[dns-operations] good one was Re: DNSSEC impact ...
David Conrad
drc at virtualized.org
Wed May 28 23:50:36 UTC 2008
Mark,
This is a fairly pointless course of discussion. You are way beyond 3
standard deviations from the mean in terms of ability to even
understand what the problem is. I'd estimate somewhere close to 99%
of folks on the Internet have no idea even what the DNS _is_, much
less how to debug a DNS delegation, much less why DNSSEC validation
failed.
A typical end user will get a web page that gives them a bunch of
options they almost certainly won't read or they'll get an
indecipherable (to them) e-mail bounce notification or their IM client
will complain in gibberish (to them). All they will know is that they
can't get their pr0n from the intertubes when they were able to get to
it yesterday and they "didn't change anything, dammit i hate these
stupid computers!".
Their reaction will be to call "technical support", be it their ISP
call center, their son, grandson, geeky friend, etc. The folks
receiving those calls might tolerate them for a while, explaining in
patient detail what possibly could have gone wrong, exploring a few
options to fix it, but in the end, they'll tell their client /
parent / grandparent / friend "turn the damn thing off" to protect
their own bottom line / sanity.
I suspect folks at ISP help desks would have trouble debugging even a
DNS delegation mistake. Suggesting folks use "dig" and "date" to
figure out why they can't get to www.people.com is just being silly
(does MS Windows even have dig?).
Regards,
-drc
On May 28, 2008, at 4:01 PM, Mark Andrews wrote:
>> At 6:47 -0700 5/28/08, Wes Hardaker wrote:
>>> On Wed, 28 May 2008 09:03:53 +1000, Mark Andrews <Mark_Andrews at isc.org> said:
>>>
>>> MA> So far I've been able to pin point 100% of DNSSEC operational
>>> MA> failures with "DiG" and "date".
>>>
>>> But can your grandmother?
>
> My grandmothers are both deceased so, no, I don't think they can.
>
> I believe I could teach my mother to and she is 70+.
>
>> I was going to remark with the more droll "Mark you use three tools,
>> dig, date and a brain that understands DNSSEC."
>
> What you need to know to debug configurations is significantly
> less than what you need to know to build a validator.
>
> To debug a configuration you assume the crypto part always
> succeeds. What's left is just time stamps and finding
> matches between small numbers. You just need a few simple
> rules.
>
> DNSSEC configuration checking is simpler than checking a
> plain DNS delegation.
>
>> But Wes' answer is better. A "good one" to (West) Wes.
>>
>> Let's not forget the value of being a really knowledgeable person
>> when it comes to figuring out what is needed to operate something.
>> (Or having access to robust hardware/software.)
>>
>> This is not unique to DNSSEC.
>> --
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>> Edward Lewis
>> +1-571-434-5468
>> NeuStar
>>
>> Never confuse activity with progress. Activity pays more.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
>
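The "few simple rules" Mark describes in the quoted reply (assume the crypto succeeds, then check time stamps and matching small numbers) can be written down as a short offline checker. The script below is an added example written for this page; it is not code from the thread, from ISC or from BIND. The records in it are constructed (the DNSKEY blobs are a few bytes long so the key tags can be checked by hand, and example.com is a placeholder zone); in practice the input is what `dig +dnssec DNSKEY <zone>` returns from the child and `dig +dnssec DS <zone>` from the parent, and `now` is what `date` says on the validating resolver.

```python
"""Offline DNSSEC delegation checks in the spirit of "dig" and "date".

Added example, not from the mailing-list thread. Three rules only:
  1. every DS at the parent names a DNSKEY present at the child apex,
  2. every RRSIG names a DNSKEY of its signer,
  3. the resolver clock falls inside each RRSIG's validity window.
Signature and digest verification are assumed to succeed, as in the thread.
"""
import base64
import struct
from datetime import datetime, timezone

# Constructed sample answers (not real keys; the base64 blobs are tiny so
# the key tags 1545 and 1546 can be recomputed by hand).  Real input is the
# answer section of `dig +dnssec DNSKEY example.com` at the child and
# `dig +dnssec DS example.com` at the parent.
CHILD_ANSWERS = """\
example.com. 3600 IN DNSKEY 257 3 8 AQAB
example.com. 3600 IN DNSKEY 256 3 8 AQABAg==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20080601000000 20080501000000 1545 example.com. c2ln
example.com. 3600 IN RRSIG A 8 2 3600 20080601000000 20080501000000 1546 example.com. c2ln
"""
PARENT_DS = "example.com. 3600 IN DS 1545 8 2 0000"


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    if algorithm == 1:
        # RSA/MD5 derives the tag from the modulus instead (RFC 4034 B.1); not handled here.
        raise NotImplementedError("algorithm 1 key tag not implemented")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _ts(s):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_records(text):
    """Parse dig presentation-format DNSKEY, DS and RRSIG lines into dicts."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        owner, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            key = base64.b64decode("".join(rdata[3:]))
            records.append({"type": rtype, "owner": owner, "flags": flags,
                            "alg": alg, "tag": key_tag(flags, proto, alg, key)})
        elif rtype == "DS":
            records.append({"type": rtype, "owner": owner,
                            "tag": int(rdata[0]), "alg": int(rdata[1])})
        elif rtype == "RRSIG":
            # covered type, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
            records.append({"type": rtype, "owner": owner, "covers": rdata[0],
                            "alg": int(rdata[1]), "expiration": _ts(rdata[4]),
                            "inception": _ts(rdata[5]), "tag": int(rdata[6]),
                            "signer": rdata[7].lower()})
    return records


def check_config(child_text, parent_text, now):
    """Return a list of problems; an empty list means the chain lines up."""
    problems = []
    child = parse_records(child_text)
    dnskeys = {(r["tag"], r["alg"], r["owner"]) for r in child if r["type"] == "DNSKEY"}

    # Rule 1: the DS key tag / algorithm must match a DNSKEY at the child apex.
    for ds in (r for r in parse_records(parent_text) if r["type"] == "DS"):
        if (ds["tag"], ds["alg"], ds["owner"]) not in dnskeys:
            problems.append(f"DS {ds['tag']}/{ds['alg']} at parent matches no DNSKEY at "
                            f"{ds['owner']} (stale DS after a key rollover?)")

    # Rules 2 and 3: RRSIG key tag must match a signer DNSKEY; `now` must be in window.
    for sig in (r for r in child if r["type"] == "RRSIG"):
        ident = f"RRSIG({sig['covers']}) tag {sig['tag']}"
        if (sig["tag"], sig["alg"], sig["signer"]) not in dnskeys:
            problems.append(f"{ident}: no DNSKEY with that tag/algorithm at {sig['signer']} "
                            "(signed with a key that was removed?)")
        if now < sig["inception"]:
            problems.append(f"{ident}: not yet valid (inception "
                            f"{sig['inception']:%Y-%m-%d %H:%M:%S} UTC); check the clock")
        elif now > sig["expiration"]:
            problems.append(f"{ident}: expired (expiration "
                            f"{sig['expiration']:%Y-%m-%d %H:%M:%S} UTC); re-sign or check the clock")
    return problems


if __name__ == "__main__":
    now = datetime.now(timezone.utc)  # what `date -u` would print on the resolver
    for p in check_config(CHILD_ANSWERS, PARENT_DS, now) or ["chain lines up"]:
        print(p)
```

The interesting runs are the failing ones: a DS whose key tag matches no child DNSKEY (the usual post-rollover mistake), and a resolver whose clock sits outside the RRSIG window, which shows up as "expired" or "not yet valid" without any crypto being involved.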