To: Robert Martin-Legene <robert@dk-hostmaster.dk>
Cc: Zefram <zefram@fysh.org>, dnsop@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Fri, 19 Sep 2003 10:16:09 +0200
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.33.0309181742350.16621-100000@silent.dkhm>
Mail-Followup-To: Robert Martin-Legene <robert@dk-hostmaster.dk>, Zefram <zefram@fysh.org>, dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: Re: delegation-only ineffective

[On 18 Sep, @17:47, Robert wrote in "Re: delegation-only ineffectiv ..."]
> > be public. (Yes, I know, I'm an idealist.) If a formal requirement for
> > independent entities to be able to serve the zone prevents this kind of
> > secrecy, that'd be a nice bonus.
>
> I think the major reason that registries are blocking AXFR, is because it
> has become too common that people abuse the information that they obtain
> from it.
>
> I'm thinking if that isn't also a little bit of the reason why DNSSEC
> hasn't been deployed (in any TLDs?).

well, that is not entirely true... you can do a nxt-walk very easily. You
can also block such walks very easily. Just rate limit the amount of
nxt-queries per IP.

This is the same as the privacy issues concerning whois queries. Some
registries are also rate limiting that. Which is not 100% secure, but it
adds another barrier,

grtz Miek

--
NLnet Labs
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
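
The per-IP limit on NXT queries suggested in the message above, sketched as an added example that is not part of the original post or of any name server's code. The log tuple format `(timestamp, source IP, qname, qtype)`, the class and function names, the 5-per-10-seconds threshold and the sample addresses are all assumptions made for illustration.

```python
from collections import defaultdict, deque

NXT_QTYPE = "NXT"  # only this query type is counted; everything else passes


class NxtRateLimiter:
    """Sliding-window limit on NXT queries per source IP (hypothetical helper)."""

    def __init__(self, max_queries, window_seconds):
        self.max_queries = max_queries
        self.window = window_seconds
        self._seen = defaultdict(deque)  # source IP -> timestamps of allowed NXT queries

    def allow(self, ts, src_ip, qtype):
        if qtype.upper() != NXT_QTYPE:
            return True  # ordinary lookups are never throttled
        q = self._seen[src_ip]
        while q and ts - q[0] >= self.window:
            q.popleft()  # forget queries that fell out of the window
        if len(q) >= self.max_queries:
            return False  # over budget: refuse (or drop) this NXT query
        q.append(ts)
        return True


def replay(log, limiter):
    """Feed (ts, ip, qname, qtype) entries through the limiter; count refusals per IP."""
    refused = defaultdict(int)
    for ts, ip, _qname, qtype in log:
        if not limiter.allow(ts, ip, qtype):
            refused[ip] += 1
    return dict(refused)


def sample_log():
    """Constructed query log: one client enumerating via NXT, one normal resolver."""
    log = []
    for i in range(20):  # 20 NXT queries in under 10 seconds from one address
        log.append((i * 0.5, "192.0.2.10", f"name{i:02d}.example.", "NXT"))
    for i in range(20):  # ordinary A lookups from a resolver
        log.append((i * 0.5 + 0.1, "198.51.100.7", f"www{i}.example.", "A"))
    log.append((3.0, "198.51.100.7", "a.example.", "NXT"))  # occasional NXT is fine
    log.append((8.0, "198.51.100.7", "b.example.", "NXT"))
    log.sort(key=lambda entry: entry[0])
    return log


if __name__ == "__main__":
    print(replay(sample_log(), NxtRateLimiter(max_queries=5, window_seconds=10)))
```
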