[dns-operations] Best practice for securing DNS record

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Feb 10 18:34:29 UTC 2022


On Thu, Feb 10, 2022 at 04:55:24PM +0000, Subramanian, Karthikeyan via dns-operations wrote:

> Records are not vulnerable or any Stale record.

As others mentioned, "vulnerability" is not really a property of DNS
zone data, but "stale" presumably means one of:

    * The name no longer exists, and ought to be removed from the zone
    * The address is not the right address for the name
    * A PTR record points to the wrong or a non-existent name
    * There is no longer any host at that IP address.
    ...

In corporate networks with DNS managed at arm's length by a separate
team, it is not uncommon for users to request addition of DNS records,
but neglect to request their deletion or fail to keep them up to
date.

Avoiding low data quality is then a combination of:

    * Periodic audits to check that the zone data is accurate
      and still needed.

    * Self-service tooling that lowers the barriers for users to
      keep the data current and correct (adding and removing names they
      are authorised to control) and ideally incentives for them to
      keep care...

-- 
    Viktor.
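The periodic audit suggested above, as an added example that is not part of the thread: an offline check of forward (A) and reverse (PTR) zone data for the kinds of staleness listed in the message. The zone contents, and the set of addresses known to be in use (assumed to come from an inventory rather than from probing), are constructed sample data.

```python
"""Audit A and PTR data for stale records: PTRs whose target name no
longer exists or points at a different address, A records whose address
has no live host, and A records with no matching PTR."""
import ipaddress


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa owner name (with trailing dot) for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ip_from_reverse_name(rev: str) -> str:
    """Recover the IPv4 address from a full in-addr.arpa owner name."""
    labels = rev.rstrip(".").split(".")[:4]
    return ".".join(reversed(labels))


def audit_zone(a_records, ptr_records, live_hosts):
    """a_records: {owner: set(ips)}; ptr_records: {reverse owner: target name};
    live_hosts: set of IPs believed to be in use (constructed inventory).
    Returns a sorted list of (record, finding) tuples."""
    findings = []
    for name, ips in a_records.items():
        for ip in ips:
            if ip not in live_hosts:
                findings.append((f"{name} A {ip}", "no host at address"))
            if reverse_name(ip) not in ptr_records:
                findings.append((f"{name} A {ip}", "missing PTR"))
    for rev, target in ptr_records.items():
        record = f"{rev} PTR {target}"
        if target not in a_records:
            findings.append((record, "target name does not exist"))
        elif ip_from_reverse_name(rev) not in a_records[target]:
            findings.append((record, "PTR does not point back to its A record"))
    return sorted(findings)


# Constructed sample zone data; 192.0.2.0/24 is the documentation range.
SAMPLE_A = {"web.example.": {"192.0.2.10"},
            "old.example.": {"192.0.2.20"},
            "db.example.": {"192.0.2.30"}}
SAMPLE_PTR = {"10.2.0.192.in-addr.arpa.": "web.example.",
              "20.2.0.192.in-addr.arpa.": "gone.example.",
              "30.2.0.192.in-addr.arpa.": "web.example."}
SAMPLE_LIVE = {"192.0.2.10", "192.0.2.30"}

if __name__ == "__main__":
    for record, finding in audit_zone(SAMPLE_A, SAMPLE_PTR, SAMPLE_LIVE):
        print(f"{record}: {finding}")
```

Run against a real zone, the same function would take the A and PTR sets exported from the zone files or an AXFR, with the live-host set supplied by whatever inventory the organisation trusts.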
