[Owasp-leaders] Zone transfer

Jeff Williams jeff.williams at owasp.org
Thu Jun 10 18:25:28 EDT 2010


I sent a message to Larry - anyone willing to put together a wiki page on
the subject so it's ready?  We should be able to pull from the (extensive
shall we say) discussion on the list.

--Jeff

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Rogan Dawes
Sent: Wednesday, June 09, 2010 8:29 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Zone transfer

On 2010/06/09 2:26 PM, Victor Chapela wrote:
> I agree completely with promoting proper risk management.
>
> I suggest we add three or four A records to the DNS, that when
> transferred, state this point. These records could be:
> "zone-transfers-intentionally-left-on",
> "our-DNS-information-has-been-classified-as-public",
> "the-risk-of-sharing-this-information-has-been-determined-to-be-very-low-or-non-existant"
> and
> "in-accordance-with-risk-management-best-practices-this-risk-has-been-accepted".
>
>  Finally, we could have zone-transfer.owasp.org pointing to a page
> that explains our risk management philosophy. This page could be
> titled "Why do we leave our DNS zone transfer on?"
>
> Regards, Victor Chapela

Hehe, I like that approach.

If anyone is actually looking at the results from doing the AXFR, they 
will avoid making a fool of themselves.

Otherwise . . .

Rogan
_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


