[dns-operations] All NSs for a TLD being in the TLD itself

Einar Lönn einar.lonn at iis.se
Tue Oct 29 11:31:40 UTC 2013

On Oct 29, 2013, at 10:24 AM, Calvin Browne wrote:

> On 25/10/2013 19:34, dns-operations-request at lists.dns-oarc.net wrote:
> <SNIP>
>> From: Einar L?nn <einar.lonn at iis.se>
>> <snip>
>>> what do you think is fragile?  the in-baliwick glue?  why?
>>> the ip address clumping would worry me if i thought they were not
>>> anycast.
>>> randy
>> Someone did a comparison between all the ccTLD's a few years back (was it CENTR? or RIPE? I cant find it...) where they checked stuff like this. I think I remember 100% in-bailiwick glue was considered best as this gives most control to the TLD itself and has the least risk of hijacking due to inzone or out of zone dependancies.
>> I actually agree with this assessment, at least as long as (in the example above) the zone "nic.xn--ngb5azd" is *very* well guarded (locked utterly) and preferrably also never delegated. Which it might actually be, then it's suddenly much riskier as you must have full control of the delegated zone also (which I kind of consider an inzone dependancy)...
>> (Compare: In .SE the zone "NS.SE" that contains all names of all NS-records for .SE is in-bailiwick and *not* a delegated zone).
>> BigMac:~ einar.lonn$ dig se ns +short
>> a.ns.se.
>> b.ns.se.
>> c.ns.se.
>> d.ns.se.
>> e.ns.se.
>> f.ns.se.
>> g.ns.se.
>> i.ns.se.
>> j.ns.se.
>> B
> I'm going to point out that .se went down because of a problem right at 
> this point relativly recently. And .ng .... and I think there were more..
> --Calvin

No system is perfect until all human steps have been removed, so I'm curious how out-of-zone name servers can protect against *human* error? ;)

Although you do have a point, in the case of our incident where a rogue $ORIGIN destroyed our zone, out-of-zone name servers actually would have helped. But it's a very specific case this would protect against and now I doubt this will ever happen again (we have quite a bit more checks today than we had when this happened).

Furthermore this relatively tiny risk could be compared to the risk of a hijack of a name server residing out-of-zone which silently captures X percent of all your traffic. As you say you could consider this as having all your eggs in one basket; however I kind of like the idea of having 100% control, especially with DNSSEC-signed NS' and glue, and this is tricky to achieve in any other way.

Had to speak with some people internally before composing this, thus the delay. Saw more emails concerning this later in the thread; they are actually (somewhat) incorrect, out-of-zone NS' would have helped us. Still not worth it though imho, considering control and security mentioned above.

	/Regards, Einar

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4057 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20131029/31b2c1d3/attachment.bin>

More information about the dns-operations mailing list