[dns-operations] [Security] Glue or not glue?

Edward Lewis edward.lewis at icann.org
Mon May 4 11:56:44 UTC 2015


On 5/4/15, 3:11, "Stephane Bortzmeyer" <bortzmeyer at nic.fr> wrote:

>A new edition of the DNS security guide by ANSSI (French cybersecurity
>agency) recommends to prefer delegations with glue because glueless
>delegations "may carry additional risks since they create a
>dependency". Is there any other "best practices" text which makes such
>a recommendation?

I can't read French, so no comment on the report.

I had to diagnose what appeared to be a security incident resulting from
the victim failing to remove glue at the parent when they changed
registration.  Years later, a presumably-unhappy newly-ex employee made
use of that glue in a new delegation to cause harm.  If the new delegation
had to be in bailiwick, then the stale glue couldn't hurt the victim in
this manner.

The trade-off - you (as a registrant) can either spread your eggs across
baskets (mixing glue's TLDs) and then manage all of the vendors involved
-OR- focus your eggs in one basket and then make it bulletproof by being
vigilant.  My observations indicate that the less attentive a registrant
is (as far as being a customer of registration services) the better served
they are to reduce the vendors involved - i.e., staying in bailiwick.
They risk a single point of failure (e.g., the TLD) as a result, but to
that point, glue isn't the worry, the registration is.
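An added example, not part of the original message or of any tool it mentions: a small audit of one delegation that sorts the NS names into in-bailiwick and out-of-bailiwick, lists the TLDs the out-of-bailiwick names depend on, and flags glue held at the parent for hosts no longer in the NS set. The function names, the report keys and the sample data are assumptions; the glue listing is assumed to come from the registrant's own registrar records.

```python
# Added example. All names and addresses below are constructed sample data.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def in_bailiwick(host, zone):
    """True when host is at or below zone, compared label by label
    (so ns.badexample.org is NOT inside example.org)."""
    h, z = labels(host), labels(zone)
    return len(h) >= len(z) and h[-len(z):] == z

def audit(zone, ns_set, parent_glue):
    """zone: the delegated name; ns_set: its NS targets;
    parent_glue: {host: [addresses]} registered at the parent."""
    ns = {n.rstrip(".").lower() for n in ns_set}
    glue = {h.rstrip(".").lower(): a for h, a in parent_glue.items()}
    report = {"in_bailiwick": [], "external_tlds": set(),
              "missing_glue": [], "stale_glue": []}
    for n in sorted(ns):
        if in_bailiwick(n, zone):
            report["in_bailiwick"].append(n)
            if n not in glue:          # in-bailiwick NS cannot resolve without glue
                report["missing_glue"].append(n)
        else:                          # another registration to keep watch over
            report["external_tlds"].add(labels(n)[-1])
    for h in sorted(glue):
        # Glue under this zone that no current NS record uses: candidate for removal.
        if in_bailiwick(h, zone) and h not in ns:
            report["stale_glue"].append(h)
    return report

SAMPLE_ZONE = "example.org"
SAMPLE_NS = ["ns1.example.org.", "ns2.example.net."]
SAMPLE_GLUE = {
    "ns1.example.org.": ["192.0.2.1"],
    "old-ns.example.org.": ["192.0.2.53"],   # left behind after a provider change
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ZONE, SAMPLE_NS, SAMPLE_GLUE).items():
        print(key, value)
```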