> On 4 Jul 2024, at 23:22, Paul Ebersman <list-nan...@dragon.net> wrote:
>
> cjc> On the other side of this, we all may be learning the value of not
> cjc> having all of you NS records in a single zone with a domain under a
> cjc> single registrar.
>
> From some trainings I did on how to be sure your DNS was robust:
>
> - don't have all your business critical domains under the same
> registrar (unless it's of the CSC/markmonitor class)
Please note that:
- Markmonitor is owned by Newfold Digital / Endurance International [1]
- Network Solutions is owned by Web.com <http://web.com/> [2]
- Web.com <http://web.com/> is... owned by Newfold Digital [3]
But yes, if you pay MM, you likely get to keep your domain.
Note that NetSol is also not the NetSol anymore from the 1990's that one got
tshirts from when you got a domain.
[1] https://en.wikipedia.org/wiki/Markmonitor
[2] https://en.wikipedia.org/wiki/Network_Solutions
[3] https://en.wikipedia.org/wiki/Endurance_International_Group
And... we all still have ICANN as an ultimate power, and the TLD itself, next
to the above registrar.
There is always going to be single point of failures in a hierarchical tree
like that.
> - don't have all your auth NS for your domain in bailiwick (within the
> domain being served)
If, as it is the example in the thread, he.net <http://he.net/> is your primary
domain, which is their case, then if somebody in the tree disables the
delegation of he.net <http://he.net/>, nothing is going to fix resolution to
you. Having your DNS servers in another TLD will not make he.net
<http://he.net/> appear in the global DNS again...
And if you look at multiple large sites, the google.com <http://google.com/>
akamai.com of the world, their registrar is MM, DNS are in-bailiwick and in-AS.
Indeed, for domains that are not 'infrastructure', where one uses out of
bailiwick DNS servers, that can help, but also cause issues.
But, if we have for instance:
example.com <http://example.com/> NS ns1.example.net <http://ns1.example.net/>
NS ns2.example.org <http://ns2.example.org/>
NS ns3.example.com <http://ns3.example.com/>
Then:
- if .com decided to kick you out, you are out
- if .net or .org decide to kick you out you lose 1/3rd of your queries and
induce latency...
(at which point one can still remove the glue, but that will be another hour
before gone)
Thus one only increases the risk by having multiple TLDs. Choosing a trusted
registrar (one you have good contact with; indeed MM qualifies) and a TLD that
will not cause you issues, is thus more important.
> - don't have all your auth NS in the same routing domain (anycast can
> be an exception to this if robust enough)
Yep, that is a decent rule. But if you control your routing domain (AS,
different prefixes), less external issues that can happen ;)
Many of these rules btw are tested with https://www.zonemaster.net/
Though, one will see that many of the big sites do not have that; but they also
use MM, and have 24/7 teams to fix things.
> - don't have the account registrar credential emails all within the
> domain, nor with personal emails like gmail. do have them all under
> control of your IT
Accounts in different domains can be indeed a rather good one to think about,
definitely for communication when the main domain is broken, at least the other
domains are then on file for contacting.
Hopefully those email addresses cannot be used for account recovery, as then
one increases risk again.
> - protect all account credentials with strong passwords, MFA
> - have MX for your domain either with a very large provider or across
> multiple domain names
>
> It's painfully easy to fall off the internet and be unreachable if
> you're not thinking about all this for business critical domains. You
> don't ever want to be hoping that some customer kept your NOC phone
> number in their phone. ;)
Indeed; The weakest point is where the chain breaks... one can have a simple
chain or a very distributed chain.
Greets,
Jeroen
