[dns-operations] DNS trust dependencies for TLDs

Matthew Dempsky matthew at dempsky.org
Fri Jun 12 17:06:03 UTC 2009


On Fri, Jun 12, 2009 at 5:43 AM, Antoin
Verschuren<Antoin.Verschuren at sidn.nl> wrote:
> I would like to argue that a small dependency graph is the bad thing, not a
> large one.

To be clear, I think having a lot of name servers for a zone is
generally a good thing.  I only think having a lot of transitive
dependence on third-party name servers is a bad thing.

> We have outsourced nameservers because we deliberately want a large
> dependency. Be it for governance reasons or something I call operational
> redundancy. Every operator, yes, also the TLD, can make a mistake, or have
> a social engineering vulnerability, and spreading out over multiple operators
> reduces that risk.

No, having unnecessary dependencies *increases* that risk.  If any
name server in the .nl graph makes a mistake or is vulnerable to
social engineering, the entire .nl zone is at risk.  ("A chain is only
as strong as its weakest link.")

Here's a concrete suggestion to discuss: you could change the .nl NS
and glue records to:

nl.			172800	IN	NS	ns1.nic.nl.
nl.			172800	IN	NS	ns2.nic.nl.
nl.			172800	IN	NS	ns3.nic.nl.
nl.			172800	IN	NS	ns4.nic.nl.
nl.			172800	IN	NS	ns5.nic.nl.
nl.			172800	IN	NS	ns6.nic.nl.
nl.			172800	IN	NS	ns7.nic.nl.

ns1.nic.nl.		172800	IN	A	193.176.144.2
ns2.nic.nl.		172800	IN	A	213.154.241.28
ns2.nic.nl.		172800	IN	AAAA	2001:7b8:606::28
ns3.nic.nl.		172800	IN	A	194.171.17.2
ns3.nic.nl.		172800	IN	AAAA	2001:610:0:800d::2
ns4.nic.nl.		172800	IN	A	62.4.86.232
ns5.nic.nl.		172800	IN	A	194.146.106.42
ns6.nic.nl.		172800	IN	A	192.5.4.1
ns6.nic.nl.		172800	IN	AAAA	2001:500:2e::1
ns7.nic.nl.		172800	IN	A	192.93.0.4
ns7.nic.nl.		172800	IN	AAAA	2001:660:3005:1::1:2

I.e., you're changing the three non-nic.nl NS records from
nl1.dnsnode.net, sns-pb.isc.org, ns-nl.nic.fr to ns5.nic.nl,
ns6.nic.nl, and ns7.nic.nl, respectively.  You'll also have to
maintain glue records for these names, but this can be automated
out-of-band (e.g., simple method: query the authoritative servers for
these names a few times a day, and whenever they change, update the
ns{5,6,7}.nic.nl records).  You would then also need to similarly
change nic.nl's NS records.

This arrangement gives you the same amount of fault tolerance for the
.nl zone that you already have, but it eliminates unnecessary
dependencies on servers like moe.rice.edu, ns.via.net, and
ns.oleane.net.

> So I think the error you make is that it is a chain of TRUSTED
> relationships, not untrusted third parties. They are chosen deliberately.

You deliberately chose to give private companies like via.net and
oleane.net authority over the entire .nl zone, and you trust them not
to be vulnerable to security holes or social engineering?  If so, then
don't worry about my graphs, but I'd honestly be a little surprised if
this was the case. :)
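Added illustration of the two ideas in the message above; this is not code from the post, from SIDN or from any of the operators named. It walks the "zone depends on the zone that holds each of its NS hosts" relation to produce the kind of transitive dependency set the graphs in this thread are about, and it implements the out-of-band glue refresh proposed for ns{5,6,7}.nic.nl as a diff between the glue currently published and the addresses seen in the latest poll. The delegation data inside it is constructed: the hostnames are the ones named in the post, but which zone's servers sit in which other zone is invented, and the poll result (a TEST-NET address and one failed query) is made up. All function names are my own.

```python
"""Transitive name-server dependencies of a zone, plus the out-of-band glue
mirroring sketched in the post.  Added example; all sample data is constructed."""
from collections import deque


def enclosing_zone(hostname, zones):
    """Longest zone in `zones` containing `hostname` ("ns1.nic.nl" -> "nic.nl")."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):                 # most specific suffix first
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None                                  # not covered by the data


def dependency_closure(zone, ns_records):
    """Breadth-first walk: zone -> zone holding each NS host -> its NS hosts ...

    ns_records maps a zone to its NS hostnames.  Returns (zones, hosts, unknown):
    every *other* zone whose operator can affect `zone`, every NS hostname on
    some path, and NS hostnames whose zone is missing from the data (reported
    rather than silently dropped).
    """
    known = set(ns_records)
    seen, hosts, unknown = {zone}, set(), set()
    queue = deque([zone])
    while queue:
        current = queue.popleft()
        for host in ns_records.get(current, ()):
            hosts.add(host)
            holder = enclosing_zone(host, known)
            if holder is None:
                unknown.add(host)
            elif holder not in seen:
                seen.add(holder)
                queue.append(holder)
    return seen - {zone}, hosts, unknown


def eliminated_dependencies(zone, before, after):
    """Zones that `zone` depends on under `before` but not under `after`."""
    return dependency_closure(zone, before)[0] - dependency_closure(zone, after)[0]


def glue_changes(mirrors, current_glue, observed):
    """Diff for the periodic glue update of mirrored NS names.

    mirrors maps an in-zone name to the external host it copies
    ({"ns5.nic.nl": "nl1.dnsnode.net"}); current_glue and observed map names
    to {"A": set, "AAAA": set}.  Returns [(mirror, rrtype, old, new)].  A host
    absent from `observed` (the poll failed) is skipped: a failed query must
    never turn into deleted glue.
    """
    changes = []
    for mirror, real in mirrors.items():
        if real not in observed:
            continue
        for rrtype in ("A", "AAAA"):
            old = set(current_glue.get(mirror, {}).get(rrtype, ()))
            new = set(observed[real].get(rrtype, ()))
            if old != new:
                changes.append((mirror, rrtype, old, new))
    return changes


# Constructed sample data.  The hostnames are the ones named in the post, but
# the edges (which zone's servers sit in which other zone) are invented for
# illustration and are not the real .nl delegation.
NIC_NL = [f"ns{i}.nic.nl" for i in range(1, 5)]
BEFORE = {
    "nl":          NIC_NL + ["nl1.dnsnode.net", "sns-pb.isc.org", "ns-nl.nic.fr"],
    "nic.nl":      NIC_NL,
    "dnsnode.net": ["ns1.dnsnode.net", "ns.via.net"],
    "isc.org":     ["sns-pb.isc.org", "moe.rice.edu"],
    "nic.fr":      ["ns-nl.nic.fr", "ns.oleane.net"],
    "via.net":     ["ns.via.net"],
    "rice.edu":    ["moe.rice.edu"],
    "oleane.net":  ["ns.oleane.net"],
}
# The arrangement proposed in the post: every NS name is in nic.nl, and nic.nl
# uses the same set, so the walk stops there.
ALL_NIC_NL = [f"ns{i}.nic.nl" for i in range(1, 8)]
AFTER = {"nl": ALL_NIC_NL, "nic.nl": ALL_NIC_NL}

MIRRORS = {"ns5.nic.nl": "nl1.dnsnode.net", "ns6.nic.nl": "sns-pb.isc.org",
           "ns7.nic.nl": "ns-nl.nic.fr"}
GLUE = {"ns5.nic.nl": {"A": {"194.146.106.42"}, "AAAA": set()},       # from the post
        "ns6.nic.nl": {"A": {"192.5.4.1"}, "AAAA": {"2001:500:2e::1"}},
        "ns7.nic.nl": {"A": {"192.93.0.4"}, "AAAA": {"2001:660:3005:1::1:2"}}}
# One constructed poll: nic.fr's host moved to a TEST-NET documentation
# address and the query for isc.org's host failed.
OBSERVED = {"nl1.dnsnode.net": {"A": {"194.146.106.42"}, "AAAA": set()},
            "ns-nl.nic.fr": {"A": {"192.0.2.53"}, "AAAA": {"2001:660:3005:1::1:2"}}}

if __name__ == "__main__":
    for label, data in (("before", BEFORE), ("after", AFTER)):
        zones, hosts, _ = dependency_closure("nl", data)
        print(f"{label}: depends on {sorted(zones)} via {len(hosts)} hosts")
    for mirror, rrtype, old, new in glue_changes(MIRRORS, GLUE, OBSERVED):
        print(f"update {mirror} {rrtype}: {sorted(old)} -> {sorted(new)}")
```

The "before" result is what the post means by transitive dependence: with the constructed edges, .nl depends on seven other zones, and anyone who can change an answer in any of them can redirect .nl, whereas the proposed arrangement leaves only nic.nl. The walk deliberately treats an in-bailiwick NS host as a dependency on the zone that holds it even where glue exists, which is why the post also wants nic.nl's own NS set changed. The glue routine skips a host whose poll returned nothing, because the whole point of the refresh is to keep the in-zone copy usable and a transient lookup failure must not delete it; NS names whose zone is missing from the data are reported rather than silently counted as carrying no dependency.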


