On Wed, Dec 10, 2003 at 12:30:14AM +0100, Mans Nilsson wrote:
> I appreciate the work, and am pleased to see that many zones I'm
> involved in serving are scored high. But:
>
> Allowing zone transfers is, in my humble opinion, not a problem.
> Blocking them is done for two reasons; either performance or paranoia.
> Cases where there are performance problems are very rare. Paranoia
> is, sadly enough, much more common. This particular paranoia is
> more often known (and mildly detested) as "security by obscurity".
Yes, I suppose this could go either way. My concern is for those operators
that are unwittingly allowing them, not folks like yourself. Also, allowing
AXFR on a large zone is proportionately more problematic with regard to loss
of bandwidth in the event of a DoS attack.

> While it is mentioned in a column, I'd be more interested in finding
> the recursers, because there lies a real problem, mainly through
> cache poisoning attacks and more complex server code being active.

If you check out http://www.credentia.cc/research/cctlds/ you will see the
rolling checks done at 2, 6, 10, 14, 18 and 22 Pacific Time. The recursion
warnings can be more easily found there.

--
Some days it's just not worth chewing through the restraints...
Mark Foster <[EMAIL PROTECTED]> http://mark.foster.cc/

dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
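As an added illustration, not part of the thread and not the checker run at credentia.cc: a small probe for the two exposures the exchange above is about, a nameserver that hands out AXFR to anyone and a nameserver that recurses for anyone. It speaks the RFC 1035 wire format directly so the packet builder and the flag parser can be exercised offline on constructed response bytes; the server address, zone and probe name in the usage block are placeholders, and the four sample replies are constructed for the example, not captured traffic.

```python
"""Probe a nameserver for open AXFR and open recursion (added example)."""
import socket
import struct
import sys

QTYPE_A, QTYPE_SOA, QTYPE_AXFR = 1, 6, 252
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(qname, qtype, rd=1, qid=0x1234):
    """Return a DNS query: 12-byte header followed by a single IN question."""
    flags = 0x0100 if rd else 0x0000                  # RD is bit 8 of the flags word
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    question += b"\x00" + struct.pack(">HH", qtype, 1)  # root label, QTYPE, QCLASS IN
    return header + question


def parse_header(resp):
    """Decode the header fields the checks below rely on."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0x0F, "ancount": an}


def recursion_offered(resp):
    """True when an RD=1 query for a name outside the server's own zones came
    back NOERROR with an answer and the RA bit set. RA alone is only a hint;
    the answer section is what shows the server actually recursed for us."""
    h = parse_header(resp)
    return h["ra"] == 1 and h["rcode"] == 0 and h["ancount"] > 0


def axfr_accepted(resp):
    """True when the first AXFR message carries records (it starts with the
    zone SOA) under NOERROR; a server that restricts transfers answers REFUSED."""
    h = parse_header(resp)
    return h["rcode"] == 0 and h["ancount"] > 0


def udp_exchange(server, packet, port=53, timeout=3.0):
    """Send one query over UDP and return the first reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, port))
        return s.recv(4096)


def tcp_exchange(server, packet, port=53, timeout=5.0):
    """Send one query over TCP (AXFR is TCP-only) and return the first
    reply message; DNS over TCP prefixes each message with a 2-byte length."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(packet)) + packet)
        f = s.makefile("rb")
        (length,) = struct.unpack(">H", f.read(2))
        return f.read(length)


def probe(server, zone, probe_name="www.example.net."):
    """Run both live checks; probe_name must lie outside the zones the server
    serves, otherwise an authoritative answer would be mistaken for recursion."""
    rec = udp_exchange(server, build_query(probe_name, QTYPE_A, rd=1))
    xfr = tcp_exchange(server, build_query(zone, QTYPE_AXFR, rd=0))
    return {"open_recursion": recursion_offered(rec),
            "recursion_rcode": RCODE_NAMES.get(parse_header(rec)["rcode"], "?"),
            "axfr_allowed": axfr_accepted(xfr),
            "axfr_rcode": RCODE_NAMES.get(parse_header(xfr)["rcode"], "?")}


# Constructed sample replies (header only; the checks never read past it).
OPEN_RESOLVER_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR RD RA, 1 answer
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)         # QR RD, rcode REFUSED
AXFR_OK_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8400, 1, 3, 0, 0)         # QR AA, 3 answers
AXFR_REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8405, 1, 0, 0, 0)    # QR AA, rcode REFUSED

if __name__ == "__main__":
    # usage: python probe.py <server-ip> <zone>   (placeholders; needs network)
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        print("offline self-check:", recursion_offered(OPEN_RESOLVER_REPLY),
              axfr_accepted(AXFR_OK_REPLY))
```

For a zone with several nameservers, run `probe` against each of them separately, since transfer and recursion policy are per-server settings and a secondary is as often the one left open as the primary.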
