On 5/4/15, 3:11, "Stephane Bortzmeyer" <bortzme...@nic.fr> wrote:
>A new edition of the DNS security guide by ANSSI (French cybersecurity
>agency) recommends to prefer delegations with glue because glueless
>delegations "may carry additional risks since they create a
>dependency". Is there any other "best practices" text which makes such
>a recommendation?

I can't read French, so no comment on the report.

I had to diagnose what appeared to be a security incident resulting from the victim failing to remove glue at the parent when they changed registration. Years later, a presumably-unhappy newly-ex employee made use of that glue in a new delegation to cause harm. If the new delegation had to be in bailiwick, then the stale glue couldn't hurt the victim in this manner.

The trade-off - you (as a registrant) can either spread your eggs across baskets (mixing glue's TLDs) and then manage all of the vendors involved -OR- focus your eggs in one basket and then make it bulletproof by being vigilant.

My observations indicate that the less attentive a registrant is (as far as being a customer of registration services) the better served they are to reduce the vendors involved - i.e., staying in bailiwick. They risk a single point of failure (e.g., the TLD) as a result, but to that point, glue isn't the worry, the registration is.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations