[nsd-users] Unsecured zone transfers and open resolvers
Shane Kerr
shane at isc.org
Thu Jul 19 09:50:10 UTC 2012
Valentin,
On Wednesday, 2012-07-18 23:16:16 +0300,
Valentin Bud <valentin at databus.ro> wrote:
>
> I have encountered in my DNS studies a few name servers that let you
> transfer zones they are authoritative for.
> Do you consider the above as being a security vulnerability?
I do not. I find the various recommendations on "securing a DNS server"
to be largely unnecessary.
I leave all of my zones open for AXFR. I also sign my zones with NSEC
rather than NSEC3. I leave version.bind enabled on my hosts.
As far as I know none of this has caused any security problems.
Then again, I use Facebook and Google, and put my e-mail address on my
web page, so I'm not very careful about keeping information private.
YMMV.
--
Shane