
On Tuesday 17 Jan 2006 01:04, you wrote:
> Not having all your DNS servers in the same domain, or registered through the same registrar, isn't a "best practice" that has previously occurred to me, but it makes a lot of sense now that I think about it.
I think the general consensus in the DNS field is that for security reasons it is preferable to have as small a set of DNS servers (or perhaps as small a set of differently configured servers! Hmm, physical security....) in the hierarchy above you as possible, since compromise of any of these could affect the results obtained for your domain. See also DJB's "Trusted Servers" note: http://cr.yp.to/djbdns/notes.html

Here there is a clear conflict between security through redundancy against accident, and resistance to compromise, although it can be mitigated by choosing well-managed parent zones.

Incidentally, we have DNS servers in two domains, but that is historical, and both top-level domains are managed by Verisign and delivered via the same set of servers. Thus we are dependent on "root-servers.net", "gtld-servers.net" and our own servers, only in the resolution of our own domain names (and customer domains, where those domains are in .com/.net). Of course, arguably the effective working of some services (email?) is now also dependent on reverse DNS working well, and the delegation of that is different again.

That said, I think the idea is sound against some issues (at which point one should probably also use different providers for the DNS registration services, since if their procedures are flawed....). However, it does increase the risk of certain types of malicious activity, as in general it is sufficient to compromise one DNS server involved in serving a name to compromise the majority of the traffic (at least in theory; I haven't had a chance to prove this in anger yet).

Since we are moving a couple of our nameservers from their current domain, I think I'll look at putting them under co.uk, as the UK seems to have tidied up its DNS management quite nicely in recent years.
Also, during a recent event it has struck me that the hierarchy of servers involved in providing DNS services is quite small, and has quite different characteristics to the other records in the DNS. I'm beginning to wonder if having the scaffolding in the protocol itself is the right way, but that is a debate that has raged before, and is off topic here.
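The dependency argument in the message above (any server in the hierarchy above you can affect answers for your name, and the zones that your nameserver hostnames themselves live in are part of that hierarchy) can be made concrete by computing the transitive "trusted servers" set for a name. The script below is an added example, not part of the original mail and not the author's code. It works from a constructed, deliberately simplified delegation table: the two-server root and gTLD sets, the nic.uk hostnames and the example.com / example.co.uk zones are illustrative assumptions, and glue records and TTLs are ignored. It compares the closure for a zone whose nameservers are all in-domain against the same zone with one nameserver moved under co.uk, as the message considers doing.

```python
# Added example (not from the original post): compute the transitive
# "trusted servers" set for a name, i.e. every zone and nameserver host
# whose compromise could change an answer for that name.
#
# The delegation table is constructed for illustration and heavily
# simplified: real root/TLD zones have many more servers, glue and TTLs
# are ignored, and the nic.uk / example.* hostnames are assumptions.

BASE_DELEGATIONS = {
    ".":                ["a.root-servers.net", "b.root-servers.net"],
    "net":              ["a.gtld-servers.net", "b.gtld-servers.net"],
    "com":              ["a.gtld-servers.net", "b.gtld-servers.net"],
    "root-servers.net": ["a.root-servers.net", "b.root-servers.net"],
    "gtld-servers.net": ["a.gtld-servers.net", "b.gtld-servers.net"],
    "uk":               ["ns1.nic.uk", "ns2.nic.uk"],
    "co.uk":            ["ns1.nic.uk", "ns2.nic.uk"],
    "nic.uk":           ["ns1.nic.uk", "ns2.nic.uk"],
    "example.co.uk":    ["ns1.example.co.uk", "ns2.example.co.uk"],
}

# Configuration 1: every nameserver for example.com lives inside example.com.
SINGLE_DOMAIN = {**BASE_DELEGATIONS,
                 "example.com": ["ns1.example.com", "ns2.example.com"]}

# Configuration 2: one nameserver moved under co.uk.
SPLIT_DOMAIN = {**BASE_DELEGATIONS,
                "example.com": ["ns1.example.com", "ns1.example.co.uk"]}


def enclosing_zones(name, delegations):
    """Zones on the delegation path from the root down to `name`."""
    stripped = name.rstrip(".")
    parts = stripped.split(".") if stripped else []
    zones = ["."]
    for i in range(len(parts)):
        suffix = ".".join(parts[len(parts) - i - 1:])
        if suffix in delegations:
            zones.append(suffix)
    return zones


def dependency_closure(name, delegations):
    """Return (zones, servers) that resolution of `name` depends on.

    Every zone on the path to `name` is a dependency, and so is every zone
    needed to resolve each nameserver hostname met along the way
    (recursively), because a resolver must look those hosts up as well.
    """
    zones, servers = set(), set()
    pending = [name]
    while pending:
        current = pending.pop()
        for zone in enclosing_zones(current, delegations):
            if zone in zones:
                continue
            zones.add(zone)
            for host in delegations[zone]:
                if host not in servers:
                    servers.add(host)
                    pending.append(host)
    return zones, servers


def extra_dependencies(name, before, after):
    """Zones that `after` adds to the trust set of `name` compared to `before`."""
    return (dependency_closure(name, after)[0]
            - dependency_closure(name, before)[0])


if __name__ == "__main__":
    for label, table in (("single domain", SINGLE_DOMAIN),
                         ("split across TLDs", SPLIT_DOMAIN)):
        zones, servers = dependency_closure("www.example.com", table)
        print(f"{label}: {len(zones)} zones, {len(servers)} servers")
        print("  zones:", sorted(zones))
    print("added by the split:",
          sorted(extra_dependencies("www.example.com",
                                    SINGLE_DOMAIN, SPLIT_DOMAIN)))
```

Run stand-alone, it prints 6 zones / 6 servers for the in-domain layout and 10 zones / 9 servers for the split one; the four extra zones (uk, co.uk, example.co.uk and nic.uk) are exactly the additional places an attacker could sit to influence answers for www.example.com, which is the trade-off the message describes between registrar redundancy and a smaller trust set.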