DNS Server domains was Re: GoDaddy.com shuts down entire data center?
Simon Waters
simonw at zynet.net
Tue Jan 17 09:13:46 UTC 2006
On Tuesday 17 Jan 2006 01:04, you wrote:
>
> Not having all your DNS servers in the same domain, or registered through
> the same registrar, isn't a "best practice" that has previously occurred
> to me, but it makes a lot of sense now that I think about it.
I think the general consensus in the DNS field is that for security reasons it
is preferable to have as small a set of DNS servers (or perhaps as small as
set of differently configured servers! Hmm physical security....) in the
hierarchy above you as possible, since compromise of any of these could
affect the results obtained for your domain.
See also DJBs "Trusted Servers" note.
http://cr.yp.to/djbdns/notes.html
Here there is a clear conflict between security through redundancy against
accident, and resistance to compromise. Although it can be mitigated by
choosing well managed parent zones.
Incidentally we have DNS servers in two domains, but that is historical, and
both top level domains are managed by Verisign, and delivered via the same
set of servers. Thus we are dependent on "root-servers.net",
"gtld-servers.net" and our own servers, only in the resolution of our own
domain names (and customer domains, where those domains are in .com/.net).
Of course arguably the effective working of some services (email?) is now
also dependent on reverse DNS working well, and the delegation of that is
different again.
That said I think the idea is sound against some issues (at which point one
should probably also use different providers for the DNS registration
services, since if their procedures are flawed....). However it does increase
the risk of certain types of malicious activity, as in general it is
sufficient to compromise one DNS server involved in serving a name to
compromise the majority of the traffic (at least in theory, I haven't had a
chance to prove this in anger yet).
Since we are moving a couple of our nameservers from their current domain, I
think I'll look at putting them under co.uk, as the UK seems to have tidied
up its DNS management quite nicely in recent years.
Also during the recent event it has struck me that the hierarchy of servers
involved in providing DNS services is quite small, and has quite different
characteristics to the other records in the DNS. I'm beginning to wonder if
having the scaffolding in the protocol itself is the right way, but that is a
debate that has raged before, and is off topic here.
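The dependency set the message describes (root servers, gTLD servers, your own servers, plus whatever zones your nameserver names themselves live in) can be enumerated mechanically. The following is an added example, not code from the original post; it uses a constructed delegation table rather than live DNS, and the zone and host names in it are illustrative placeholders.

```python
"""Enumerate the DNS zones and nameserver hosts a name's resolution depends on.

Walks every ancestor zone of the name, then every ancestor zone of each
nameserver host found along the way, until the set stops growing.  Anything
in the result could, if compromised, alter answers for the name.
"""

# Constructed delegation table (zone -> NS hostnames), not real DNS data.
# Two child zones: example.net keeps its NS inside its own domain;
# example.com spreads them across .com, .net and .co.uk.
DELEGATIONS = {
    ".": ["a.root-servers.net"],
    "com": ["a.gtld-servers.net"],
    "net": ["a.gtld-servers.net"],
    "uk": ["ns1.nic.uk"],
    "co.uk": ["ns1.nic.uk"],
    "root-servers.net": ["a.root-servers.net"],
    "gtld-servers.net": ["a.gtld-servers.net"],
    "nic.uk": ["ns1.nic.uk"],
    "example.net": ["ns1.example.net"],
    "example.co.uk": ["ns3.example.co.uk"],
    "example.com": ["ns1.example.com", "ns1.example.net", "ns3.example.co.uk"],
}


def ancestor_zones(name):
    """Yield '.', then every suffix of name from the TLD down to name itself."""
    labels = name.rstrip(".").split(".")
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:])


def trust_set(name, delegations=DELEGATIONS):
    """Return (zones, hosts): every zone and NS host that resolving name relies on."""
    zones, hosts = set(), set()
    pending = [name]
    while pending:
        current = pending.pop()
        for zone in ancestor_zones(current):
            # Only names that are zone cuts in the table contribute NS records.
            if zone in zones or zone not in delegations:
                continue
            zones.add(zone)
            for ns in delegations[zone]:
                if ns not in hosts:
                    hosts.add(ns)
                    pending.append(ns)  # the NS name itself must be resolvable
    return zones, hosts


if __name__ == "__main__":
    for name in ("example.net", "example.com"):
        zones, hosts = trust_set(name)
        print(f"{name}: {len(zones)} zones, {len(hosts)} hosts")
        print("  zones:", ", ".join(sorted(zones)))
```

Spreading nameservers across three registries roughly doubles the number of zones and hosts that must stay uncompromised, which is the trade-off against accident-resilience the message points out.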