Re: Full zone information disclosure on top level domain name servers

[Jim Reid <jim () rfc1035 com>]

> > > > > "Mans" == =?ISO-8859-1?Q?M=E5ns Nilsson?= <ISO-8859-1> writes:

    >> Many of top level domain (TLD) DNS servers do not implement any
    >> restrictions on AXFR query.

    Mans> And this is not a problem from an information disclosure
    Mans> point of view. If you believe you have a security problem
    Mans> when AXFR is possible for a given zone, you obviously have a
    Mans> very serious security problem in the rest of your systems
    Mans> since you so desperately need to hide them.

Indeed. And you have an even bigger security problem if you think that
preventing zone transfers will deny access to data that's entered into
the public DNS. This approach isn't even a credible attempt at
security by obscurity, which we should all realise is no security at
all. It's fuzzy and misplaced feeling of security though half-hearted
and ineffective obscurity.

BTW, many TLD registries restrict zone transfers for reasons other
than the operational ones Mans mentioned. For example, it reduces
cybersquatting by stupid/evil people who would like to have a copy of
the TLD zone file to see what domain names they can register. EU data
protection legislation is another.