
Re: axfr-clarify supporting unauthorized users




Mark.Andrews@isc.org writes:
> "Does your server meet RFC 1034 and return REFUSED under these conditions?"

Have you stopped beating your wife, Mark?

It is entirely up to the primary to decide who the secondaries are. RFC
1034 imposes no constraints on this decision. A non-secondary asking for
AXFR is violating the protocol (specifically, the text that you quoted),
and has no right to a response.

> I suspect that the DNS administrators of most ISPs curse your stupid decision
> when trying to set up secondary service for one of their customers who
> is using your servers but forgot to adjust the access controls.

Funny how nobody has ever complained about that.

Maybe this is because step 3 of my upgrade-from-BIND instructions tells
people to authorize zone transfers from their third-party servers. Or
maybe it's because nobody actually gives a damn whether the AXFR client
prints useless error message #1 or useless error message #2---all the
useful information is on the server side.

Next, I suppose, you're going to demand that everybody have BIND-style
promiscuous defaults, so that users who ``forgot to adjust the access
controls'' don't have to be bothered fixing their configurations.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
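
The two behaviours argued over in this thread, REFUSED versus no response to an AXFR from a non-secondary, shown as an added Python sketch of a default-deny, per-zone transfer check; it is not code from this message or from either server discussed. The ACL, zone name, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

QTYPE_AXFR, RCODE_REFUSED = 252, 5

# Constructed policy (assumption): zone -> networks of its authorized secondaries.
# A zone or client not listed here gets no transfer: default deny.
TRANSFER_ACL = {"example.org.": [ipaddress.ip_network("192.0.2.53/32")]}

def build_query(qid, name, qtype):
    """Constructed sample input: a one-question DNS query in wire format."""
    labels = [l for l in name.split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (id, zone, qtype, end offset of the question section)."""
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        if n > 63:
            raise ValueError("compression pointer or invalid label")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii").lower())
        pos += 1 + n
    qtype, _qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return qid, ".".join(labels) + ".", qtype, pos + 5

def axfr_decision(msg, client_ip, send_refused=True):
    """Decide what the primary does with one request (TCP length prefix removed)."""
    try:
        qid, zone, qtype, end = parse_question(msg)
    except (ValueError, IndexError, struct.error):
        return ("drop", None)          # malformed: nothing to answer
    if qtype != QTYPE_AXFR:
        return ("drop", None)          # this sketch handles AXFR only
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in TRANSFER_ACL.get(zone, [])):
        return ("transfer", None)      # authorized secondary for this zone
    if not send_refused:
        return ("drop", None)          # close the connection without a reply
    # REFUSED reply: QR=1, RCODE=5, question echoed, no answer records.
    header = struct.pack("!HHHHHH", qid, 0x8000 | RCODE_REFUSED, 1, 0, 0, 0)
    return ("refuse", header + msg[12:end])
```

Either way the client learns only that the transfer did not happen; the reason (which address asked for which zone) is something the primary has to log itself.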


