#axfr — Public Fediverse posts

@unlambda @whitequark

The root and a few of its direct and indirect subdomains have publicly available data.

% tcp-socket-connect lax.xfr.dns.icann.org 53 axfr-get uri.arpa uri uri.tmp

There is a list of these.

https://news.ycombinator.com/item?id=44318136

#DNS #AXFR #Estonia

@unlambda @whitequark

The root and a few of its direct and indirect subdomains have publicly available data.

% tcp-socket-connect lax.xfr.dns.icann.org 53 axfr-get uri.arpa uri uri.tmp

There is a list of these.

https://news.ycombinator.com/item?id=44318136

#DNS #AXFR #Estonia

@unlambda @whitequark

The root and a few of its direct and indirect subdomains have publicly available data.

% tcp-socket-connect lax.xfr.dns.icann.org 53 axfr-get uri.arpa uri uri.tmp

There is a list of these.

https://news.ycombinator.com/item?id=44318136

#DNS #AXFR #Estonia

@unlambda @whitequark

The root and a few of its direct and indirect subdomains have publicly available data.

% tcp-socket-connect lax.xfr.dns.icann.org 53 axfr-get uri.arpa uri uri.tmp

There is a list of these.

https://news.ycombinator.com/item?id=44318136

#DNS #AXFR #Estonia

@unlambda @whitequark

The root and a few of its direct and indirect subdomains have publicly available data.

% tcp-socket-connect lax.xfr.dns.icann.org 53 axfr-get uri.arpa uri uri.tmp

There is a list of these.

https://news.ycombinator.com/item?id=44318136

#DNS #AXFR #Estonia

When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375

When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375

When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375

When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375

When building a library, it's not just about providing features but getting the ergonomics right so that developers can take maximum advantage of the functionality provided. After several approaches, we're finally happy with #DNS Zone Transfers for our #OpenSource `domain` crate for #rustlang. #CodingInTheOpen #IXFR #AXFR #TSIG
https://github.com/NLnetLabs/domain/pull/375

I’ve received on my postmaster@ address a message from some security researchers warning me of the “insecure” #DNSSEC configuration of my domain, so for the record:

My domain (incenp.org) is configured to use #NSEC, and not #NSEC3, on purpose. This is not a misconfiguration. I weighed the pros and cons of NSEC3, and decided it was just not worth it.

Yes, people could use NSEC records to enumerate all the DNS records of my zone. So what?

Usually I am not a fan (and that’s an euphemism) of the “if you have nothing to hide, you have nothing to fear” argument, but in this case, there is really nothing to hide in my DNS zone. I would happily give a list of all the records (or even the original master zone file) to anyone who asks for it.

Actually last time I checked, one of the slave DNS servers I use was even configured to allow #AXFR requests from anywhere, and I never bothered to contact the admin of that server to ask him to do anything about it. So if you want the entirety of my zone’s records, don’t waste your time mounting a NSEC enumeration attack, just ask the right server.

I’ve received on my postmaster@ address a message from some security researchers warning me of the “insecure” #DNSSEC configuration of my domain, so for the record:

My domain (incenp.org) is configured to use #NSEC, and not #NSEC3, on purpose. This is not a misconfiguration. I weighed the pros and cons of NSEC3, and decided it was just not worth it.

Yes, people could use NSEC records to enumerate all the DNS records of my zone. So what?

Usually I am not a fan (and that’s an euphemism) of the “if you have nothing to hide, you have nothing to fear” argument, but in this case, there is really nothing to hide in my DNS zone. I would happily give a list of all the records (or even the original master zone file) to anyone who asks for it.

Actually last time I checked, one of the slave DNS servers I use was even configured to allow #AXFR requests from anywhere, and I never bothered to contact the admin of that server to ask him to do anything about it. So if you want the entirety of my zone’s records, don’t waste your time mounting a NSEC enumeration attack, just ask the right server.

I’ve received on my postmaster@ address a message from some security researchers warning me of the “insecure” #DNSSEC configuration of my domain, so for the record:

My domain (incenp.org) is configured to use #NSEC, and not #NSEC3, on purpose. This is not a misconfiguration. I weighed the pros and cons of NSEC3, and decided it was just not worth it.

Yes, people could use NSEC records to enumerate all the DNS records of my zone. So what?

Usually I am not a fan (and that’s an euphemism) of the “if you have nothing to hide, you have nothing to fear” argument, but in this case, there is really nothing to hide in my DNS zone. I would happily give a list of all the records (or even the original master zone file) to anyone who asks for it.

Actually last time I checked, one of the slave DNS servers I use was even configured to allow #AXFR requests from anywhere, and I never bothered to contact the admin of that server to ask him to do anything about it. So if you want the entirety of my zone’s records, don’t waste your time mounting a NSEC enumeration attack, just ask the right server.

We all hate #DNS, as it is the root of all evil. But, I have a #PowerDNS server here at Home that is managing all my domains. Now I want you all to be able to use the amazing domains I own like ben-on-vms.com. Should I replicate the #PowerDNS backend using #MySQL or #AXFR. The primary server is here at my home and the secondaries will be connected over a #wireguard #vpn. #vExpert #vCommunity #Homelab

We all hate #DNS, as it is the root of all evil. But, I have a #PowerDNS server here at Home that is managing all my domains. Now I want you all to be able to use the amazing domains I own like ben-on-vms.com. Should I replicate the #PowerDNS backend using #MySQL or #AXFR. The primary server is here at my home and the secondaries will be connected over a #wireguard #vpn. #vExpert #vCommunity #Homelab

@tolstoevsky Не обязательно #BIND9 aka #BIND, его много критикуют. Есть ещё #KnotDNS, #YADIFA и другие; а если не нужен #AXFR (все вторичные сервера свои, синхронизируются #rsync'ом), то #gdnsd (#NSD, по-моему, только для больших нагрузок, а на малых не уменьшает потребление памяти). Есть ещё маленький и экономичный #MaraDNS, но там надо изучать другой синтаксис файла зоны.

#DNS #NS

@tolstoevsky Не обязательно #BIND9 aka #BIND, его много критикуют. Есть ещё #KnotDNS, #YADIFA и другие; а если не нужен #AXFR (все вторичные сервера свои, синхронизируются #rsync'ом), то #gdnsd (#NSD, по-моему, только для больших нагрузок, а на малых не уменьшает потребление памяти). Есть ещё маленький и экономичный #MaraDNS, но там надо изучать другой синтаксис файла зоны.

#DNS #NS

@tolstoevsky Не обязательно #BIND9 aka #BIND, его много критикуют. Есть ещё #KnotDNS, #YADIFA и другие; а если не нужен #AXFR (все вторичные сервера свои, синхронизируются #rsync'ом), то #gdnsd (#NSD, по-моему, только для больших нагрузок, а на малых не уменьшает потребление памяти). Есть ещё маленький и экономичный #MaraDNS, но там надо изучать другой синтаксис файла зоны.

#DNS #NS

In case you ever need to test an #AXFR implementation or just want to play around with zone transfers:

I created a thing for such use cases: https://icanhazaxfr.com

In case you ever need to test an #AXFR implementation or just want to play around with zone transfers:

I created a thing for such use cases: https://icanhazaxfr.com