On Oct 29, 2013, at 10:24 AM, Calvin Browne wrote:

> On 25/10/2013 19:34, dns-operations-requ...@lists.dns-oarc.net wrote:
> <SNIP>
>> From: Einar Lönn <einar.l...@iis.se>
>> <snip>
>>> what do you think is fragile?  the in-baliwick glue?  why?
>>> 
>>> the ip address clumping would worry me if i thought they were not
>>> anycast.
>>> 
>>> randy
>> Someone did a comparison between all the ccTLDs a few years back (was it 
>> CENTR? or RIPE? I can't find it...) where they checked stuff like this. I 
>> think I remember 100% in-bailiwick glue was considered best as this gives 
>> most control to the TLD itself and has the least risk of hijacking due to 
>> in-zone or out-of-zone dependencies.
>> 
>> I actually agree with this assessment, at least as long as (in the example 
>> above) the zone "nic.xn--ngb5azd" is *very* well guarded (locked utterly) 
>> and preferably also never delegated. Which it might actually be; then it's 
>> suddenly much riskier, as you must have full control of the delegated zone 
>> also (which I kind of consider an in-zone dependency)...
>> 
>> (Compare: In .SE the zone "NS.SE" that contains all names of all NS-records 
>> for .SE is in-bailiwick and *not* a delegated zone).
>> 
>> BigMac:~ einar.lonn$ dig se ns +short
>> a.ns.se.
>> b.ns.se.
>> c.ns.se.
>> d.ns.se.
>> e.ns.se.
>> f.ns.se.
>> g.ns.se.
>> i.ns.se.
>> j.ns.se.
>> 
>> B
> 
> I'm going to point out that .se went down because of a problem right at 
> this point relatively recently. And .ng .... and I think there were more..
> 
> --Calvin

No system is perfect until all human steps have been removed, so I'm curious 
how out-of-zone name servers can protect against *human* error? ;)

Although you do have a point, in the case of our incident where a rogue $ORIGIN 
destroyed our zone, out-of-zone name servers actually would have helped. But 
it's a very specific case this would protect against and now I doubt this will 
ever happen again (we have quite a bit more checks today than we had when this 
happened).

Furthermore, this relatively tiny risk could be compared to the risk of a hijack 
of a name server residing out-of-zone which silently captures X percent of all 
your traffic. As you say, you could consider this as having all your eggs in one 
basket; however, I kind of like the idea of having 100% control, especially with 
DNSSEC-signed NS records and glue, and this is tricky to achieve in any other way.

Had to speak with some people internally before composing this, thus the delay. 
Saw more emails concerning this later in the thread; they are actually 
(somewhat) incorrect, out-of-zone NS records would have helped us. Still not worth it 
though imho, considering the control and security mentioned above.


        /Regards, Einar


_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
