To: Robert Martin-Legene <robert@dk-hostmaster.dk>
Cc: Zefram <zefram@fysh.org>, dnsop@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Fri, 19 Sep 2003 10:16:09 +0200
Content-Disposition: inline
In-Reply-To: <Pine.GSO.4.33.0309181742350.16621-100000@silent.dkhm>
Mail-Followup-To: Robert Martin-Legene <robert@dk-hostmaster.dk>, Zefram <zefram@fysh.org>, dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: Re: delegation-only ineffective

[On 18 Sep, @17:47, Robert wrote in "Re: delegation-only ineffectiv ..."]
> > be public. (Yes, I know, I'm an idealist.) If a formal requirement for
> > independent entities to be able to serve the zone prevents this kind of
> > secrecy, that'd be a nice bonus.
>
> I think the major reason that registries are blocking AXFR is because it
> has become too common that people abuse the information that they obtain
> from it.
>
> I'm thinking if that isn't also a little bit of the reason why DNSSEC
> hasn't been deployed (in any TLDs?).

Well, that is not entirely true... you can do a nxt-walk very easily. You can
also block such walks very easily. Just rate limit the amount of nxt-queries
per IP.

This is the same as the privacy issues concerning whois queries. Some registries
are also rate limiting that. Which is not 100% secure, but it adds another barrier.

grtz Miek
--
NLnet Labs
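
The per-IP limit on NXT answers suggested in the message above, as an added example that is not part of the original e-mail or of any name server's code. The class name, the threshold of 5 NXT answers per 10 seconds, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class NxtRateLimiter:
    """Sliding-window limit on NXT-bearing (denial-of-existence) answers per source IP."""

    def __init__(self, max_nxt=5, window=10.0):
        self.max_nxt = max_nxt            # NXT answers allowed per window (assumed value)
        self.window = window              # window length in seconds (assumed value)
        self._seen = defaultdict(deque)   # source IP -> timestamps of NXT answers sent

    def allow(self, src_ip, now, returns_nxt):
        """Return True if the answer may be sent, False if it should be refused."""
        if not returns_nxt:
            return True                   # positive answers are never limited
        stamps = self._seen[src_ip]
        # Forget NXT answers that have aged out of the window.
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()
        if len(stamps) >= self.max_nxt:
            return False                  # budget used up: refuse this answer
        stamps.append(now)
        return True


def replay(limiter, events):
    """Feed (time, ip, returns_nxt) events to the limiter; return refusals per IP."""
    refused = defaultdict(int)
    for now, ip, returns_nxt in events:
        if not limiter.allow(ip, now, returns_nxt):
            refused[ip] += 1
    return dict(refused)


# Constructed sample traffic (documentation addresses, not real data).
# One client draws 20 NXT answers in 10 seconds, as a zone walk would.
WALKER = [(t * 0.5, "192.0.2.10", True) for t in range(20)]
# An ordinary resolver hits a single nonexistent name among normal lookups.
NORMAL = [(0.0, "198.51.100.7", False),
          (3.0, "198.51.100.7", True),
          (8.0, "198.51.100.7", False)]
EVENTS = sorted(WALKER + NORMAL)

if __name__ == "__main__":
    print(replay(NxtRateLimiter(max_nxt=5, window=10.0), EVENTS))
```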