We’ve run several DNS zones for Kolab Now using an in-house hidden nameserver topology. In order to protect the keys used to sign the DNSSEC zones, both the hidden topology and keeping as much of it in-house as possible have been absolute musts.
More recently, we received a certain type of threat, which caused us to evaluate the exposure of our attack surface to the vectors such an attack could attempt to exploit.
At such times an awful lot is uncertain. Of the mitigation strategies available ahead of time, a good number can only be properly evaluated, let alone applied, once the attack is underway: depending on how thorough the attacker’s reconnaissance has been, a given mitigation may be neutralised, or may be very effective, or anything in between.
Long story short, you start scouting the web for DNS providers that offer “secondary DNS server services”, and you discard those that require the DNSSEC keys used to sign the zones in question to live on their servers. The keys stay on your own hidden primary; the provider only ever receives and serves the already-signed zone.
Furthermore, you will want to be able to send NOTIFY messages to your (external, third-party) slave DNS servers (which, from the view of the Internet, are the designated authoritative DNS servers). Without NOTIFY, a secondary only learns of a change when its SOA refresh timer fires, so zone transfers (IXFR) lag behind every edit; with it, the transfer starts immediately, and you avoid clicking through a web interface once per zone for however many zones you have.
After those first few considerations, you’ll want a provider that resides outside of the U.S., that is able to service DNS queries from many more countries than just your own, and that has IPv6 nameservers (more on that later).
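As an added illustration of the hidden-primary arrangement described above (this is example configuration written for this page, not Kolab Now’s or rcode0’s actual setup), here is a BIND 9 named.conf fragment for a hidden signing primary that keeps the DNSSEC private keys on-box, sends NOTIFY only to the third-party secondaries, and allows zone transfers only to a TSIG-authenticated requester. The zone name, TSIG secret and the two secondary addresses (taken from the RFC 5737 / RFC 3849 documentation ranges) are placeholders you would replace with the provider’s real transfer addresses.

```conf
// Hidden signing primary for one zone (BIND 9.16+ syntax; on older releases
// read "primary" as "master"). Added example configuration, not the page
// author's or any provider's real config. All names, addresses and the
// secret below are placeholders.

// TSIG key shared with the third-party secondaries. Generate a real secret with:
//   tsig-keygen rcode0-xfer
key "rcode0-xfer" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";
};

options {
    directory "/var/named";

    // This host is authoritative-only and should not be reachable as a resolver.
    recursion no;

    // "explicit" means NOTIFY goes only to each zone's also-notify list, not to
    // the servers named in the NS RRset. The hidden primary is not an NS, so
    // nobody on the Internet is told it exists.
    notify explicit;

    // Default-deny transfers; each zone opens them up explicitly.
    // Weak setting to avoid:  allow-transfer { any; };  which lets anyone pull
    // the full zone and learn every hostname you have.
    allow-transfer { none; };
};

zone "example.com" {
    type primary;
    file "example.com.zone";      // unsigned zone, maintained here

    // Sign on this host only: the private keys never leave it. The secondaries
    // receive and serve the signed zone verbatim and need no key material.
    dnssec-policy "default";
    inline-signing yes;

    // The provider's secondaries (placeholder IPv4 and IPv6 addresses). A
    // change here triggers an immediate NOTIFY, so the secondaries IXFR right
    // away instead of waiting for the SOA refresh interval.
    also-notify { 192.0.2.10; 2001:db8::10; };

    // Only requests signed with the shared TSIG key may AXFR/IXFR the zone.
    allow-transfer { key "rcode0-xfer"; };
};
```

Two checks worth doing after loading this: run `named-checkconf` to validate the syntax, then compare `dig @192.0.2.10 example.com SOA +short` against the serial on the hidden primary after an edit to confirm the NOTIFY and transfer actually went through (`rndc notify example.com` re-sends the NOTIFY on demand). Also make sure the hidden primary’s address appears neither in the zone’s NS RRset nor in the delegation at the parent, and firewall TCP/UDP 53 on it so that only the provider’s transfer addresses can reach it; otherwise the topology is not hidden at all.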
In comes rcode0, the best of the bunch. Having scoured the Internet for possible and likely candidates, I found that rcode0 provides the best of the best (albeit with room for improvement) of what is currently out there on offer. I’m very happy to have found them, and very happy to continue to use their very affordable and (in my not so humble opinion) very superior services.
FULL DISCLOSURE: There’s NO monetary incentive — no discount, no reimbursement, no whathaveyou — for me to plug them the way that I just did, none whatsoever.