[dns-operations] All NSs for a TLD being in the TLD itself
einar.lonn at iis.se
Tue Oct 29 12:33:20 UTC 2013
On Oct 29, 2013, at 12:51 PM, Daniel Kalchev wrote:
>> Furthermore this relatively tiny risk could be compared to the risk of a hijack of a name server residing out-of-zone which silently captures X percent of all your traffic. As you say you could consider this as having all your eggs in one basket; however I kind of like the idea of having 100% control, especially with DNSSEC-signed NS' and glue, and this is tricky to achieve in any other way.
> DNSSEC is here to help you. No matter what happens with any of your
> secondaries, as long as they do not have the secret part of your
> DNSKEY(s), this does not matter. This kills the incentive to
> hijack/attack DNSSEC signed zones secondaries, because it is not an
> attack vector that works. Those X percent of responses, will simply be
> ignored by all validating resolvers.
Oh really? How will I sign the glue of out-of-zone nameservers? In theory they could be in a signed-zone themselves, and thus signed etcetera, but it's still not even close to having them in a non-delegated zone controlled in one single place if you want full control (all these steps add complexity and security implications regardless of how you perform them to be honest, however; you do win stability).
Currently every single A & AAAA is signed for .SE, and signed with our own key inside our own zone. There are no dependancies outside of root.
> DNSSEC will of course not protect you from human errors, like the one
> discussed here.
No, since it was a human error we did sign the zone we broke. ;p
>> Had to speak with some people internally before composing this, thus the delay. Saw more emails concerning this later in the thread; they are actually (somewhat) incorrect, out-of-zone NS' would have helped us. Still not worth it though imho, considering control and security mentioned above.
> I believe you need to open that discussion again, in consideration of
> the DNSSEC properties mentioned above.
Honestly I think it's a matter of policy; how much is security and control worth if you pitch it against stability?
Our current delegation of .SE I think is pretty much focused on security and control, it's only natural that we lose some stability due to this but basically… it's a cost we're willing to take (and you could perhaps argue that we've paid the price for it with this incident).
...I wish I could find that survey, it was quite good and talked about exactly this for a lot of different TLDs. ;p No one remembers it? Annoying that I cant refer/point to it... ;(
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4057 bytes
Desc: not available
More information about the dns-operations