[dns-operations] DNS trust dependencies for TLDs

Antoin Verschuren Antoin.Verschuren at sidn.nl
Fri Jun 12 12:43:21 UTC 2009

And this is exactly nu point.
The trust relationships may be there for al reason.
I would like to argue that al small dependancy graph is the bad thing,  
not a large one.

We have outsourced nameservers because we deliberately want a large  
dependancy. Be it for governance reasons or something I call  
operational redundancy. Every operator , yes, also the TLD, can make a  
mistake, or have a social engineering vunarability, and spreading out  
over multiple operators reduces that risk.

So I think the error you make is that it is a chain of TRUSTED  
relationships, not untrusted thirth parties. They are chosen  


Sent from my iPhone

On 11 jun 2009, at 19:21, "Matthew Dempsky" <matthew at dempsky.org> wrote:

> On Thu, Jun 11, 2009 at 12:46 AM, <sthaug at nethelp.no> wrote:
>> It should also be pointed out that some ccTLDs have considered this,
>> among several other problems. I am personally somewhat involved in  
>> the
>> .no ccTLD, and I know that other issues which have been considered  
>> are
>> - Geographical distribution of name servers
>> - AS-level distribution of name servers
>> - Operating system and name server software diversity
> Having a good distribution of name servers is a good thing, but a
> zone's security is only as strong as its weakest link.  If it has a
> large trust graph, then it's trusting that none of those servers have
> security vulnerabilities.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list