[nsd-users] Unsecured zone transfers and open resolvers

Shane Kerr shane at isc.org
Thu Jul 19 09:50:10 UTC 2012


On Wednesday, 2012-07-18 23:16:16 +0300, 
Valentin Bud <valentin at databus.ro> wrote:
> I have encountered in my DNS studies a few name servers that let you 
> transfer zones they are authoritative for.

> Do you consider the above as being a security vulnerability?

I do not. I find the various recommendations on "securing a DNS server"
to be largely unnecessary.

I leave all of my zones open for AXFR. I also sign my zones with NSEC
rather than NSEC3. I leave version.bind enabled on my hosts.

As far as I know none of this has caused any security problems.

Then again, I use Facebook and Google, and put my e-mail address on my
web page, so I'm not very careful about keeping information private.


More information about the nsd-users mailing list