...
- MUST: Do not mix authoritative and recursive name servers on the same DNS infrastructure.
- MUST: Use at least two distinct nameservers for any given zone. Solutions using a load balancer in front of multiple servers usually aren’t practical because they don’t easily allow for geographical diversity, introduce complexity, and risk overloading stateful systems in case of D/DoS type traffic patterns.
- MUST: Have software diversity. For a given zone with two or more published authoritative nameservers, all nameservers must not be running the same authoritative DNS software package. Use software from two or more vendors.
- MUST: Authoritative servers must be geographically and topologically distributed (RFC 2182).
- MUST: All authoritative servers for a given zone must not be placed on the same network infrastructure. This includes the following:
  - All the authoritative servers for a given zone must not be placed on the same subnet.
  - All the authoritative servers for a given zone must be in different physical locations (not the same rack and room).
- SHOULD: All the authoritative servers for a given zone should not be placed within the same Autonomous System.
- SHOULD: All the authoritative servers for a given zone should be in different geographical areas (preferably different cities or regions).
- MUST: Enable monitoring of your services, servers, and network equipment that make up your DNS infrastructure.
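As an added example (not part of the original document), the nameserver-diversity requirements above expressed as an inventory audit that a monitoring job could run for each zone. The `Nameserver` record layout, the reading of "same subnet" as /24 for IPv4 and /48 for IPv6, and the sample inventory are assumptions, not from the page.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Nameserver:
    """One published authoritative server for a zone (assumed inventory record)."""
    name: str      # NS owner name
    address: str   # IPv4 or IPv6 literal
    asn: int       # origin AS announcing the address
    software: str  # authoritative DNS package / vendor
    site: str      # physical location: datacenter / room / rack
    region: str    # city or region

# Constructed inventory for a hypothetical zone (documentation prefixes and ASNs, not real hosts).
EXAMPLE_ZONE = [
    Nameserver("ns1.example.net", "192.0.2.10", 64500, "bind", "dc-a/room1/rack7", "city-a"),
    Nameserver("ns2.example.net", "192.0.2.20", 64500, "bind", "dc-a/room1/rack7", "city-a"),
    Nameserver("ns3.example.net", "198.51.100.5", 64501, "nsd", "dc-b/room3/rack2", "city-b"),
]

def subnet_of(address, v4_len=24, v6_len=48):
    """Assumed meaning of 'same subnet': /24 for IPv4, /48 for IPv6 (the text fixes no length)."""
    ip = ipaddress.ip_address(address)
    prefix = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)

def shared_values(servers, key):
    """Map each attribute value shared by more than one server to the names of those servers."""
    groups = {}
    for ns in servers:
        groups.setdefault(key(ns), []).append(ns.name)
    return {k: names for k, names in groups.items() if len(names) > 1}

def audit_zone(servers):
    """Return (level, message) findings, one per violated MUST/SHOULD diversity requirement."""
    findings = []
    if len({ns.name for ns in servers}) < 2:
        findings.append(("MUST", "fewer than two distinct nameservers published"))
    if len({ns.software for ns in servers}) < 2:
        findings.append(("MUST", "every nameserver runs the same authoritative software package"))
    for net, names in shared_values(servers, lambda ns: subnet_of(ns.address)).items():
        findings.append(("MUST", f"same subnet {net}: {', '.join(names)}"))
    for site, names in shared_values(servers, lambda ns: ns.site).items():
        findings.append(("MUST", f"same physical location {site}: {', '.join(names)}"))
    for asn, names in shared_values(servers, lambda ns: ns.asn).items():
        findings.append(("SHOULD", f"same Autonomous System AS{asn}: {', '.join(names)}"))
    for region, names in shared_values(servers, lambda ns: ns.region).items():
        findings.append(("SHOULD", f"same geographical area {region}: {', '.join(names)}"))
    return findings
```

Running `audit_zone(EXAMPLE_ZONE)` flags ns1 and ns2 for sharing a /24 and a rack (MUST) and for sharing an AS and a city (SHOULD), while the software requirement passes because two packages are in use.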
...