secure DNS hosting?
Ori Berger
linux-il at orib.net
Thu Jan 28 16:38:38 IST 2010
Amos Shapira wrote:
> What are you referring to by "server certificates, client certificates,
> RSA tokens etc"? Are you talking about DNS-SEC or just general web
> server security practices?
>
General web server security practices. A server certificate tells the
client that this server has been trusted by a known certificate
authority to serve a specific domain. That's not perfect, as hackers
have already demonstrated being able to get certificates for domains
they do not own, and a specific certificate signing bug (since patched)
allowed certificates for specially crafted domain names to pass as
certificates for other domains.
It does, however, make life harder for the hacker and works well against
a simple "man-in-the-middle" attack.
A client certificate proves to your server that the client possesses a
certificate, without sending it online. This provides some defense
against a man-in-the-middle attack or keyboard logging/password sniffing
-- but of course, not helpful if the client machine was compromised and
rooted.
RSA tokens (I'm sure there are other manufacturers) are small devices,
usually credit card sized, that display a password that keeps changing
every minute. Identity is verified by the client having access to the
up-to-date password at log-in time and when performing sensitive actions.
> I'm at the "reading the brochure" stage and googling a bit about
> them but one of the points I think I got through is that they have
> their own servers and cooperation with major ISPs in many places
> around the world in order to reduce the exposure to external DNS
> vulnerabilities.
>
That sounds like good practice. Make sure that this is true regarding
where your clients are located; e.g. they might have wonderful
infrastructure in the US but not in Australia, or vice versa.
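As an added illustration of the "password that keeps changing every minute" token described above (example code, not part of the original post, and not RSA's proprietary SecurID algorithm): a TOTP-style scheme in the manner of RFC 6238 with a 60-second step, plus the server-side check that tolerates one step of clock drift while refusing to accept a sniffed code twice. The seed and timestamp are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code, matching the "changes every minute" description


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP) -> str:
    """Token side: the counter is the number of whole time steps since the epoch."""
    return hotp(secret, int(now // step))


class TokenVerifier:
    """Server side: accept the current code or one step either side (clock drift),
    but never accept a time step that already produced a successful login."""

    def __init__(self, secret: bytes, skew: int = 1, step: int = STEP):
        self.secret, self.skew, self.step = secret, skew, step
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already used: a logged or sniffed code cannot be replayed
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-demo-seed-not-a-real-token"  # constructed, not a real seed
    t = 1264689518  # constructed timestamp
    verifier = TokenVerifier(seed)
    code = totp(seed, t)
    print("first use accepted:", verifier.verify(code, t))
    print("replay five seconds later rejected:", not verifier.verify(code, t + 5))
```

Note that a sniffed password is still useless only until the next step; the replay guard is what closes the window between token display and expiry.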