[dns-operations] Best practice for securing DNS record

Tony Finch dot at dotat.at
Fri Feb 11 11:17:12 UTC 2022


Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> In corporate networks with DNS managed at arm's length by a separate
> team, it is not uncommon for users to request addition of DNS records,
> but neglect to request their deletion or to fail to keep them up to
> date.

Right. Ideally your service provisioning stuff would be hooked up to the
DNS so that when a service is decommissioned the DNS is automatically
cleaned up as well.

For off-site services, the key phrase for your threat model is "subdomain
takeover attacks".

There's some basic automation that can help spot problems: looking for
dangling CNAMEs; checking whether the target of an A record still
responds; checking whether a web server is still hosting the site you
expect.

It's also important to know what the subdomain authorization policies are
for each of your off-site providers. Are the authorization records
temporary (if so, clean them away promptly) or do they need to remain in
place? How well does each provider protect you against subdomain
takeovers? (i.e. how closely do you need to monitor them yourself?)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  https://dotat.at/
Great Orme Head to the Mull of Galloway: Southerly or southwesterly 3
to 5, increasing 6 to gale 8, occasionally severe gale 9 later in
north and west. Smooth or slight becoming moderate or rough,
occasionally very rough later in west. Showers, then occasional rain.
Good, occasionally poor later.
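
An added example, not part of the original message: a sketch of the "dangling CNAME" check mentioned above, run over an exported record list. The zone name, the records and the `resolves` hook are all constructed assumptions; the default hook does a live lookup with the system resolver.

```python
import socket

ZONE = "example.org."  # constructed zone name (assumption, not from the post)

# Constructed sample records: (owner, type, target)
RECORDS = [
    ("www.example.org.", "CNAME", "web.example.org."),
    ("web.example.org.", "A", "192.0.2.10"),
    ("shop.example.org.", "CNAME", "example-shop.hosting.example."),
    ("old.example.org.", "CNAME", "retired.hosting.example."),
    ("loop.example.org.", "CNAME", "loop.example.org."),
]

def system_resolves(name):
    """Default live check: does the name resolve to any address?"""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False

def audit_cnames(records, zone, resolves=system_resolves):
    """Return {owner: finding} for every CNAME in the record list."""
    cnames = {o.lower(): t.lower() for o, typ, t in records if typ == "CNAME"}
    has_addr = {o.lower() for o, typ, _ in records if typ in ("A", "AAAA")}
    findings = {}
    for owner in cnames:
        seen, name = set(), owner
        while name in cnames and name not in seen:
            seen.add(name)          # follow the chain within our own data
            name = cnames[name]
        if name in seen:
            findings[owner] = "loop"
        elif name == zone or name.endswith("." + zone):
            # In-zone target: it must have an address record in the export.
            findings[owner] = "ok" if name in has_addr else "dangling-internal"
        else:
            # Off-site target: a name that no longer resolves is the
            # subdomain-takeover candidate and should be cleaned up.
            findings[owner] = "ok-offsite" if resolves(name) else "dangling-offsite"
    return findings
```

An off-site target that still resolves is not proof the provider account is still yours, so "ok-offsite" entries still need the provider-side checks described in the message.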



