[dns-operations] All NSs for a TLD being in the TLD itself

Einar Lönn einar.lonn at iis.se
Tue Oct 29 12:33:20 UTC 2013


On Oct 29, 2013, at 12:51 PM, Daniel Kalchev wrote:
<snip>
>> Furthermore this relatively tiny risk could be compared to the risk of a hijack of a name server residing out-of-zone which silently captures X percent of all your traffic. As you say you could consider this as having all your eggs in one basket; however I kind of like the idea of having 100% control, especially with DNSSEC-signed NS' and glue, and this is tricky to achieve in any other way.
> 
> DNSSEC is here to help you. No matter what happens with any of your 
> secondaries, as long as they do not have the secret part of your 
> DNSKEY(s), this does not matter. This kills the incentive to 
> hijack/attack DNSSEC signed zones secondaries, because it is not an 
> attack vector that works. Those X percent of responses, will simply be 
> ignored by all validating resolvers.

Oh really? How will I sign the glue of out-of-zone nameservers? In theory they could be in a signed-zone themselves, and thus signed etcetera, but it's still not even close to having them in a non-delegated zone controlled in one single place if you want full control (all these steps add complexity and security implications regardless of how you perform them to be honest, however; you do win stability).

Currently every single A & AAAA is signed for .SE, and signed with our own key inside our own zone. There are no dependencies outside of root.

> DNSSEC will of course not protect you from human errors, like the one 
> discussed here.

No, since it was a human error we did sign the zone we broke. ;p

>> Had to speak with some people internally before composing this, thus the delay. Saw more emails concerning this later in the thread; they are actually (somewhat) incorrect, out-of-zone NS' would have helped us. Still not worth it though imho, considering control and security mentioned above.
> 
> I believe you need to open that discussion again, in consideration of 
> the DNSSEC properties mentioned above.
> 
> Daniel

Honestly I think it's a matter of policy; how much is security and control worth if you pitch it against stability? 

Our current delegation of .SE I think is pretty much focused on security and control, it's only natural that we lose some stability due to this but basically… it's a cost we're willing to take (and you could perhaps argue that we've paid the price for it with this incident).

...I wish I could find that survey, it was quite good and talked about exactly this for a lot of different TLDs. ;p No one remembers it? Annoying that I can't refer/point to it... ;(


	/Regards, Einar
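
The dependency argument in the message above, as an added example that is not part of the original post: for each name server of a TLD it reports which zone is authoritative for (and would sign) its A/AAAA records, and which zones besides the TLD and the root a resolver has to rely on. The TLD `example.`, the host names and the list of zone cuts are constructed for illustration and are not .SE's actual delegation.

```python
"""Added example: which zones does a TLD's NS set depend on for address records?"""

def suffixes(name):
    """Yield name and each parent domain as lowercase absolute names, root last."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."

def zone_chain(name, zone_apexes):
    """Zone apexes on the path to name, closest enclosing zone first, root last."""
    return [s for s in suffixes(name) if s == "." or s in zone_apexes]

def classify_ns(tld, ns_host, zone_apexes):
    """Classify one NS host of `tld` (lowercase, absolute, e.g. 'example.')."""
    chain = zone_chain(ns_host, zone_apexes)
    home = chain[0]  # zone authoritative for the host's A/AAAA, so the one that signs them
    if home == tld:
        kind = "in-zone, non-delegated"    # address records are signed TLD data
    elif home.endswith("." + tld):
        kind = "in-zone, delegated child"  # TLD holds only glue, which is not signed
    else:
        kind = "out-of-zone"               # addresses live under another delegation chain
    extra = [z for z in chain if z not in (tld, ".")]
    return {"host": ns_host, "kind": kind, "signed_by": home, "extra_zones": extra}

def external_dependencies(tld, ns_hosts, zone_apexes):
    """All zones other than the TLD and the root that the NS set depends on."""
    deps = set()
    for host in ns_hosts:
        deps.update(classify_ns(tld, host, zone_apexes)["extra_zones"])
    return sorted(deps)

if __name__ == "__main__":
    # Constructed zone cuts: 'ns2.example.' is delegated, 'ns.example.' is not.
    apexes = {"example.", "ns2.example.", "test.", "operator.test."}
    ns_set = ["a.ns.example.", "b.ns2.example.", "ns1.operator.test."]
    for host in ns_set:
        print(classify_ns("example.", host, apexes))
    print("extra zones:", external_dependencies("example.", ns_set, apexes))
```

An empty result from `external_dependencies` corresponds to the "no dependencies outside of root" case described in the message.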
