[Owasp-leaders] Zone transfer

Laurence Casey larry.casey at owasp.org
Fri Apr 9 20:36:33 EDT 2010

Thanks for your input on DNS, Rogan.

The Google search has been fixed and broken so many times, you probably just
missed when it was working correctly. I did some custom coding to handle the
SSL problem that didn't make it to the upgraded MediaWiki. All the code did
was make externally loaded content that does not support connections over
SSL available. Other than being an annoyance, I don't really care if my
searches through Google are secure since everything there is public.


-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Rogan Dawes
Sent: Friday, April 09, 2010 5:01 PM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Zone transfer

On 2010/04/09 9:12 PM, Ralph Durkee wrote:
> I think the main risk comes not so much from the zone transfers, but if
> they don't seem to understand the need to implement minimal features and
> least privilege, then what else is it they may not be understanding or
> may not be doing?  Did the ISP provide a reason why zone transfers need
> to be wide open for the OWASP domain?
> -- Ralph

The only valid reason to allow zone transfers is to allow secondary NS
to obtain updates from the primary NS.

Now, if you don't know who all the secondary NS are, then "allowing all"
is the only way to maintain a functional NS infrastructure (other than
making all NS primary rather than secondary, that is).

Basically, if the Primary NS provider is not also providing secondary
NS, then they pretty much HAVE to allow zone transfers.

Seriously, though, I'm amazed that there is all this action on a stupid
(really stupid) (not even) "vulnerability", when a real problem that
OWASP SHOULD do something about is flying under the radar - namely the
Google search being done over non-SSL even for SSL pages, leading to a
"mixed secure/non-secure content" warning, as highlighted by Ivan Ristic
on twitter not too long ago (although I seem to recall raising it with
Larry about a year or two ago?).


> Laurence Casey wrote:
>> I agree entirely on the reason for not allowing zone transfers. BUT..
>> Allowing them in itself is not a "Security Risk". It is how people use
>> DNS that becomes the risk. Just a blanket statement of not allowing
>> them is no justification for considering a site insecure.
>> Agree, not knowing of a compromise is irrelevant. Rephrase: what
>> compromise would have occurred? Nothing sensitive has ever been in our
>> DNS. And as long as I am in control of the DNS records, nothing will
>> ever be. I can guarantee that.
>> All that and, if it were my DNS servers, I would not allow it just so
>> people can't tell me this same information. I'm still not seeing the
>> vulnerability here, but I would be happy to take up Ralph's offer for
>> a DNS server that does not allow zone transfers.
>> --Larry

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
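The restriction Rogan describes above (zone transfers only to the secondary name servers, not to "any") expressed as a BIND 9 named.conf fragment. This is an added example, not configuration from this thread, from OWASP or from its ISP; the zone name, addresses and key name are hypothetical, and the TSIG secret is a placeholder to be replaced with one generated by `tsig-keygen`.

```conf
// --- Weak: the setting the thread is arguing about ---
// Anyone on the Internet can pull the whole zone with AXFR.
zone "example.org" {
    type master;                      // "primary" in BIND 9.16 and later
    file "zones/example.org.db";
    allow-transfer { any; };
};

// --- Hardened: transfers only to known, authenticated secondaries ---
// TSIG key shared between primary and secondary; generate with
//   tsig-keygen -a hmac-sha256 ns2-transfer
// and paste the resulting clause here. The secret below is a placeholder.
key "ns2-transfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-OUTPUT-OF-tsig-keygen";
};

// Hypothetical addresses of the secondary name servers.
acl "secondaries" { 192.0.2.53; 2001:db8::53; };

options {
    allow-transfer { none; };         // global default: deny AXFR/IXFR
    notify yes;                       // push NOTIFY so secondaries pull promptly
};

zone "example.org" {
    type master;
    file "zones/example.org.db";
    // Authenticate by TSIG key (preferred; source IPs can be spoofed).
    // If the secondary cannot do TSIG, fall back to the address list:
    //   allow-transfer { secondaries; };
    allow-transfer { key "ns2-transfer"; };
    also-notify { 192.0.2.53; };
};

// Sign outgoing traffic to the secondary with the same key.
server 192.0.2.53 { keys { "ns2-transfer"; }; };

// --- Matching fragment on the secondary (192.0.2.53) ---
// zone "example.org" {
//     type slave;                    // "secondary" in BIND 9.16 and later
//     file "zones/example.org.db";
//     masters { 192.0.2.1 key "ns2-transfer"; };   // "primaries" in newer BIND
// };
```

To check the result from a host that is not a listed secondary, run `dig @ns1.example.org example.org AXFR`: with the hardened configuration dig reports "; Transfer failed." instead of printing every record. This also covers the case Rogan raises where the primary's provider does not know the secondaries: the secondaries only need to present the TSIG key, so the primary never has to open transfers to "any".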