Complete explanation of in-bailiwick

Simon Waters Simon at wretched.demon.co.uk
Wed Jul 30 00:14:25 UTC 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joseph S D Yao wrote:
>
> There's also some vagueness as to what constitutes your "bailiwick".
> Again, it's whatever is under your control.  But you mention delegation.
> So, do your subdomains trust you enough to have the bailiwick be
> "gwu.edu"?  Do you trust them enough to delegate bailiwicity?
> ["bailiwicity"????]

Your subdomains have to trust their parents. You can always screw over
your subdomains (*.subdomain.example.com. 9999999 IN A 127.0.0.1); the
point is minimizing the number of servers you have to trust.

If it is the meaning and not the letter of the method, delegating
authoritative name servers for subdomains is to be avoided unless there
are compelling reasons, as you are increasing the number of points you
have to defend against attack.

I always treated the term as one method of not having to rely on servers
randomly distributed across the globe for correct resolution; you can
achieve the same effect by other means, but the point is to ensure you
only trust the smallest set of servers necessary to achieve reliable
operation.

Of course the big design flaw is the root name server organisations:
trusting 13(+?) servers, when you could be trusting 1 (or more!) digital
signatures, but at least even pointy-haired bosses usually understand
the root name servers need to be secured.

> ISTM that it's a bit of a red herring, though, unless you KNEW, e.g.,
> that auth4.dns.rcn.net were an MS W'95 machine on a public corridor
> that could be messed with by any passerby who knew what it was.  And if
> you knew that, why would you ask them to serve as one of your name
> servers?  ;-)

No, the problem is if you use out-of-bailiwick servers you risk spreading
the trust across machines that don't need to be involved in resolving a
name.

osis.gov relies on the root servers and the .gov servers, but also the
ans.net servers, and thus the .net servers, not to mention the uu.net
servers.

Okay, someone compromising the uu.net name servers might have a lot of
work to do to intercept OSIS.GOV email, but that it is even
theoretically possible should be of concern. There are at least a dozen
more servers involved in the correct answer to an OSIS.GOV query than
is necessary: 12 more places to get hacked.

It happens in this case that ans.net and uu.net are closely related, so
you could probably exert some influence to get things fixed quickly if a
problem arose (or extract reparations for bad service); the same can't
necessarily be said for many of the organisations involved in hosting
many of the country-code TLDs. Indeed many big European countries' TLD
domains are hosted in so many diverse domains that almost any compromise
of a significant European DNS server could result in serious
repercussions for many unrelated organisations in many other European
countries.

The most surprising thing is it hasn't happened more often on an
embarrassingly large scale, especially since, given the number of times
I've found and reported lame servers in ccTLDs, it is apparent many of
the countries involved hope there is someone with a clue somewhere
watching over such details, when there clearly isn't any such person.

Keeping delegation in-bailiwick is the simplest method to keep the problem
from growing. Even if rcn.net is sound today, so you get them to host
your domain from ns1.rcn.net, they might be bought up tomorrow by
ANISP.COM, who moves the delegation of rcn.net name servers to
ANISP.CO.UK, and suddenly your delegation is affected by Dutch, French,
Swedish, German, Pipex, Janet, and NIC.UK name servers, to name a few.
Whereas if all new delegations are in-bailiwick you can never make the
problem worse than it already is.

Of the major European countries Germany seems most clueful on DNS. Some
major UK domains look weird, I guess we have more of a legacy of
friendly academic network to live down.

Your paranoia may vary.

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/Jw3cGFXfHI9FVgYRAhajAJ4zToYns/hANsEV8ZJOwedrq/QAfQCeJLbf
jhfqB3KVrQczHjLTA1qX+4g=
=UI9j
-----END PGP SIGNATURE-----
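The trust-spreading argument in the message above (osis.gov depending on the .gov, ans.net, .net and uu.net servers, and the "bought up tomorrow" scenario) can be made concrete by computing the transitive set of zones and name servers that must be honest for a zone to resolve. The Python below is an added example, not code from Simon's post or from BIND; its delegation table and every zone and host name in it are constructed for illustration rather than taken from the real osis.gov or rcn.net delegations, and it assumes that hosts whose enclosing zone is not in the table are reached via the hints file or glue.

```python
"""Transitive DNS trust dependencies: which zones and name servers must all
be honest for a zone to resolve correctly.  Added example, not code from the
post; every zone and host name below is constructed for illustration."""

from collections import deque

# Constructed delegation table: zone -> its NS host names (absolute, with a
# trailing dot).  It mimics the osis.gov -> ans.net -> uu.net chain the post
# describes, with made-up server names.  Hosts whose enclosing zone is not in
# the table (root and TLD servers here) are taken to be reached via the hints
# file or glue and add no further dependencies (a simplifying assumption).
DELEGATIONS = {
    ".":             ["a.root.test.", "b.root.test."],
    "gov.":          ["a.gov-servers.test.", "b.gov-servers.test."],
    "net.":          ["a.gtld-servers.test.", "b.gtld-servers.test."],
    "uk.":           ["ns1.nic-uk.test.", "ns2.nic-uk.test."],
    "co.uk.":        ["ns3.nic-uk.test.", "ns4.nic-uk.test."],
    "osis.gov.":     ["ns1.ans.net.", "ns2.ans.net."],          # out of bailiwick
    "ans.net.":      ["ns1.ans.net.", "auth1.uu.net."],
    "uu.net.":       ["auth1.uu.net.", "auth2.uu.net."],
    "anisp.co.uk.":  ["ns1.anisp.co.uk.", "ns2.anisp.co.uk."],
    "example.gov.":  ["ns1.example.gov.", "ns2.example.gov."],  # in bailiwick
}


def normalise(name):
    """Lower-case, absolute form with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def enclosing_zones(name):
    """Proper ancestors of `name`, closest first, ending with the root."""
    name = normalise(name)
    if name == ".":
        return []
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))] + ["."]


def trust_closure(zone, delegations=DELEGATIONS):
    """Zones whose operators must all be honest for `zone` to resolve: the
    zone itself, its ancestors (they hold the delegation chain) and, for each
    of its name servers, the zone serving that server's address record,
    applied recursively."""
    trusted, todo = set(), deque([normalise(zone)])
    while todo:
        z = todo.popleft()
        if z in trusted:
            continue
        trusted.add(z)
        todo.extend(a for a in enclosing_zones(z) if a in delegations)
        if z == ".":
            continue  # root server addresses come from the hints file, not DNS
        for host in delegations.get(z, []):
            todo.extend(a for a in enclosing_zones(host) if a in delegations)
    return trusted


def trusted_servers(zone, delegations=DELEGATIONS):
    """Every name server host that can influence an answer for `zone`."""
    return {h for z in trust_closure(zone, delegations)
            for h in delegations.get(z, [])}


def out_of_bailiwick(zone, delegations=DELEGATIONS):
    """Name servers of `zone` whose own names lie outside `zone`."""
    zone = normalise(zone)
    return [h for h in delegations.get(zone, [])
            if not (normalise(h) == zone or normalise(h).endswith("." + zone))]


if __name__ == "__main__":
    for z in ("osis.gov.", "example.gov."):
        print(f"{z}: out-of-bailiwick NS {out_of_bailiwick(z)}, "
              f"{len(trust_closure(z))} zones, {len(trusted_servers(z))} servers")
    # The post's "bought up tomorrow" scenario: ans.net moves its own name
    # servers to a (constructed) UK provider, and osis.gov's trust set grows
    # even though nobody touched osis.gov's delegation.
    sold = dict(DELEGATIONS, **{"ans.net.": ["ns1.anisp.co.uk.", "ns2.anisp.co.uk."]})
    print(sorted(trust_closure("osis.gov.", sold)))
```

With the constructed table, the out-of-bailiwick osis.gov. depends on six zones and ten servers while the in-bailiwick example.gov. depends on three zones and six servers; after the simulated sale of ans.net the osis.gov. trust set picks up uk., co.uk. and anisp.co.uk. (and their servers) with no change to osis.gov's own delegation, which is exactly the growth the post says in-bailiwick delegation prevents.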



More information about the bind-users mailing list