[BBLISA] maximizing DNS security
Bill Bogstad
bogstad at pobox.com
Fri Apr 2 14:46:53 EDT 2010
On Fri, Apr 2, 2010 at 2:06 PM, Tom Metro <tmetro+bblisa at vl.com> wrote:
> Plain DNS has plenty of security problems, but what are the best
> practices for maximizing your DNS security. Specifically I'm wondering
> about how outsourced DNS, which leaves you open to social engineering
> attacks, compares to in-house management.
You could become an accredited domain registrar:
http://www.icann.org/en/registrars/accreditation.htm
Barring that, you are going to be subject to social engineering
whoever you use.
It seems like you need to find one who charges enough money to make it
profitable for them to institute real security mechanisms. This could
have reasonable ease of use. Perhaps one who requires you to submit
SSL client certificates when you register your domains with them.
All further changes would be done via the web with that certificate.
If someone else gets a copy, they ARE you (and you have no recourse).
Or for the ultimate in security make it like PGP key signing. You
have to show up in person with two photo ids in order to make any
changes to your domain. Maybe an RSA SecurID
card for two factor identification. Perhaps a little expensive, but
how much is control over your domain worth?
The thing is you are not going to get this for $10-20 dollars a year
for a handful of domains. You might get it for a few hundred dollars
in up front account setup costs and then a reasonable $20 a year per
domain added to that. That's assuming that enough people care about
this to make economies of scale work.
Bill Bogstad
More information about the bblisa
mailing list