Res wrote:
On Mon, 17 Nov 2008, Jefferson Ogata wrote:
On 2008-11-17 14:25, Holger Honert wrote:
Chris Thompson schrieb:
On Nov 17 2008, Res wrote:
Ack! allow-transfer should never be any
What, never? Why not?
Security issue! You really want everyone to download your zone(s)?
I couldn't care less. If the security of my systems were the least bit
dependent on keeping DNS records secret, I would kinda suck as an admin,
wouldn't I?
does your employer know this is your attitude? he/she might take a
different stand :) I know you'd no longer be working for me, if that
was your take on how things should be.
Sounds like a veiled threat, and, if so, highly inappropriate.
As stated before, this is a decision that needs to be made by each
organization, according to an *intelligent* and *informed* consideration
of the risks, benefits and drawbacks. In my experience, most security
"experts" (either self-proclaimed or possessing some
ultimately-meaningless piece of paper that designates them as such) are
ignorant of DNS and need to be brought up to speed. DNS admins, on the
other hand, generally need to be more sensitive to different security
contexts and requirements. They can meet in the middle and come up with
an appropriate solution.
Any blanket rule of "always restrict zone transfers" is foolish, as
would be a blanket rule of "always leave zone transfers completely open".
- Kevin
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
