[Owasp-leaders] Zone transfer

Rory McCune rorym at nmrconsult.net
Thu Apr 8 05:00:22 EDT 2010


On Thu, Apr 8, 2010 at 9:49 AM, OWASP Geneva Chapter
<antonio.fontes at owasp.org> wrote:
> On 8 April 2010 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no> wrote:
>> Hi
>> I see this message popping up from time to time on twitter, that owasp.org
>> is vulnerable to zone transfer.
>> I guess that’s something we want to fix.
>> “RT @maxisoler: +1 WTF?! RT: @Jabra: Wtf owasp.org is still vulnerable to
>> zone transfer!”
>> Erlend
>
> Hi Leaders,
>
> The initial security requirement dictates that zone content disclosure
> should be restricted in order to reduce the risk of hidden/internal
> host disclosure (which we could even argue is a "security by
> obscurity" practice).
>
> Keeping it open might also mean we did our work correctly, applied
> basic risk assessment, and stuck to our "openness" principle.
>
> (okay okay, devil's advocate now heading towards the exit door)
>
> Antonio
>
I'd agree that there shouldn't be "private" information available
in public DNS, as there are other ways (e.g., DNS brute-force) to get
access to that kind of information.

That said, from a PR perspective, it may not look good for us to have
something present in our security posture which is generally
considered a "bad thing", so probably worth changing...

my 0.02 of local currency.

cheers

Rory
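
For readers who want to see what "changing it" looks like in practice, the following is an added illustration, not configuration from owasp.org or from anyone in this thread. It assumes the zone is served by BIND 9 (the most common case for this kind of finding) and shows the open setting beside a restricted one; the zone name, IP addresses and key name are placeholders.

```conf
// --- Weak: anyone can pull the whole zone with "dig @ns1.example.org example.org AXFR".
// Older BIND releases behaved this way by default when allow-transfer was not set.
options {
    allow-transfer { any; };
};

// --- Restricted: deny transfers globally, then allow them per zone only to
// secondaries that sign the request with a shared TSIG key.
// (Hypothetical key name and addresses; generate the secret with "tsig-keygen xfer-key"
// on current BIND and paste the resulting base64 value in place of the placeholder.)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    allow-transfer { none; };           // default deny for every zone
};

zone "example.org" {
    type master;                        // "primary" on BIND 9.16 and later
    file "zones/db.example.org";
    allow-transfer { key "xfer-key"; }; // only TSIG-signed requests from our secondaries
    also-notify { 192.0.2.53; };        // secondary that should be told about updates
};
```

After reloading, re-run the same unauthenticated `dig ... AXFR` from outside: the expected result is a "Transfer failed." message rather than the zone listing, while a transfer signed with the key (`dig -y hmac-sha256:xfer-key:<secret> @ns1.example.org example.org AXFR`) still succeeds from the secondaries. As the message above notes, this only removes the easy enumeration path; anything that should not be public must simply not be in the public zone.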
