "too much
> information" about our conventions, our thinking patterns, our
> language, our culture, etc.).

No, I'm not paranoid, nor do I support the well-known and dubious principle "security through obscurity".

Thanks for your point of view.

P.S.

[EMAIL PROTECTED] ~]$ dig @ns-12.extra.daimlerchrysler.com. chrysler.com. axfr

; <<>> DiG 9.5.0-P1 <<>> @ns-12.extra.daimlerchrysler.com. chrysler.com. axfr
; (1 server found)
;; global options: printcmd
; Transfer failed.

;)

-- 
Yours sincerely,
Andrey G. Sergeev (AKA Andris)
http://www.andris.name/
