nanog mailing list archives
DNS Server domains was Re: GoDaddy.com shuts down entire data center?
From: Simon Waters <simonw () zynet net>
Date: Tue, 17 Jan 2006 09:13:46 +0000
On Tuesday 17 Jan 2006 01:04, you wrote:
> Not having all your DNS servers in the same domain, or registered through the same registrar, isn't a "best practice" that has previously occurred to me, but it makes a lot of sense now that I think about it.
I think the general consensus in the DNS field is that for security reasons it is preferable to have as small a set of DNS servers (or perhaps as small a set of differently configured servers! Hmm, physical security....) in the hierarchy above you as possible, since compromise of any of these could affect the results obtained for your domain. See also DJB's "Trusted Servers" note: http://cr.yp.to/djbdns/notes.html

Here there is a clear conflict between security through redundancy against accident, and resistance to compromise, although it can be mitigated by choosing well-managed parent zones.

Incidentally, we have DNS servers in two domains, but that is historical, and both top level domains are managed by Verisign, and delivered via the same set of servers. Thus we are dependent on "root-servers.net", "gtld-servers.net" and our own servers, only in the resolution of our own domain names (and customer domains, where those domains are in .com/.net). Of course, arguably the effective working of some services (email?) is now also dependent on reverse DNS working well, and the delegation of that is different again.

That said, I think the idea is sound against some issues (at which point one should probably also use different providers for the DNS registration services, since if their procedures are flawed....). However, it does increase the risk of certain types of malicious activity, as in general it is sufficient to compromise one DNS server involved in serving a name to compromise the majority of the traffic (at least in theory, I haven't had a chance to prove this in anger yet).

Since we are moving a couple of our nameservers from their current domain, I think I'll look at putting them under co.uk, as the UK seems to have tidied up its DNS management quite nicely in recent years.

Also, during the recent events it has struck me that the hierarchy of servers involved in providing DNS services is quite small, and has quite different characteristics to the other records in the DNS. I'm beginning to wonder if having the scaffolding in the protocol itself is the right way, but that is a debate that has raged before, and is off topic here.
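The trade-off described in the post (redundancy across domains versus a small set of trusted parent zones) can be made concrete by enumerating everything a name's resolution transitively depends on. The script below is an added example, not part of the original post; its delegation table is constructed for illustration (tight.com., spread.com., example.net. and example.co.uk. are made-up zones with one placeholder nameserver each), and it ignores glue records, so every NS hostname is assumed to be resolved through its own ancestors.

```python
"""Enumerate the zones and nameserver hosts a name transitively depends on."""
from collections import deque

# Constructed delegation data for illustration: zone -> NS hostnames.
# Real delegations must be fetched from the live DNS (and will be larger).
DELEGATIONS = {
    ".": ["a.root-servers.net."],
    "com.": ["a.gtld-servers.net."],
    "net.": ["a.gtld-servers.net."],
    "uk.": ["ns1.nic.uk."],
    "co.uk.": ["ns1.nic.uk."],
    "root-servers.net.": ["a.root-servers.net."],
    "gtld-servers.net.": ["a.gtld-servers.net."],
    "nic.uk.": ["ns1.nic.uk."],
    "example.net.": ["ns1.example.net."],
    "example.co.uk.": ["ns1.example.co.uk."],
    # All nameservers inside the zone itself (hypothetical).
    "tight.com.": ["ns1.tight.com.", "ns2.tight.com."],
    # Nameservers spread across two unrelated domains (hypothetical).
    "spread.com.": ["ns1.example.net.", "ns1.example.co.uk."],
}


def ancestor_zones(name, delegations=DELEGATIONS):
    """Return the zone cuts on the path from the root down to `name`."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    candidates = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return [z for z in candidates if z in delegations]


def dependency_set(name, delegations=DELEGATIONS):
    """Transitive closure of zones and NS hosts whose compromise or failure
    could affect answers for `name`: each zone on the path contributes its
    nameservers, and each nameserver's own name contributes its path."""
    zones, hosts = set(), set()
    queue = deque([name])
    while queue:
        current = queue.popleft()
        for zone in ancestor_zones(current, delegations):
            if zone in zones:
                continue
            zones.add(zone)
            for ns in delegations[zone]:
                if ns not in hosts:
                    hosts.add(ns)
                    queue.append(ns)  # the NS name itself must resolve
    return zones, hosts


if __name__ == "__main__":
    for target in ("tight.com.", "spread.com."):
        zones, hosts = dependency_set(target)
        print(f"{target}: {len(zones)} zones, {len(hosts)} hosts -> {sorted(zones)}")
```

Spreading the nameservers across domains removes single-registrar and single-zone points of failure, but the second run shows the larger set of zones (uk., co.uk., nic.uk., example.co.uk., example.net.) that must now all be trusted.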