disallow zone transfers by default (change default to `allow-transfer none;`)
Description
I think current best practice is to allow zone transfers only to authorized parties, but BIND defaults to allowing zone transfers to anyone without any authentication.
Request
I think that in 2024 the `allow-transfer` ACL should default to `none`.
Current defaults (commit 07488474) obtained with:

```
named -C | grep allow
```

```
allow-new-zones no;
allow-notify {none;};
allow-proxy {none;};
allow-proxy-on {any;};
allow-query-cache { localnets; localhost; };
allow-query-cache-on { any; };
allow-recursion { localnets; localhost; };
allow-recursion-on { any; };
allow-update-forwarding {none;};
allow-query {any;};
allow-query-on {any;};
allow-transfer {any;};
allow-new-zones no;
```
From this it seems that `allow-transfer {any;};` is (almost) an outlier here.

Personally I think `allow-query {any;}` is fine because you kind of expect that a DNS server will answer queries.
Links / references
- Knot DNS 3.3 requires an explicit ACL to allow zone transfer but allows normal queries by default
- NSD 4.9.1 requires an explicit ACL to allow zone transfer but allows normal queries by default
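The configuration the request is asking BIND to default to, written out as an added example (not part of the original issue and not BIND's shipped defaults): transfers are refused globally in `options`, queries stay open, and a single zone re-opens transfers only to a secondary that signs its AXFR/IXFR request with a TSIG key. The zone name, key name, addresses and file paths are assumptions; the secret is a placeholder that must be replaced with the output of `tsig-keygen`, and `named-checkconf` will reject the file until it is.

```conf
// ---- Primary (assumed address 192.0.2.1) ----

// Shared TSIG key. Create it with `tsig-keygen xfer-key` and paste the
// real key statement here; the secret below is a placeholder, not valid base64.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

options {
    directory "/var/named";

    // Weak setting, shown for contrast only: this is what BIND currently
    // assumes when allow-transfer is omitted, and it hands the whole zone
    // to anyone who asks.
    // allow-transfer { any; };

    // Hardened: no zone may be transferred unless the zone statement
    // explicitly re-opens it.
    allow-transfer { none; };

    // Answering queries is the job of an authoritative server; leave it open.
    allow-query { any; };
};

zone "example.com" {
    type primary;                 // "master" on BIND releases older than 9.16
    file "example.com.zone";

    // Only a requester presenting a valid signature with "xfer-key" may
    // transfer this zone. The key, not the source address, is the credential;
    // address matching can be added on top of it if desired.
    allow-transfer { key "xfer-key"; };

    // Tell the secondary about changes so it pulls promptly.
    also-notify { 192.0.2.53; };
};

// ---- Secondary (assumed address 192.0.2.53) ----
// Same key statement as above, then:
//
// zone "example.com" {
//     type secondary;           // "slave" on BIND releases older than 9.16
//     file "example.com.zone";
//     primaries { 192.0.2.1 key "xfer-key"; };   // sign transfer requests
//     allow-transfer { none; }; // a secondary has no reason to serve AXFR
// };
```

To check the result, run `named-checkconf named.conf` (after inserting a real key), then from a host that does not hold the key run `dig @192.0.2.1 example.com AXFR`, which should end with `; Transfer failed.`, and from the secondary run `dig @192.0.2.1 -k xfer-key.key example.com AXFR`, where `xfer-key.key` is the file written by `tsig-keygen`; only the signed request should return the zone.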