[Pdns-dev] allow-axfr-ips

Norbert Sendetzky norbert at linuxnetworks.de
Mon Aug 4 12:12:20 CEST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Bert

I've attached a patch to adapt the description of allow-axfr-ips to 
the new behaviour.

Furthermore I've seen that for disable-axfr two options are defined:
- arg().set("disable-axfr","Do not allow zone transfers")="no";
- arg().setSwitch("disable-axfr","Disable zonetransfers but do allow TCP queries")="no";
Why?

Shouldn't we either set disable-axfr=yes or set 
allow-axfr-ips=127.0.0.1 by default for security reasons? Maybe 
somebody could use AXFR requests of large zones to produce denial of 
service attacks.


Norbert

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj8uI3QACgkQxMLs5v5/7eCQjwCgpSL7KF3wtlLtK+k0kWeqQ9R9
HsQAniMUyvGhmOoRZYK32rhUrLQYzYMj
=v9ZH
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: allow_axfr_ips.diff
Type: text/x-diff
Size: 738 bytes
Desc: not available
Url : http://mailman.powerdns.com/pipermail/pdns-dev/attachments/20030804/c8c21641/allow_axfr_ips.bin

