[Owasp-leaders] Zone transfer

Rogan Dawes rogan at dawes.za.net
Wed Jun 9 08:28:58 EDT 2010

On 2010/06/09 2:26 PM, Victor Chapela wrote:
> I agree completely with promoting proper risk management.
> I suggest we add three or four A records to the DNS, that when
> transfered, state this point. These records could be:
> "zone-transfers-intentionally-left-on",
> "our-DNS-information-has-been-classified-as-public",
> "the-risk-of-sharing-this-information-has-been-determined-to-be-very-low-or-non-existant"
> and
> "in-accordance-with-risk-management-best-practices-this-risk-has-been-accepted".
>  Finally, we could have zone-transfer.owasp.org pointing to a page
> that explains our risk management philosophy. This page could be
> titled "Why do we leave our DNS zone transfer on?"
> Regards, Victor Chapela

Hehe, I like that approach.

If anyone is actually looking at the results from doing the AXFR, they 
will avoid making a fool of themselves.

Otherwise . . .


More information about the OWASP-Leaders mailing list