[dns-operations] DNS trust dependencies for TLDs
Antoin Verschuren
Antoin.Verschuren at sidn.nl
Fri Jun 12 12:43:21 UTC 2009
And this is exactly my point.
The trust relationships may be there for a reason.
I would like to argue that a small dependency graph is the bad thing,
not a large one.
We have outsourced nameservers because we deliberately want a large
dependency. Be it for governance reasons or something I call
operational redundancy. Every operator, yes, also the TLD, can make a
mistake, or have a social engineering vulnerability, and spreading out
over multiple operators reduces that risk.
So I think the error you make is that it is a chain of TRUSTED
relationships, not untrusted third parties. They are chosen
deliberately.
Antoin
Sent from my iPhone
On 11 jun 2009, at 19:21, "Matthew Dempsky" <matthew at dempsky.org> wrote:
> On Thu, Jun 11, 2009 at 12:46 AM, <sthaug at nethelp.no> wrote:
>> It should also be pointed out that some ccTLDs have considered this,
>> among several other problems. I am personally somewhat involved in the
>> .no ccTLD, and I know that other issues which have been considered are
>>
>> - Geographical distribution of name servers
>> - AS-level distribution of name servers
>> - Operating system and name server software diversity
>
> Having a good distribution of name servers is a good thing, but a
> zone's security is only as strong as its weakest link. If it has a
> large trust graph, then it's trusting that none of those servers have
> security vulnerabilities.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations