[dns-operations] good one was Re: DNSSEC impact ...

Wes Hardaker wjhns1 at hardakers.net
Thu May 29 14:08:48 UTC 2008

>>>>> On Wed, 28 May 2008 19:38:41 -0400, Edward Lewis <Ed.Lewis at neustar.biz> said:

EL> We aren't comparing the knowledge needed to debug DNSSEC with the 
EL> knowledge needed to build a validator.  We are comparing the 
EL> knowledge needed to debug DNSSEC with the knowledge needed to, um, 
EL> brush one's teeth.

More importantly, without user-level messages that indicate the source
of the problem the only information a teeth-brusher can offer their poor
tech-supporting relative is

   "my internet doesn't work".

And invariably the answer to what's wrong will be

   "it says it can't connect; something about domain name not found".

At that point the tech support guy has a multitude of potential problems
to chase down.  He wouldn't know if it's a network problem, a resolver
problem, an application problem, a DNSSEC problem, a ....

Imagine, though, if you got a report saying "my internet is broken; it
says that DNS validation failed for 'www.hax0r.com'".  You have just
removed 95% of the things to debug over that 4kHz bandwidth inefficient
analog to digital converter we call "the human at the other end of the

What I've always said we need is user-friendly errors with
system-administrator friendly help.  I now present to you the error
messages that applications should be displaying for their end-users:

|                                                                         |
| I'm sorry, we've encountered an error.                                  |
|                                                                         |
|     Your error:             The Internet Is Broken.  Sorry about that.  |
|                                                                         |
|     When your nephew asks:  DNSSEC validation failed for www.hax0r.com  |

"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett
