So here is Bill's point: It's public data. If it ain't public, don't
put it in the public database. If it is in the public database, don't
expect it to stay private.
I can agree with that. I also agree I would make a best effort stab at
limiting zone transfers. As Bill pointed out, I just wouldn't expect
that no one except those people I think should get the zone would be the
only ones to get the zone.
Hattie Rouge
> -----Original Message-----
> From: bind9-users-bounce@xxxxxxx
> [mailto:bind9-users-bounce@xxxxxxx] On Behalf Of Bill Manning
> Sent: Tuesday, May 27, 2003 1:13 PM
> To: Pavel Urban
> Cc: bind9-users@xxxxxxx; bmanning@xxxxxxx
> Subject: Re: zone transfers: allow anyone (fwd)
>
>
> % > no, i presume that some kind soul has created the one
> % > line of perl and that it has been integrated into a
> % > "point/click" GUI that your ASK will download and use.
> %
> % Please, could you be more specific? How do you want to get a list of
> % hosts from DNS when you are not allowed to get it and don't know the
> % names of machines? Are you going to generate every possible string? Just
> % curious...
>
> yes.
>
> % > operationally, you now have to keep up with the list of
> % > "valid" servers that are allowed to xfer zones. whats
> % > one more "tiny, wafer-thin" special execption list to
> % > track? :)
> %
> % Our slaves and our TLD registrar. Who else should be allowed?
>
> the contractors for your TLD registrar, the registry, the
> customers of the TLD who are allowed to contractually xfr
> any data they have, DNS researchers, anyone who operates
> a caching nameserver, the list goes on and on...
>
>
> % > % You are absolutely correct, it is a public, hostile database. And when
> % > % you operate in hostile environs, you take every measure you can to
> % > % protect yourself, or your data, in this case.
> % >
> % > but its not your data... its public data. your job is to
> % > ensure that folks on the net have access to it.
> %
> % That's like some spammer said 'email addresses are just public data, why
> % is it that I cannot send you my ads?' Publishing this data has some
> % meaning. It should serve people to reach my servers, nothing more. I
> % don't want to tell that we have several www servers for testing that
> % should be visible from outside, for example.
>
> if data in the DNS is queryable, it's public. If you don't want
> it public, don't put it in the DNS (as seen by the Internet).
> email addresses are not public data. there is no analogy to
> DNS data storage, replication and publication.
>
>
> --bill
> Opinions expressed may not even be mine by the time you read
> them, and certainly don't reflect those of any other entity
> (legal or otherwise).
>
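The "best effort stab at limiting zone transfers" discussed above, shown as a BIND 9 named.conf fragment. This is an added illustration, not configuration posted by anyone in the thread: the zone name, the secondary's address 192.0.2.2 and the TSIG key name are assumed placeholders, and the secret is a placeholder to be replaced with output from a key-generation tool. The first zone shows the permissive setting the subject line refers to; the second restricts AXFR to a named secondary that must also sign its request with the shared key. As Bill's point makes clear, this limits bulk disclosure of the zone but does not make any individual record private, since every published name still answers ordinary queries.

```conf
# Shared secret for signing zone-transfer requests (TSIG).
# "xfer-key" and the secret below are placeholders, not real values.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

# Weak: any host on the Internet may pull the whole zone.
zone "weak.example" {
    type master;
    file "weak.example.zone";
    allow-transfer { any; };
};

# Restricted: only the secondary at 192.0.2.2 (assumed address),
# and only when its request is signed with "xfer-key", may AXFR.
# Ordinary queries for individual records remain public as before.
zone "restricted.example" {
    type master;
    file "restricted.example.zone";
    allow-transfer { !{ !192.0.2.2; any; }; key "xfer-key"; };
    also-notify { 192.0.2.2; };
};
```

The nested match list rejects any source other than 192.0.2.2 before the key check is reached, so an unsigned request from the secondary and a signed request from anywhere else are both refused. If address pinning is not wanted (for example when the secondary's address changes), `allow-transfer { key "xfer-key"; };` alone enforces the key requirement.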