[dns-operations] good one was Re: DNSSEC impact ...

Mark Andrews Mark_Andrews at isc.org
Thu May 29 01:01:12 UTC 2008


> Mark,
> 
> This is a fairly pointless course of discussion.  You are way beyond 3  
> standard deviations from the mean in terms of ability to even  
> understand what the problem is.  I'd estimate somewhere close to 99%  
> of folks on the Internet have no idea even what the DNS _is_, much  
> less how to debug a DNS delegation, much less why DNSSEC validation  
> failed.
> 
> A typical end user will get a web page that gives them a bunch of  
> options they almost certainly won't read or they'll get an  
> indecipherable (to them) e-mail bounce notification or their IM client  
> will complain in gibberish (to them). All they will know is that they  
> can't get their pr0n from the intertubes when they were able to get to  
> it yesterday and they "didn't change anything, dammit i hate these  
> stupid computers!".
> 
> Their reaction will be to call "technical support", be it their ISP  
> call center, their son, grandson, geeky friend, etc.  The folks  
> receiving those calls might tolerate them for a while, explaining in  
> patient detail what possibly could have gone wrong, exploring a few  
> options to fix it, but in the end, they'll tell their client /  
> parent / grandparent / friend "turn the damn thing off" to protect  
> their own bottom line / sanity.
> 
> I suspect folks at ISP help desks would have trouble debugging even a  
> DNS delegation mistake.  Suggesting folks use "dig" and "date" to  
> figure out why they can't get to www.people.com is just being silly  
> (does MS Windows even have dig?).

	No, I'm suggesting that ISPs or anyone else who normally
	debugs DNS issues don't need new tools to debug DNSSEC.
	They already have the basic tools they need.

	The original claim was that new tools were needed which I
	disputed.  One can have fancier tools but they are unlikely
	to find things the simpler tools don't.

	Now you can wrap those tools up in a fancy web page if you
	want.  That's all the existing delegation checking web pages
	do.  I also suspect delegation checking web pages will grow
	DNSSEC checks as time goes by.  Some probably already do.

	e.g.
		DS vs DNSKEY
			IDs and algorithms are initially enough,
			though full hashes would be better.
		Valid signature times.

	Mark

> Regards,
> -drc

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
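The two checks listed in the reply above (DS against DNSKEY by key ID and algorithm first, then the full hash, and RRSIG validity times), as an added Python example that is not code from the thread or from ISC. The DNSKEY bytes and the zone name are constructed samples, the key tag and DS digest follow RFC 4034 Appendix B and RFC 4509 (SHA-256 DS only), and the clock is passed in explicitly so the check is reproducible.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample (illustration only): DNSKEY RDATA with flags=257 (KSK),
# protocol=3, algorithm=8 (RSASHA256) and a made-up, non-functional key blob.
SAMPLE_DNSKEY = bytes([0x01, 0x01, 0x03, 0x08, 0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])
SAMPLE_OWNER = "example."  # hypothetical zone name
TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG inception/expiration presentation format

def name_to_wire(name):
    """Canonical lowercase wire form of an owner name (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, rdata):
    """(key_tag, algorithm, digest_type, digest) the parent DS should carry; SHA-256, type 2."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest

def check_ds(owner, rdata, ds):
    """Cheap ID/algorithm checks first, then the full digest; empty list means the DS matches."""
    tag, alg, dtype, digest = make_ds(owner, rdata)
    findings = []
    if ds[0] != tag:
        findings.append("key tag mismatch: DS %d vs DNSKEY %d" % (ds[0], tag))
    if ds[1] != alg:
        findings.append("algorithm mismatch: DS %d vs DNSKEY %d" % (ds[1], alg))
    if (ds[2], ds[3].lower()) != (dtype, digest):
        findings.append("digest mismatch: DS does not hash this DNSKEY (SHA-256 checked only)")
    return findings

def rrsig_window(inception, expiration, now=None):
    """Classify an RRSIG's validity window; all times are YYYYMMDDHHMMSS in UTC."""
    now = now or datetime.now(timezone.utc).strftime(TIME_FMT)
    start, end, at = (datetime.strptime(t, TIME_FMT) for t in (inception, expiration, now))
    if at < start:
        return "not yet valid (check the resolver's clock)"
    if at > end:
        return "expired (zone was not re-signed in time)"
    return "valid"
```

Feed it the DNSKEY RDATA and DS fields as returned by dig, and the RRSIG times together with the output of date, to reproduce the checks with no tooling beyond what the reply describes.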


