[dns-operations] good one was Re: DNSSEC impact ...
drc at virtualized.org
Wed May 28 23:50:36 UTC 2008
This is a fairly pointless course of discussion. You are way beyond 3
standard deviations from the mean in terms of ability to even
understand what the problem is. I'd estimate somewhere close to 99%
of folks on the Internet have no idea even what the DNS _is_, much
less how to debug a DNS delegation, much less why DNSSEC validation
A typical end user will get a web page that gives them a bunch of
options they almost certainly won't read or they'll get an
indecipherable (to them) e-mail bounce notification or their IM client
will complain in gibberish (to them). All they will know is that they
can't get their pr0n from the intertubes when they were able to get to
it yesterday and they "didn't change anything, dammit i hate these
Their reaction will be to call "technical support", be it their ISP
call center, their son, grandson, geeky friend, etc. The folks
receiving those calls might tolerate them for a while, explaining in
patient detail what possibly could have gone wrong, exploring a few
options to fix it, but in the end, they'll tell their client /
parent / grandparent / friend "turn the damn thing off" to protect
their own bottom line / sanity.
I suspect folks at ISP help desks would have trouble debugging even a
DNS delegation mistake. Suggesting folks use "dig" and "date" to
figure out why they can't get to www.people.com is just being silly
(does MS Windows even have dig?).
On May 28, 2008, at 4:01 PM, Mark Andrews wrote:
>> At 6:47 -0700 5/28/08, Wes Hardaker wrote:
>>> On Wed, 28 May 2008 09:03:53 +1000, Mark Andrews <Mark_Andrews at isc.org
>>> > sa
>>> MA> So far I've been able to pin point 100% of DNSSEC operational
>>> MA> failures with "DiG" and "date".
>>> But can your grandmother?
> My grandmothers are both deceased so, no, I don't think they can.
> I believe I could teach my mother to and she is 70+.
>> I was going to remark with the more droll "Mark you use three tools,
>> dig, date and a brain that understands DNSSEC."
> What you need to know debug configurations is significantly
> less that what you need to know to build a validator.
> To debug a configuration you assume the crypto part always
> succeeds. What's left is just time stamps and finding
> matches between small numbers. You just need a few simple
> DNSSEC configuration checking is simpler than checking a
> plain DNS delegation.
>> But Wes' answer is better. A "good one" to (West) Wes.
>> Let's not forget the value of being a really knowledgeable person
>> when it comes to figuring out what is needed to operate something.
>> (Or having access to robust hardware/software.)
>> This is not unique to DNSSEC.
>> Edward Lewis
>> Never confuse activity with progress. Activity pays more.
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
> dns-operations mailing list
> dns-operations at lists.oarci.net
More information about the dns-operations