On 28 Sep 2004, at 18:27, David Farrar wrote:
> Umm, if the reply won't be off-topic, why do you think restricting access to the entire .nz zone file is a bad thing,
Because being able to do a zone transfer is useful to debug things, and because a policy which prevents enumeration of the records in a zone will block deployment of a signed zone containing NSEC records. That's the end of the operational part of the reply, if you could call it that.
> and did you put in a submission on the recent policy review?
Nope. I discovered long ago that the world is a much more pleasant place if I resist all temptation to involve myself in "policy" or "governance" issues, irony implied by punctuation intended. Besides, there are plenty of hard concrete walls here I can bang my head against, if I really feel the need; I don't need to go looking for others.
> There have been numerous examples of scammers using zone data combined with whois lookups to do mass spams and scams. Doing our bit to make this harder to do seems a good thing IMO.
There have also been uncountable examples of scammers using all kinds of non-zone data combined with whois lookups to do those things. I have not seen any convincing argument that allowing the zone to be retrieved (by NSEC chain walking, AXFR, FTP, HTTP, or any other method) will make any difference to this. If they can get your address, they can get your address -- who cares how they get it?
> I'm open to persuasion that the problems fixed by DNSSEC are a bigger threat than the scams made possible by zone access, but have yet to see a convincing argument.
I have yet to see a convincing argument that the threat of increased scamming due to open access to the zone imposes any additional threat at all. It seems odd to take the position that known threats against the DNS that we can defend against (with DNSSEC) take a back seat to nebulous threats which have not been demonstrated to exist.

Joe
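The following is an added example, not part of the message above or any code from the people in this thread. It shows the mechanism behind Joe's point about NSEC: once a zone is signed with NSEC, anyone can enumerate every owner name using nothing but NXDOMAIN answers, so a policy that forbids zone retrieval cannot be enforced against a chain walk. The zone name example.nz, its six owner names, and the toy authoritative server are all constructed for the example; the server mimics the RFC 4035 behaviour of returning the covering NSEC record on NXDOMAIN.

```python
"""NSEC chain walk, offline simulation (added example, not from the thread).

Assumptions, all constructed for this example: the zone name example.nz,
its six owner names, and a toy authoritative server that answers NXDOMAIN
with the covering NSEC the way RFC 4035 section 3.1.3 requires.
"""
import bisect

APEX = "example.nz"
ZONE_NAMES = [  # constructed zone contents, not real registrations
    "example.nz", "www.example.nz", "mail.example.nz",
    "alpha.example.nz", "zulu.example.nz", "_dmarc.example.nz",
]


def canonical_key(name):
    """Sort key for RFC 4034 section 6.1 canonical DNS name order: labels are
    compared right to left, case-insensitively, and a name sorts before all
    of its own subdomains (tuple prefix comparison gives exactly that)."""
    return tuple(label.lower() for label in reversed(name.rstrip(".").split(".")))


def build_nsec_chain(names):
    """What a signer emits: each owner's NSEC names the next owner in
    canonical order; the last one points back at the apex, closing the ring.
    Type bitmaps are omitted because the walk does not need them."""
    ordered = sorted(set(names), key=canonical_key)
    return {ordered[i]: ordered[(i + 1) % len(ordered)] for i in range(len(ordered))}


class AuthServer:
    """Minimal authoritative server: NOERROR for names that exist, and for a
    name that does not exist an NXDOMAIN carrying the NSEC whose
    owner/next interval covers the queried name."""

    def __init__(self, chain):
        self.chain = chain
        self.owners = sorted(chain, key=canonical_key)
        self.keys = [canonical_key(o) for o in self.owners]

    def query(self, qname):
        if canonical_key(qname) in self.keys:
            return "NOERROR", None
        i = bisect.bisect_right(self.keys, canonical_key(qname)) - 1
        if i < 0:                # sorts before the apex: the last NSEC wraps around
            i = len(self.owners) - 1
        owner = self.owners[i]
        return "NXDOMAIN", (owner, self.chain[owner])


def walk_nsec_chain(server, apex, max_steps=10_000):
    """Enumerate every owner name using nothing but NXDOMAIN answers.

    "\\000.<name>" is the smallest subdomain of <name> in canonical order, so
    asking for it (when it does not exist) returns the NSEC owned by <name>,
    whose next field reveals the following owner. Repeat until the chain
    returns to the apex. No AXFR, FTP or HTTP access to the zone file is used.
    """
    found = [apex]
    current = apex
    for _ in range(max_steps):
        rcode, nsec = server.query("\x00." + current)
        if rcode != "NXDOMAIN" or nsec[0] != current:
            raise RuntimeError(f"unexpected answer for \\000.{current}: {rcode} {nsec}")
        nxt = nsec[1]
        if nxt == apex:
            return found
        found.append(nxt)
        current = nxt
    raise RuntimeError("chain did not return to the apex")


def enumerate_zone(names=ZONE_NAMES, apex=APEX):
    """Convenience wrapper: sign the constructed zone, then walk it."""
    return walk_nsec_chain(AuthServer(build_nsec_chain(names)), apex)


if __name__ == "__main__":
    for name in enumerate_zone():
        print(name)
```

Against a real server the same loop is driven with DNSSEC-enabled queries (for example `dig +dnssec` for a name under each learned owner) and the NSEC is read out of the authority section of the NXDOMAIN reply. NSEC3 (RFC 5155), which hashes owner names to make this walk harder, postdates this 2004 thread.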