On 29.10.13 13:31, Einar Lönn wrote:
> On Oct 29, 2013, at 10:24 AM, Calvin Browne wrote:
>
>> I'm going to point out that .se went down because of a problem right at
>> this point relatively recently. And .ng .... and I think there were more..
>>
>> --Calvin
>
> No system is perfect until all human steps have been removed, so I'm curious
> how out-of-zone name servers can protect against *human* error? ;)

Absolutely. No system is perfect and no guarantees can be made, either way.

> Although you do have a point, in the case of our incident where a rogue $ORIGIN
> destroyed our zone, out-of-zone name servers actually would have helped. But
> it's a very specific case this would protect against and now I doubt this will
> ever happen again (we have quite a bit more checks today than we had when this
> happened).

Additional checks cannot prevent this from happening. They will just make it happen in a different scenario. One just has to have this in mind.

> Furthermore this relatively tiny risk could be compared to the risk of a hijack
> of a name server residing out-of-zone which silently captures X percent of all
> your traffic. As you say you could consider this as having all your eggs in one
> basket; however I kind of like the idea of having 100% control, especially with
> DNSSEC-signed NS' and glue, and this is tricky to achieve in any other way.

DNSSEC is here to help you. No matter what happens with any of your secondaries, as long as they do not have the secret part of your DNSKEY(s), this does not matter. This kills the incentive to hijack/attack DNSSEC-signed zones' secondaries, because it is not an attack vector that works. Those X percent of responses will simply be ignored by all validating resolvers.

DNSSEC will of course not protect you from human errors, like the one discussed here.

> Had to speak with some people internally before composing this, thus the delay.
> Saw more emails concerning this later in the thread; they are actually
> (somewhat) incorrect, out-of-zone NS' would have helped us. Still not worth it
> though imho, considering control and security mentioned above.

I believe you need to open that discussion again, in consideration of the DNSSEC properties mentioned above.

Daniel
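
An added example, not part of the original messages and not any registry's actual tooling: one kind of pre-publication check against a stray $ORIGIN of the sort discussed above. It follows the origin through a master file and reports directives and owner names that land outside the zone, plus an apex left without SOA or NS. The function names, the record-type list and the sample zone are assumptions made for the illustration.

```python
RR_TYPES = {"SOA", "NS", "A", "AAAA", "DS", "MX", "TXT", "CNAME", "DNSKEY"}

def absolute(name, origin):
    """Resolve a master-file name against the current origin."""
    if name == "@":
        return origin
    return (name if name.endswith(".") else f"{name}.{origin.lstrip('.')}").lower()

def in_zone(name, apex):
    return name == apex or name.endswith("." + apex)

def check_zone(text, apex):
    """Return a list of findings; an empty list means every check passed."""
    apex = apex.lower()
    origin, owner, findings, apex_types = apex, apex, [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()    # drop comments (quoted ';' unsupported)
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = absolute(fields[1], origin)
            if not in_zone(origin, apex):
                findings.append(f"line {lineno}: $ORIGIN {origin} is outside {apex}")
            continue
        if fields[0].startswith("$"):
            continue                             # $TTL, $INCLUDE: not examined here
        if not raw[0].isspace():                 # leading blank = same owner as before
            owner, fields = absolute(fields[0], origin), fields[1:]
        rtype = next((f.upper() for f in fields if f.upper() in RR_TYPES), None)
        if not in_zone(owner, apex):
            findings.append(f"line {lineno}: owner {owner} is outside {apex}")
        elif owner == apex and rtype:
            apex_types.add(rtype)
    findings += [f"apex {apex} has no {t} record" for t in ("SOA", "NS") if t not in apex_types]
    return findings

# Constructed sample zone (reserved names and documentation addresses).
GOOD = """$TTL 3600
$ORIGIN example.
@     IN SOA a.ns.example. hostmaster.example. 2013102901 1800 900 604800 3600
      IN NS  a.ns
      IN NS  b.ns
a.ns  IN A   192.0.2.1
b.ns  IN A   192.0.2.2
child IN NS  ns1.child
"""
# The same zone with a constructed stray origin, standing in for the error discussed.
BAD = GOOD.replace("$ORIGIN example.", "$ORIGIN examplle.")

if __name__ == "__main__":
    print(check_zone(GOOD, "example."))
    print(*check_zone(BAD, "example."), sep="\n")
```

A check like this only covers the failure it was written for, which is the limitation raised in the reply above.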

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations