Peter Mott writes:

2. A policy on Zone Transfers.

What's driving this policy?

At least partly a desire to move the operation of the .nz name service
toward the standards set out by RFC 2010 (Operational Criteria for Root
Name Servers), which says, among other things:

    2.10. Zone transfer access control. The name server shall be
    configured so that outbound zone transfers are permitted only to
    destinations on the server's local networks, and to whichever
    networks the zone master designates for remote debugging purposes.

    Rationale: Zone transfers can present a significant load on a name
    server, especially if several transfers are started
    simultaneously against the same server. There is no
    operational reason to allow anyone outside the name
    server's and zone's administrators to transfer the

There's also the ugly question of privacy; while individual queries pose
no privacy or commercial sensitivity issues (after all, the NS records
wouldn't be there if they weren't intended to be used), a complete zone
download gives you a lot more information than is required to resolve
names to IP addresses. For example, one can get a fairly exhaustive list
of DNS names and group them by service provider

The policies in development for official .nz nameservers do take into
account (a) the fact that the .nz servers aren't hit *quite* as hard as
the root servers, and (b) that a hard and fast policy of no zone
transfers is not required as long as the exceptions are reasonable and

I think it's reasonable for Internet users to expect that data provided
for the sole purpose of permitting other users to access their web pages
or send them email is used for that purpose, and not for making them
targets of unsolicited marketing material or cold-calling salespeople.
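
The access control quoted from RFC 2010 section 2.10 above, sketched as a name server configuration. This is an added example, not part of the original message and not the .nz servers' configuration; it assumes BIND 9 named.conf syntax, and the ACL names, zone name, file name and addresses are placeholders.

```conf
// Constructed example: addresses are documentation ranges, names are placeholders.

// "destinations on the server's local networks"
acl "local-nets" { 192.0.2.0/24; 2001:db8:1::/48; };

// "networks the zone master designates for remote debugging purposes"
acl "zone-master-debug" { 198.51.100.16/28; };

options {
    // Default for every zone: refuse outbound zone transfers.
    allow-transfer { none; };

    // Limit simultaneous outbound transfers, per the load rationale.
    // The value 4 is an arbitrary illustration.
    transfers-out 4;
};

zone "example.org" {
    type master;              // spelled "primary" in newer BIND 9 releases
    file "db.example.org";

    // Only the two designated groups may pull the whole zone.
    allow-transfer { "local-nets"; "zone-master-debug"; };
};
```

Ordinary queries are unaffected by allow-transfer, so individual names still resolve for everyone while a complete zone download is refused outside the listed networks.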