[dns-operations] All NSs for a TLD being in the TLD itself

Daniel Kalchev daniel at digsys.bg
Tue Oct 29 11:51:12 UTC 2013 

On 29.10.13 13:31, Einar Lönn wrote:
> On Oct 29, 2013, at 10:24 AM, Calvin Browne wrote:
>
>>
>> I'm going to point out that .se went down because of a problem right at
>> this point relativly recently. And .ng .... and I think there were more..
>>
>> --Calvin
> No system is perfect until all human steps have been removed, so I'm curious how out-of-zone name servers can protect against *human* error? ;)

Absolutely. No system is perfect and no guarantees can be made, either way.

>
> Although you do have a point, in the case of our incident where a rogue $ORIGIN destroyed our zone, out-of-zone name servers actually would have helped. But it's a very specific case this would protect against and now I doubt this will ever happen again (we have quite a bit more checks today than we had when this happened).

Additional checks cannot prevent this from happening. They will just 
make it happen in a different scenario. One just has to have this in mind.

> Furthermore this relatively tiny risk could be compared to the risk of a hijack of a name server residing out-of-zone which silently captures X percent of all your traffic. As you say you could consider this as having all your eggs in one basket; however I kind of like the idea of having 100% control, especially with DNSSEC-signed NS' and glue, and this is tricky to achieve in any other way.

DNSSEC is here to help you. No matter what happens with any of your 
secondaries, as long as they do not have the secret part of your 
DNSKEY(s), this does not matter. This kills the incentive to 
hijack/attack DNSSEC signed zones secondaries, because it is not an 
attack vector that works. Those X percent of responses, will simply be 
ignored by all validating resolvers.

DNSSEC will of course not protect you from human errors, like the one 
discussed here.

> Had to speak with some people internally before composing this, thus the delay. Saw more emails concerning this later in the thread; they are actually (somewhat) incorrect, out-of-zone NS' would have helped us. Still not worth it though imho, considering control and security mentioned above.

I believe you need to open that discussion again, in consideration of 
the DNSSEC properties mentioned above.

Daniel

More information about the dns-operations mailing list