[dns-operations] Fwd: Re: [Security] Glue or not glue?

Mark E. Jeftovic markjr at easydns.com
Tue Jun 9 15:32:47 UTC 2015


I'd like to revisit this thread because I never got a response last time.

-------- Original Message --------
Subject: Re: [dns-operations] [Security] Glue or not glue?
Date: Thu, 07 May 2015 09:54:13 -0400
From: Mark E. Jeftovic <markjr at easydns.com>
Organization: easyDNS Technologies Inc.
To: Paul Vixie <paul at redbarn.org>
CC: Stephane Bortzmeyer <bortzmeyer at nic.fr>, dns-operations at dns-oarc.net


Stephane Bortzmeyer wrote:
>> A new edition of the DNS security guide by ANSSI (French cybersecurity
>> agency) recommends preferring delegations with glue because glueless
>> delegations "may carry additional risks since they create a
>> dependency". ...
>

I tend to go with Patrik:

> Without reading the report, and speaking personally, I prefer a mix of delegations with glue and without to not have dependency of one path in the domain name space to work for resolution to work. Only glue creates for me a single point of failure...

as I think having multi-domain multi-TLD redundancy among NS delegations
is wise.

Paul when you say:

> if we're voting, i agree with this recommendation. (we should have named the root name servers X.ROOT-SERVERS without a delegation for .ROOT-SERVERS, so as to keep them in-zone, and we're still paying for that mistake.)
> 


I can see your point on something like root-servers.net or .root-servers
(tangentially also acknowledge whatever gets decided in these types of
situations, you are stuck with those decisions for a long time, in some
cases forever).

But are you saying this would be your preferred method for wider use?
I.e. when Joe 6-pack regs joesixpack.six and he's going to just host a
website and email he should have in-bailiwick nameservers (even if those
nameservers are being operated by his registrar/web host/DNS provider)?

In other words, are you saying every domain registered should have
"vanity" nameservers?

- mark

-- 
Mark E. Jeftovic <markjr at easydns.com>
Founder & CEO, easyDNS Technologies Inc.
+1-(416)-535-8672 ext 225
Read my blog: http://markable.com

