[nsd-users] Unsecured zone transfers and open resolvers

Dmitry Kohmanyuk dk at hostmaster.ua
Thu Jul 19 12:17:19 UTC 2012

On Jul 19, 2012, at 11:17 AM, Arnt Gulbrandsen wrote:

> On 07/18/2012 10:16 PM, Valentin Bud wrote:
>> This led me to the conclusion that the sys admins don't pay enough
>> attention or don't really know or understand DNS technology.

It can be by omission, or by decision.  There is a difference between corporate domain and TLD or hosting company approaches.

> Here's a list of what you get when you restrain zone transfers:
> - security through obscurity
> - somewhat lighter load (on ram, cpu or network)
> - a headache when some fool moves a server late on Friday

The latter is mitigated by using TSIG keys for all transfers (highly recommended) or perhaps IP network ACLs (so if the DNS slave address
changes "slightly" it would still work).

> Add it up for yourself. Is the risk of running out of RAM bigger than the risk of someone reorganizing services and getting the ACLs wrong? Is security through obscurity something mildly desirable or something you want to avoid?

Obscurity is *not* security.

DNSSEC was designed with the NXT (renamed to NSEC) RR type.  Only much later was the NSEC3 type added.
The root zone uses NSEC, so they can as well allow AXFR.

By the way, even with NSEC3 one can still find out which RR types a name uses (that cannot be obscured).
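As an added illustration of the TSIG-plus-ACL point above (not part of the original thread), here are nsd.conf excerpts for a primary and a secondary: the open transfer setting is shown commented out next to one that requires a TSIG key and restricts the source network. The zone name, addresses, key name and secret are placeholders.

```conf
# Added example, not from the nsd-users thread.  example.com, 192.0.2.x,
# "xfr-key" and the secret are placeholders.

# --- primary server: nsd.conf ---

# TSIG key shared with the secondaries.  The secret must be base64; this
# placeholder is deliberately NOT valid base64, so nsd-checkconf will reject
# the file until you replace it, e.g. with the output of:
#   dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64
key:
    name: "xfr-key"
    algorithm: hmac-sha256
    secret: "PLACEHOLDER-REPLACE-WITH-RANDOM-BASE64"

zone:
    name: "example.com"
    zonefile: "example.com.zone"

    # Weak: any host on the Internet may AXFR the zone, no key required.
    # provide-xfr: 0.0.0.0/0 NOKEY

    # Hardened: transfers must be signed with xfr-key AND come from the
    # secondaries' subnet.  A "slight" address change inside that /24
    # (the Friday-evening server move) still works; an unsigned request
    # or one from outside the subnet is refused.
    provide-xfr: 192.0.2.0/24 xfr-key

    # NOTIFY to the secondary is signed with the same key.
    notify: 192.0.2.53 xfr-key

# --- secondary server: nsd.conf (same key: block as above) ---

zone:
    name: "example.com"
    zonefile: "example.com.zone"

    # Only accept NOTIFY from the primary, and only when TSIG-signed.
    allow-notify: 192.0.2.1 xfr-key

    # Pull the zone from the primary, signing the AXFR request with the key.
    request-xfr: 192.0.2.1 xfr-key
```

Run nsd-checkconf on each file after editing; a zone transfer attempted without the key, or from an address outside 192.0.2.0/24, should then be refused by the primary.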
