Mark Foster writes:
> Also, allowing axfr on a large zone is proportionately more
> problematic with regard to loss of bandwidth in the event of DOS
> attack.

I wouldn't take that particular problem too seriously (loss of bandwidth in the event of DoS attack due to AXFRs). When your servers are under DoS, then the bandwidth expended on AXFRs will decrease quickly - that's a benefit of using TCP for AXFRs.

Unless you have very many AXFRs going on in parallel - and that in itself is a more serious risk, because every TCP connection takes up resources in the server, and at some point it won't be able to handle AXFRs to/from its actual slaves/masters.

Regards,
-- Simon.

dnsop resources:
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
