On 4 Jul 2024, at 23:22, Paul Ebersman <list-nanog2@dragon.net> wrote:
cjc> On the other side of this, we all may be learning the value of not cjc> having all of you NS records in a single zone with a domain under a cjc> single registrar.
From some trainings I did on how to be sure your DNS was robust:
- don't have all your business critical domains under the same registrar (unless it's of the CSC/markmonitor class)
Please note that: - Markmonitor is owned by Newfold Digital / Endurance International [1] - Network Solutions is owned by Web.com <http://web.com/> [2] - Web.com <http://web.com/> is... owned by Newfold Digital [3] But yes, if you pay MM, you likely get to keep your domain. Note that NetSol is also not the NetSol anymore from the 1990's that one got tshirts from when you got a domain. [1] https://en.wikipedia.org/wiki/Markmonitor [2] https://en.wikipedia.org/wiki/Network_Solutions [3] https://en.wikipedia.org/wiki/Endurance_International_Group And... we all still have ICANN as an ultimate power, and the TLD itself, next to the above registrar. There is always going to be single point of failures in a hierarchical tree like that.
- don't have all your auth NS for your domain in bailiwick (within the domain being served)
If, as it is the example in the thread, he.net <http://he.net/> is your primary domain, which is their case, then if somebody in the tree disables the delegation of he.net <http://he.net/>, nothing is going to fix resolution to you. Having your DNS servers in another TLD will not make he.net <http://he.net/> appear in the global DNS again... And if you look at multiple large sites, the google.com <http://google.com/> akamai.com of the world, their registrar is MM, DNS are in-bailiwick and in-AS. Indeed, for domains that are not 'infrastructure', where one uses out of bailiwick DNS servers, that can help, but also cause issues. But, if we have for instance: example.com <http://example.com/> NS ns1.example.net <http://ns1.example.net/> NS ns2.example.org <http://ns2.example.org/> NS ns3.example.com <http://ns3.example.com/> Then: - if .com decided to kick you out, you are out - if .net or .org decide to kick you out you lose 1/3rd of your queries and induce latency... (at which point one can still remove the glue, but that will be another hour before gone) Thus one only increases the risk by having multiple TLDs. Choosing a trusted registrar (one you have good contact with; indeed MM qualifies) and a TLD that will not cause you issues, is thus more important.
- don't have all your auth NS in the same routing domain (anycast can be an exception to this if robust enough)
Yep, that is a decent rule. But if you control your routing domain (AS, different prefixes), less external issues that can happen ;) Many of these rules btw are tested with https://www.zonemaster.net/ Though, one will see that many of the big sites do not have that; but they also use MM, and have 24/7 teams to fix things.
- don't have the account registrar credential emails all within the domain, nor with personal emails like gmail. do have them all under control of your IT
Accounts in different domains can be indeed a rather good one to think about, definitely for communication when the main domain is broken, at least the other domains are then on file for contacting. Hopefully those email addresses cannot be used for account recovery, as then one increases risk again.
- protect all account credentials with strong passwords, MFA - have MX for your domain either with a very large provider or across multiple domain names
It's painfully easy to fall off the internet and be unreachable if you're not thinking about all this for business critical domains. You don't ever want to be hoping that some customer kept your NOC phone number in their phone. ;)
Indeed; The weakest point is where the chain breaks... one can have a simple chain or a very distributed chain. Greets, Jeroen