ebersman> - don't have all your business critical domains under the same
ebersman>   registrar (unless it's of the CSC/markmonitor class)

jeroen> There are always going to be single points of failure in a
jeroen> hierarchical tree like that.

Everything in internet/infrastructure is risk tradeoffs and cost/benefit
analysis. If we could be perfect as engineers, we would be. ;)

Personally, the fact that the internet mostly functions most mornings
when I get up is still something that amazes me after years of using
it...

ebersman> - don't have all your auth NS for your domain in bailiwick
ebersman>   (within the domain being served)

jeroen> If, as it is the example in the thread, he.net is your primary
jeroen> domain, which is their case, then if somebody in the tree
jeroen> disables the delegation of he.net, nothing is going to fix
jeroen> resolution to you. Having your DNS servers in another TLD will
jeroen> not make he.net appear in the global DNS again...

The above two points of mine tie together. If you can afford a registrar
who will be far more likely to care about you than random/bad
enforcement of external complaints and you're big/rich enough to be able
to use highly robust anycasted auth NS, in bailiwick is a much lower
risk.

If my "joe's fish shop and internet cafe" DNS is provided by "my mom let
me be a registrar if I ate my vegetables", diversity of TLD, registrar,
and auth NS (including out of bailiwick NS) becomes a much more
attractive and cheaper way to be more robust.

jeroen> Thus one only increases the risk by having multiple
jeroen> TLDs. Choosing a trusted registrar (one you have good contact
jeroen> with; indeed MM qualifies) and a TLD that will not cause you
jeroen> issues, is thus more important.

Again, this depends on scale. For SMB, multiple TLDs is more likely to
be a feature, for a really large business not so much. As Bill points
out, this is actually one of the few cases where brand TLD is a major
potential security upgrade.
