Re: debian.org DNSs allow unrestricted zone transfers

To: Abel Martín <abel.martin.ruiz@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: debian.org DNSs allow unrestricted zone transfers
From: Henrique de Moraes Holschuh <hmh@debian.org>
Date: Wed, 16 May 2007 10:57:38 -0300
Message-id: <20070516135738.GD13063@khazad-dum.debian.net>
In-reply-to: <915136920705150456u29311c79ra4aa91237f067f9d@mail.gmail.com>
References: <915136920705150456u29311c79ra4aa91237f067f9d@mail.gmail.com>

On Tue, 15 May 2007, Abel Martín wrote:
> I thought zone transfers should only be possible between DNSs which
> have records for the same domain, so why are debian.org DNSs (raff,

Only if you have a reason to hide who is in your domain.

> possibility of suffering DoS attacks (it serves 254 records). Is there
> an explanation for this?

Well, I am not sure about the DoS possibilities, but I take advantage of the
fact that it allows zone tranfers to have a local mirror of @d.o in my bind
resolver.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to:

References:
- debian.org DNSs allow unrestricted zone transfers
  - From: "Abel Martín" <abel.martin.ruiz@gmail.com>

Prev by Date: Re: [SECURITY] [DSA 1292-1] New qt4-x11 packages fix cross-site scripting vulnerability
Next by Date: Re: [SECURITY] [DSA 1291-1] New samba packages fix multiple vulnerabilities
Previous by thread: Re: debian.org DNSs allow unrestricted zone transfers
Next by thread: Re: [SECURITY] [DSA 1291-1] New samba packages fix multiple vulnerabilities
Index(es):
- Date
- Thread