[nsd-users] Unsecured zone transfers and open resolvers

Arnt Gulbrandsen arnt at gulbrandsen.priv.no
Thu Jul 19 08:17:24 UTC 2012

On 07/18/2012 10:16 PM, Valentin Bud wrote:
> This led me to the conclusion that the sys admins don't pay enough
> attention or don't really know or understand DNS technology.

Here's a list of what you get when you restrain zone transfers:

  - security through obscurity
  - somewhat lighter load (on RAM, CPU or network)
  - a headache when some fool moves a server late on Friday

Add it up for yourself. Is the risk of running out of RAM bigger than 
the risk of someone reorganizing services and getting the ACLs wrong? Is 
security through obscurity something mildly desirable or something you 
want to avoid?


