Blog.Andrei.MD

I am Andrei Railean

Jul 5th (Mon)

NearlyFreeSpeech.net DDOS effect

I’m using NearlyFreeSpeech.net (NFS) for some web and DNS hosting. It’s pretty cheap and has plenty of controls, just right for a technical person like me.

However, the recent DDOS (Distributed Denial of Service) attack has shown me that their network is not resilient at all. I’m particularly concerned about the DNS service. A commercial DNS offering is meant to use geographically distributed servers, NOT servers that all sit on one network.

A couple of weeks ago, there was a network hardware failure at CrazyDomains.com.au. All of their web sites were down, but the DNS kept going. This is the way it’s supposed to be done.

Now, I’ll probably move all the domains to Zerigo.com and take advantage of their API and domain templates. I was thinking of using the DNS service offered by Linode.com when you sign up for one of their VMs. However, I feel I should go with a dedicated DNS hosting provider this time, not some free or cheapish add-on to hosting.

To conclude, there really aren’t many good DNS hosting services available.

Tags: dns hosting technical advice
Dec 9th (Wed)

Domain Hash Method

Here is a simple way for a third-party service to verify that you own a domain name.

Method:
Store a hash of a domain password (MD5, SHA-1 or similar; SHA-1 in the example below) in a TXT record in the domain’s zone, prefixed with the algorithm name so the verifier knows which digest to compute.

Example:
blog.andrei.md  TXT  publichash:sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

When I go to a blog provider and tell them to use blog.andrei.md as a domain name, instead of just trusting that I own the domain, the verification goes something like this:

I create the public hash:
sha1("hello") -> aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
and update my DNS zone to reflect that.

I supply my domain name to the service provider:
blog.andrei.md

The service provider looks up the TXT records for the name, finds the one that starts with “publichash:” and ends at the next whitespace character, and splits it on the colons: the token after the prefix names the hash algorithm (sha1 here) and the final token is the hex digest. Note that a pattern like publichash:[\w]+ would stop at the colon before the digest; something like publichash:(\w+):([0-9a-f]+) captures both parts.

Service provider asks me for a password.
I enter “hello”
They compute and verify that hashes match

That’s it: the service provider has verified that I know the domain password and can assign the domain to my account on their system. This is kind of what Google does when you verify your domain with them. Google asks you to do it via a CNAME, which I don’t find as pretty because you’re polluting your domain space with a Google-specific one-time-use record that serves no purpose other than to verify ownership.
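As an added example (not code from the original post), here is the provider-side check in Python: find the publichash TXT record, hash the password the user types with the algorithm the record names, and compare. The zone data is a constructed dict standing in for a real DNS lookup, and the function and constant names are my own.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a DNS zone; a real provider would query TXT
# records with a resolver instead of reading this dict.
ZONE_TXT = {
    "blog.andrei.md": [
        "v=spf1 -all",  # unrelated TXT record, must be ignored
        "publichash:sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d",
    ],
}

# "publichash:" + algorithm name + ":" + hex digest, terminated by whitespace
# or end of record. The algorithm and digest are captured as two groups.
PUBLICHASH_RE = re.compile(r"publichash:([a-z0-9_-]+):([0-9a-fA-F]+)(?=\s|$)")

# Algorithms the verifier is willing to compute (md5/sha1 only for compatibility)
SUPPORTED = {"sha1", "sha256", "md5"}


def parse_publichash(txt_records):
    """Return (algorithm, hexdigest) from the first TXT record carrying a publichash token."""
    for record in txt_records:
        m = PUBLICHASH_RE.search(record)
        if not m:
            continue
        algo, digest = m.group(1).lower(), m.group(2).lower()
        if algo not in SUPPORTED:
            raise ValueError(f"unsupported hash algorithm {algo!r}")
        # A digest of the wrong length can never match; reject it up front
        if len(digest) != hashlib.new(algo).digest_size * 2:
            raise ValueError("digest length does not match algorithm")
        return algo, digest
    raise ValueError("no publichash TXT record")


def verify_domain_password(domain, password, zone=ZONE_TXT):
    """Provider-side check: hash the supplied password and compare to the published digest."""
    try:
        algo, published = parse_publichash(zone.get(domain, []))
    except ValueError:
        return False
    computed = hashlib.new(algo, password.encode("utf-8")).hexdigest()
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(computed, published)


if __name__ == "__main__":
    print(verify_domain_password("blog.andrei.md", "hello"))  # True
    print(verify_domain_password("blog.andrei.md", "Hello"))  # False
    print(verify_domain_password("www.andrei.md", "hello"))   # False, no record
```

The provider never stores the password; it only needs the record and the single digest computation, which is the whole appeal of the scheme.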

Now, in order for the domain to point to the new service provider, we’ll still need a CNAME record (good) or an A record (bad) so that browsers and other systems can resolve the address to the new system. A CNAME follows whatever address the provider publishes; an A record pins their current IP address and silently breaks when they move.

In some cases this can be done with just a CNAME record. For example, imagine there’s a blog system on blog.example.com. I sign up and get my new shiny blog address andrei.blog.example.com - YAY! Shiny it may be, but I still want to keep it under my domain name for more reasons than one. So I create a CNAME record like so:
blog.andrei.md CNAME andrei.blog.example.com.

The imaginary interface at blog.example.com would then ask me for my new domain name and, after looking up the CNAME record and checking that it points to my blog subdomain on their system, enable it. Because andrei.blog.example.com is unique to my account, the CNAME target alone identifies which account the domain belongs to. This would do the trick in most cases where there’s a one-to-one mapping between the domain and the service provided.
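An added example, not from the original post, of the CNAME check the imaginary interface would run. The zone below is constructed; andrei.blog.example.com is the account-specific hostname from the text. Name normalisation (case, trailing dot), following a chain of CNAMEs and stopping on a loop go beyond what the post describes and are my additions.

```python
# Constructed stand-in for CNAME lookups; a real provider would use a resolver.
ZONE_CNAME = {
    "blog.andrei.md.": "andrei.blog.example.com.",
    "www.andrei.md.": "blog.andrei.md.",        # alias of an alias, still ends at the provider
    "loop.andrei.md.": "loop2.andrei.md.",
    "loop2.andrei.md.": "loop.andrei.md.",      # misconfigured loop
}


def fqdn(name):
    """Normalise a DNS name: lower-case with exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def resolve_cname_target(name, zone, max_hops=8):
    """Follow CNAME records from name and return the final target.

    Returns None when the name has no CNAME, when the chain loops, or when
    it exceeds max_hops (a resolver would give up in the same situations)."""
    current = fqdn(name)
    seen = set()
    hops = 0
    while current in zone:
        if current in seen or hops >= max_hops:
            return None
        seen.add(current)
        current = fqdn(zone[current])
        hops += 1
    return current if hops else None


def verify_cname(custom_domain, assigned_host, zone=ZONE_CNAME):
    """Provider-side check: the user's domain must alias the hostname assigned to their account."""
    return resolve_cname_target(custom_domain, zone) == fqdn(assigned_host)


if __name__ == "__main__":
    print(verify_cname("blog.andrei.md", "andrei.blog.example.com"))   # True
    print(verify_cname("www.andrei.md", "andrei.blog.example.com"))    # True via chain
    print(verify_cname("loop.andrei.md", "andrei.blog.example.com"))   # False, loop
```

This binds the domain to an account only because the target hostname is per-account; if every customer pointed at the same blog.example.com, the CNAME would prove nothing about who controls the domain.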

However, if you want to represent the domain somewhere or add “verified” links to it, another system is required. What’s a verified link? If you’re leaving a comment on some blog, how does that blog verify that the URL that you leave in the “www” box is truly yours?

I could also wildcard the whole domain to this one password like so:
*.andrei.md  TXT  publichash:sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
One caveat: a DNS wildcard only answers for names that have no records of their own, so a host such as www.andrei.md that already has an A record would not inherit the wildcard TXT and would need its own publichash record.

Of course, if the hash is out in the open, anyone can retrieve it and try to brute-force the password on their super hardware, and an unsalted hash of a short password falls to a wordlist in seconds. Every provider I verify with also learns the plaintext password, so one careless or malicious provider could pass the check at all the others; a one-time value per provider, which is what the Google-style record gives you, avoids that. We wouldn’t want to take all the fun away from life and make it super secure, would we? However, I believe that the convenience could outweigh the occasional potential security risk.
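To make the risk concrete, here is an added example (not from the post) that runs an offline dictionary attack against the published record, then against a record built from a random 128-bit secret. The random secret is my hardening suggestion, not something the post proposes; the wordlist is constructed and the function names are my own.

```python
import hashlib
import re
import secrets

# The record from the post: sha1("hello") sitting in a public TXT record
PUBLISHED = "publichash:sha1:aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"

# Constructed stand-in for a real password list (rockyou.txt has about 14 million entries)
WORDLIST = ["password", "123456", "letmein", "hello", "andrei", "blog"]

RECORD_RE = re.compile(r"publichash:([a-z0-9]+):([0-9a-f]+)")


def split_publichash(record):
    """Return (algorithm, hexdigest) from a publichash TXT record."""
    m = RECORD_RE.search(record.lower())
    if not m:
        raise ValueError("not a publichash record")
    return m.group(1), m.group(2)


def crack_publichash(record, wordlist):
    """Offline attack: hash each candidate with the published algorithm until one matches.

    Returns (password, guesses) on success or (None, guesses) when the list is exhausted.
    There is no salt and no iteration count, so one hash per guess is the only cost."""
    algo, digest = split_publichash(record)
    guesses = 0
    for guesses, candidate in enumerate(wordlist, 1):
        if hashlib.new(algo, candidate.encode("utf-8")).hexdigest() == digest:
            return candidate, guesses
    return None, guesses


def make_publichash(password, algo="sha256"):
    """Build a publichash record for a password (used for the hardened variant below)."""
    digest = hashlib.new(algo, password.encode("utf-8")).hexdigest()
    return f"publichash:{algo}:{digest}"


def random_domain_secret():
    """Hardening suggestion: a 128-bit random secret is out of reach of wordlists and brute force."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print(crack_publichash(PUBLISHED, WORDLIST))                       # ('hello', 4)
    print(crack_publichash(make_publichash(random_domain_secret()), WORDLIST))  # (None, 6)
```

A salt would not help much here: anything in the zone is public, so a salt only defeats precomputed tables, not a targeted guess-and-hash loop. The entropy of the secret is what matters, and a generated token can still be typed into a provider's form once and stored in a password manager.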

Anyway, take it or not, it’s just an idea that I need to get out of my head and into the net so it doesn’t get lost and I’m free to think of something else.

I am Andrei Railean of SITER Internet Solutions and I make internet better by performing worldwide web development and maintenance projects from Sydney, Australia.

Tags: dns security technical