[nsd-users] Unsecured zone transfers and open resolvers

Valentin Bud valentin at databus.ro
Fri Jul 20 07:27:59 UTC 2012

On 7/19/12 10:46 AM, Jan-Piet Mens wrote:
>> I have encountered in my DNS studies a few name servers that let you
>> transfer zones they are authoritative for.
> A number of TLD operators offer AXFR for their zones on purpose (e.g.
>          dig @xfr.lax.dns.icann.org . axfr
I am aware of that. But that's just one, you said that there are a 
number of TLDs. Which are the other ones? I am curious. Why don't TLDs 
like .com or .net or .de offer AXFR for their zones? I guess that . 
offers it for improvement of the infrastructure as a whole. As FreeBSD's 
BIND states:
         "Slaving the following zones (., arpa) from the root name 
         servers has some significant advantages:
         1. Faster local resolution for your users
         2. No spurious traffic will be sent from your network to the roots
         3. Greater resilience to any potential root server failure/DDoS"

And to answer my question about AXFR from the .com TLD: I guess they don't 
do it because that would burden their servers and a lot of AXFRs would 
lead to DoS.
>> This led me to the conclusion that
>> the sys admins don't pay enough attention or don't really know or
>> understand DNS technology.
> They do. Really. :)
I don't have a strong argument against this so I agree with you for now. As I 
have said, I don't mean to offend anyone. Although I have a real scenario 
in mind. A guy that works for a local university dealing with PR and 
other stuff is in charge of the DNS server for a specific department. 
The guy is smart, but for sure he doesn't *really* understand DNS 
technology. And that's no offense, he knows that too. In my name space 
these kinds of scenarios are easy to find.

Thank you very much for your thoughts JP.

Cheers and Goodwill,
Valentin Bud
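As an added example (not from this thread, and not configuration shipped by the NSD project), here is what the two sides of the discussion look like in nsd.conf: a zone that answers AXFR only to one TSIG-authenticated secondary, next to a copy of the root zone slaved from ICANN's open AXFR service the way the FreeBSD note describes. The zone name example.org, the secondary address 192.0.2.10 (documentation space) and the TSIG secret are constructed for the example; 192.0.32.132 is assumed to be the address of xfr.lax.dns.icann.org and should be re-checked with `dig xfr.lax.dns.icann.org A AAAA` before use.

```conf
# Added example nsd.conf fragment; not from the thread or the NSD project.
# nsd.conf is "attribute: value" lines grouped under key:/zone: headers.

key:
    name: "ns2-xfr-key"
    algorithm: hmac-sha256
    # Constructed placeholder (base64 of "0123456789abcdef0123456789abcdef").
    # Generate a real one with:  dd if=/dev/urandom bs=32 count=1 | base64
    secret: "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY="

zone:
    name: "example.org"
    zonefile: "example.org.zone"
    # Only the listed secondary may pull the zone, and only when it signs
    # the request with the key above. Anyone else running
    #   dig @ns1.example.org example.org axfr
    # gets "Transfer failed." NSD refuses transfers for a zone that has
    # no provide-xfr line at all, so the open-transfer case the thread
    # describes needs an explicit entry such as "0.0.0.0/0 NOKEY".
    provide-xfr: 192.0.2.10 ns2-xfr-key
    notify: 192.0.2.10 ns2-xfr-key

zone:
    name: "."
    zonefile: "root.zone"
    # Slave the root zone from ICANN's public AXFR server, as in the
    # FreeBSD note quoted above. 192.0.32.132 is assumed to be
    # xfr.lax.dns.icann.org; verify with "dig xfr.lax.dns.icann.org A".
    request-xfr: 192.0.32.132 NOKEY
    allow-notify: 192.0.32.132 NOKEY
```

Two caveats. First, the check for the "unsecured zone transfer" case is simply to run `dig @<your-server> <zone> axfr` from a host that is not listed in provide-xfr: a correctly locked-down server answers "Transfer failed." rather than listing records. Second, NSD is authoritative-only, so the three advantages in the FreeBSD quote (local resolution, no traffic to the roots, resilience) only materialise if your recursive resolver is configured to use this local copy of "."; slaving the root zone onto an authoritative server that nobody queries for it changes nothing for your users.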

