[nsp-sec] ccTLD Security - What are your top 5 "security" recommendations?
Nick Hilliard
nick at inex.ie
Fri Mar 11 11:05:14 EST 2011
On 11/03/2011 14:43, Barry Greene wrote:
> Q. In your shoes, what would you think are the top 5 security
> recommendations you would give to a ccTLD operator? What would make
> _their_ life more secure and reduce their OPEX? What would make the
> _industry's_ life "more secure?"
One thing that's always bothered me about cctlds is the number of third
party people with root access on cctld servers, and therefore with write
access to the domain within specific communities. Over the past couple of
years, this has improved massively, and many cctlds have taken steps to
ensure that they have sole access to the machines hosting their
secondaries, but I would argue that it is still a significant problem which
affects a large number of domains.
.ie is a good example. It uses 9 nameservers, of which 7 are controlled by
5 administratively separate organisations. An engineering compromise of
any of those 5 organisations could lead to false dns data being published.
How many people within those 5 organisations have root access? How many
people world-wide have write access to all cctlds?
DNSSEC will help against this (one of the few unique selling points of DNSSEC).
Nick