RFC 2010 (rfc2010) - Page 3 of 7
Operational Criteria for Root Name Servers
RFC 2010 DNSSVR Criteria October 1996
2.2. UDP checksums.  UDP checksums must be generated when sending
datagrams, and verified when receiving them.

     Rationale: Some vendors turn off UDP checksums for performance
                reasons, citing the presence of MAC-level frame checks
                (CRC, for example) as "strong enough."  This has been
                a disaster in actual practice.

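The following is an added worked example, not part of RFC 2010: it implements the RFC 768 UDP checksum (including the IPv4 pseudo-header) on both the sending and the receiving side, and shows why a link-layer CRC is not a substitute.  The CRC only protects one hop; the UDP checksum is end-to-end and also binds the source and destination addresses, so a datagram corrupted inside a router or delivered to the wrong address fails the check.  The receiver here also treats a zero checksum field ("checksum disabled") as a rejection, which is the policy §2.2 implies.  Addresses and the DNS query payload are constructed sample values.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (odd trailing byte zero-padded), folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: bytes, dst_ip: bytes, udp_len: int) -> bytes:
    """IPv4 pseudo-header from RFC 768: addresses, zero byte, protocol 17, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 17, udp_len)


def udp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum the sender must place in the UDP header (field zeroed during the sum).
    A computed value of 0 is transmitted as 0xFFFF, because 0 on the wire means 'no checksum'."""
    zeroed = segment[:6] + b"\x00\x00" + segment[8:]
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    return csum or 0xFFFF


def build_udp(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a UDP segment with a correct checksum (the sender-side obligation of §2.2)."""
    segment = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return segment[:6] + struct.pack("!H", udp_checksum(src_ip, dst_ip, segment)) + segment[8:]


def verify_udp(src_ip: bytes, dst_ip: bytes, segment: bytes, require_checksum: bool = True):
    """Receiver-side check (§2.2).  Returns (accepted, reason).  With require_checksum=True a
    datagram whose checksum field is zero ('checksum disabled' by the sender) is rejected."""
    if len(segment) < 8 or struct.unpack("!H", segment[4:6])[0] != len(segment):
        return False, "bad length"
    if struct.unpack("!H", segment[6:8])[0] == 0:
        return (not require_checksum), "no checksum"
    # Summing the whole segment, transmitted checksum included, must give 0xFFFF.
    ok = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF
    return ok, ("ok" if ok else "checksum mismatch")


def dns_query(txid: int, name: str) -> bytes:
    """Minimal DNS question (constructed sample payload): header + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


# Constructed sample addresses from the documentation ranges; not taken from the RFC.
CLIENT_IP = bytes([192, 0, 2, 10])
SERVER_IP = bytes([198, 51, 100, 53])


def demo():
    """Exercise the four cases a verifying receiver has to distinguish."""
    good = build_udp(CLIENT_IP, SERVER_IP, 40000, 53, dns_query(0x1234, "example.com"))
    flipped = good[:20] + bytes([good[20] ^ 0x01]) + good[21:]   # one bit of the payload changed
    disabled = good[:6] + b"\x00\x00" + good[8:]                  # sender turned checksums off
    return {
        "intact": verify_udp(CLIENT_IP, SERVER_IP, good),
        "corrupted": verify_udp(CLIENT_IP, SERVER_IP, flipped),
        # Same bytes delivered to a different address: the pseudo-header makes this fail too.
        "misdelivered": verify_udp(CLIENT_IP, bytes([198, 51, 100, 54]), good),
        "disabled": verify_udp(CLIENT_IP, SERVER_IP, disabled),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {result}")
```

A single-bit error always changes a one's-complement sum, so the "corrupted" case is rejected regardless of which bit flips; the "misdelivered" case shows that the address binding in the pseudo-header is what a frame CRC can never provide.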
2.3. Dedicated host.  A name server host should have no other
function, and no login accounts other than for system or network
administrators.  No other network protocols should be served by a
name server host (e.g., SMTP, NNTP, FTP, et al).  If login is
permitted from other than the system console, then the login service
must be by encrypted channel (e.g., Kerberized and encrypted
rlogin/telnet, the secure shell (SSH), or an equivalent).

     Rationale: Each additional service performed by a host makes it
                less reliable and potentially less secure, as well as
                complicating fault isolation procedures.  While name
                service does not consume very much in the way of system
                resources, it is thought best that a host do a few
                things well rather than many things poorly.

2.4. Clock synchronization.  A name server host should synchronize
its clock using the NTP protocol (current version) with
authentication.  At least two NTP servers should be used.  As an
exception to section 2.3 above, a name server host can be an NTP
server as well.

     Rationale: For distributed fault isolation reasons, synchronized
                time stamps in system event logs are quite helpful.
                NTP is easily spoofed by UDP blast attacks, thus the
                requirement for authentication between the name server
                host and its NTP servers.  A name server host is
                allowed to be an NTP server because it has been
                observed that a single host running both name service
                and stratum 1 NTP is still quite reliable and secure.

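The following is an added audit example covering both §2.3 and §2.4; it is not part of RFC 2010 and not any vendor's tool.  It parses the output of `ss -Hltun` (one listening socket per line) against an allowlist of the only services the two sections leave open on the host, and it checks an ntpd-style ntp.conf for at least two time sources, each with a `key` option whose id appears in `trustedkey`, plus a declared `keys` file.  The allowlist (DNS on 53/udp and 53/tcp, SSH on 22/tcp as the encrypted login channel, NTP on 123/udp) is an assumption; the `ss` lines and both ntp.conf fragments are constructed samples.

```python
import re

# Allowlist assumed for a host that does only what §2.3/§2.4 permit (an assumption, not from
# the RFC): DNS over UDP and TCP, an encrypted login service (SSH), and NTP because the host
# is allowed to serve time as well.
ALLOWED_LISTENERS = {("udp", 53), ("tcp", 53), ("tcp", 22), ("udp", 123)}


def audit_listeners(ss_output: str, allowed=ALLOWED_LISTENERS):
    """Parse `ss -Hltun`-style lines (Netid State Recv-Q Send-Q Local:Port Peer:Port ...) and
    return (proto, port, local_addr) for every listening socket outside the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")       # also handles "[::]:21"
        if port.isdigit() and (proto, int(port)) not in allowed:
            findings.append((proto, int(port), addr))
    return findings


def audit_ntp_conf(text: str):
    """Check an ntpd-style ntp.conf against §2.4: at least two time sources, each carrying a
    'key' option, that key id listed in 'trustedkey', and a 'keys' file declared.
    Key ranges in trustedkey are not parsed; list the ids individually."""
    findings, sources, trusted, keys_file = [], [], set(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] in ("server", "peer") and len(words) > 1:
            m = re.search(r"\bkey\s+(\d+)", line)
            sources.append((words[1], int(m.group(1)) if m else None))
        elif words[0] == "keys" and len(words) > 1:
            keys_file = words[1]
        elif words[0] == "trustedkey":
            trusted.update(int(w) for w in words[1:] if w.isdigit())
    if len(sources) < 2:
        findings.append(f"only {len(sources)} time source(s) configured; at least two required")
    for host, keyid in sources:
        if keyid is None:
            findings.append(f"source {host} has no 'key' option (unauthenticated)")
        elif keyid not in trusted:
            findings.append(f"source {host} uses key {keyid}, which is not in 'trustedkey'")
    if sources and keys_file is None:
        findings.append("no 'keys' file declared, so no source can be authenticated")
    return findings


# Constructed sample output of `ss -Hltun` on a host that also runs SMTP and FTP.
SS_SAMPLE = """\
udp   UNCONN 0 0   198.51.100.53:53  0.0.0.0:*
tcp   LISTEN 0 10  198.51.100.53:53  0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0 100 0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0 128 [::]:21           [::]:*
"""

# Constructed ntp.conf fragments: one with an unauthenticated source, one meeting §2.4.
NTP_WEAK = """\
driftfile /var/lib/ntp/drift
server 192.0.2.1
server 192.0.2.2 key 1
keys /etc/ntp/ntp.keys
trustedkey 1
"""

NTP_FIXED = """\
driftfile /var/lib/ntp/drift
keys /etc/ntp/ntp.keys
trustedkey 1 2
server 192.0.2.1 key 1 iburst
server 192.0.2.2 key 2 iburst
"""

if __name__ == "__main__":
    print("unexpected listeners:", audit_listeners(SS_SAMPLE))
    print("weak ntp.conf:", audit_ntp_conf(NTP_WEAK))
    print("fixed ntp.conf:", audit_ntp_conf(NTP_FIXED))
```

On the sample, the listener audit reports SMTP and FTP, and the weak configuration is flagged only for the unauthenticated first source; once every source carries a trusted key and the key file is declared, the check passes.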
2.5. Network interfaces. Name servers must send UDP responses with
an IP source address (and UDP source port number) equal to the IP
destination address (and UDP destination port number) of the request.
Also, a name server might have multiple real interfaces, but only one
will be advertised in the zone's NS RRset and associated glue A RRs.
The advertised address should be that of the "best" interface on the
host, in terms of network performance and reliability to the largest
number of destinations.
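The following is an added example, not part of RFC 2010, of checking the first requirement of §2.5 from a packet capture: a reply must leave from the address and port the query was sent to.  A resolver matches replies on the full five-tuple and silently discards anything else, so a multi-homed server answering from its other interface shows up only as timeouts.  The checker below deliberately pairs queries and replies on the client side plus transaction id alone, so the misaddressed replies are caught and reported.  The `Dgram` record type and the sample exchange (198.51.100.53 as the advertised address, 203.0.113.7 as an unadvertised second interface) are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dgram:
    """One UDP datagram carrying DNS, reduced to the fields the check needs (constructed record)."""
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    is_response: bool


def expected_reply_endpoints(query: Dgram):
    """§2.5: the reply's source address/port must equal the query's destination, and vice versa."""
    return (query.dst, query.dport, query.src, query.sport)


def find_source_mismatches(dgrams):
    """Pair each response with the query it answers and report responses whose source
    address or port differs from where the query was sent.  Queries are keyed on the client
    side plus transaction id only, so a reply from the 'wrong' interface is still paired here
    even though a real resolver would drop it."""
    pending, findings = {}, []
    for d in dgrams:
        if not d.is_response:
            pending[(d.src, d.sport, d.txid)] = d
            continue
        query = pending.pop((d.dst, d.dport, d.txid), None)
        if query is None:
            findings.append((d, "no matching query"))
        elif (d.src, d.sport, d.dst, d.dport) != expected_reply_endpoints(query):
            findings.append((d, f"answered from {d.src}:{d.sport}, query went to {query.dst}:{query.dport}"))
    return findings


# Constructed exchange using documentation addresses; 198.51.100.53 is the advertised address,
# 203.0.113.7 a second, unadvertised interface on the same host.
SAMPLE = [
    Dgram("192.0.2.10", 40000, "198.51.100.53", 53, 0x1001, False),
    Dgram("198.51.100.53", 53, "192.0.2.10", 40000, 0x1001, True),   # correct
    Dgram("192.0.2.10", 40001, "198.51.100.53", 53, 0x1002, False),
    Dgram("203.0.113.7", 53, "192.0.2.10", 40001, 0x1002, True),     # wrong interface
    Dgram("192.0.2.11", 5353, "198.51.100.53", 53, 0x1003, False),
    Dgram("198.51.100.53", 1053, "192.0.2.11", 5353, 0x1003, True),  # wrong source port
]

if __name__ == "__main__":
    for d, why in find_source_mismatches(SAMPLE):
        print(f"txid {d.txid:#06x}: {why}")
```

The usual cause of the first mismatch is a server bound to the wildcard address on a multi-homed host, where the kernel picks the outgoing interface by route rather than by the address the query arrived on; binding one socket per advertised address avoids it.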
Manning & Vixie Informational