[Owasp-leaders] Zone transfer

Christian Heinrich christian.heinrich at owasp.org
Fri Jun 11 07:35:46 EDT 2010


On Wed, Jun 9, 2010 at 10:26 PM, Victor Chapela <victor at sm4rt.com> wrote:
> I agree completely with promoting proper risk management.
> I suggest we add three or four A records to the DNS, that when transferred, state this point. These records could be: "zone-transfers-intentionally-left-on", "our-DNS-information-has-been-classified-as-public", "the-risk-of-sharing-this-information-has-been-determined-to-be-very-low-or-non-existant" and "in-accordance-with-risk-management-best-practices-this-risk-has-been-accepted".

You have not considered that people have short attention spans and
hence may not be aware of this convention until after the fact
e.g. people will type "quit" twice and then "exit" and then the DNS
Administrator will point out *after* they have terminated nslookup
that the other two "quit" commands had returned the CNAME "type.exit".

> Finally, we could have zone-transfer.owasp.org pointing to a page that explains our risk management philosophy. This page could be titled "Why do we leave our DNS zone transfer on?"

Considering http://taosecurity.blogspot.com/2010/02/thor-vs-clown.html
I won't recommend that OWASP go against popular opinion :)

Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
