cjc> On the other side of this, we all may be learning the value of not
cjc> having all of you NS records in a single zone with a domain under a
cjc> single registrar.
>From some trainings I did on how to be sure your DNS was robust:
- don't have all your business critical domains under the same
registrar (unless it's of the CSC/markmonitor class)
- don't have all your auth NS for your domain in bailiwick (within the
domain being served)
- don't have all your auth NS in the same routing domain (anycast can
be an exception to this if robust enough)
- don't have the account registrar credential emails all within the
domain, nor with personal emails like gmail. do have them all under
control of your IT
- protect all account credentials with strong passwords, MFA
- have MX for your domain either with a very large provider or across
multiple domain names
It's painfully easy to fall off the internet and be unreachable if
you're not thinking about all this for business critical domains. You
don't ever want to be hoping that some customer kept your NOC phone
number in their phone. ;)
