[Owasp-leaders] Zone transfer

Rogan Dawes rogan at dawes.za.net
Fri Apr 9 17:01:04 EDT 2010

On 2010/04/09 9:12 PM, Ralph Durkee wrote:
> I think the main risk comes not so much from the zone transfers, but if
> they don't seem to understand the need to implement minimal features and
> least privileged then what else is it they may not be understanding or
> may not be doing.  Did the ISP provide a reason why zone transfers need
> to be wide open for the OWASP domain?  
> -- Ralph

The only valid reason to allow zone transfers is to allow secondary NS
to obtain updates from the primary NS.

Now, if you don't know who all the secondary NS are, then "allowing all"
is the only way to maintain a functional NS infrastructure (other than
making all NS primary rather than secondary, that is).

Basically, if the Primary NS provider is not also providing secondary
NS, then they pretty much HAVE to allow zone transfers.

Seriously, though, I'm amazed that there is all this action on a stupid
(really stupid) (not even) "vulnerability", when a real problem that
OWASP SHOULD do something about is flying under the radar - namely the
Google search being done over non-SSL even for SSL pages, leading to a
"mixed secure/non-secure content" warning, as highlighted by Ivan Ristic
on twitter not too long ago (although I seem to recall raising it with
Larry about a year or two ago?).


> Laurence Casey wrote:
>> I agree entirely on the reason for not allowing zone transfers. BUT……
>> Allowing them in itself is not a “Security Risk”. It is how people use
>> DNS that becomes the risk. Just a blanket statement of not allowing
>> them is no justification for considering a site insecure.
>> Agree, not knowing of a compromise is irrelevant. Rephrase- What
>> compromise would have occurred? Nothing sensitive has ever been in our
>> DNS. And as long as I am in control of the DNS records, nothing will
>> ever be. I can guarantee that.
>> All that and, if it were my DNS servers, I would not allow it just so
>> people can’t tell me this same information. I’m still not seeing the
>> vulnerability here, but I would be happy to take up Ralph’s offer for
>> a DNS server that does not allow zone transfers.
>> --Larry
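
The restriction Rogan describes above (transfers only to the secondaries, "allow all" only when they are unknown) as a BIND 9 configuration, added here as an example and not taken from the thread or from OWASP's actual DNS; the key name, secret placeholder, zone name and RFC 5737 addresses are constructed:

```conf
// BEFORE (the "allow all" case from the thread): any host may AXFR/IXFR every zone.
//   options { allow-transfer { any; }; };
//
// AFTER: deny transfers globally, then permit only the known secondaries,
// authenticated with a TSIG key so a spoofed source address is not enough.

// Constructed TSIG key; generate the real secret with `tsig-keygen` (BIND 9).
key "xfer-secondary" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

// Constructed addresses of the secondary name servers (RFC 5737 ranges).
acl "secondaries" {
    192.0.2.53;
    198.51.100.53;
};

options {
    // Least privilege by default: no zone is transferable unless it opts in.
    allow-transfer { none; };
};

zone "example.org" {
    type primary;
    file "/var/named/example.org.zone";
    // Transfers require both a listed source address and the shared TSIG key.
    allow-transfer { !{ !secondaries; any; }; key "xfer-secondary"; };
    // Tell the secondaries to pull promptly after the zone changes.
    also-notify { 192.0.2.53; 198.51.100.53; };
};
```

The secondaries to list are the servers published in the zone's own NS records; if the provider of the primary cannot enumerate them, that is the situation Rogan describes in which "allow all" is the only setting that keeps the zone in sync.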
