[dns-operations] Unplanned DLV zone outage on 2009-Apr-06
David Conrad
drc at virtualized.org
Tue Apr 7 08:04:48 UTC 2009
On Apr 6, 2009, at 8:48 PM, Paul Vixie wrote:
> so DLV is a bet that people really do want DNSSEC and that the root really
> will not be signed in production fast enough to address that need.
FWIW, I now expect the root to be signed before the end of the year
but given the ITAR, I'm not sure how much that actually matters. TLDs
and their children are, of course, another issue.
> but i don't think we can "fix IANA" (if by that you mean sign the root and a
> bunch of TLDs) fast enough to meet the world's appetite for DNSSEC.
My guess is that a few more instances of high level signing and/or key
management failures that result in large chunks of the Internet going
dark will have the same effect on the world's appetite for DNSSEC that
Syrup of Ipecac would have. Human (or at least network operator)
nature being what it is, the benefit DNSSEC might bring will be
completely overwhelmed by the cost of a few customer support calls.
Note that this isn't a slam against ISC, rather it is a natural
outcome of the stage of DNSSEC deployment and the limited benefit
DNSSEC provides to the end user given the current deployment model.
> DLV has no such strings.
Heh. I suspect it safe to say that political strings will attach
themselves if DLV gets any real traction.
> but it sounds like you don't have any specific gripes against ISC's key
> management policies (as in, who we trust and why, and what an appearance
> of a DLV RR in the DLV registry means.)
> barring such specifics, let's move on.
I personally don't have any specific gripes about ISC's key management
policies because I don't know what they are. I obviously know what
IANA's are and know where the holes and weaknesses are and the steps
IANA staff takes to try to address them. Equally obviously, I can't
say the same about DLV. I know what's in the IANA ITAR and can (if I
cared) verify the entire contents by hand. No idea what is in the DLV
or who put it there. With IANA's ITAR, I know the parties that I have
to trust (IANA staff, GoDaddy for the EV Cert on the web page, and the
contacts for the TLDs as specified in the IANA whois database). I
don't know who I'd have to trust for DLV.
But that's not why I think DLV is a stunningly bad idea.
DLV is a stunningly bad idea because it implies that I, as a caching
server operator, would need to share fate with ISC's DLV
infrastructure from policies to processes to software to hardware over
all of which I'd have no control and I'd have to share that fate _in
real-time_. You guys screw up, I lose instantly. As empirically
demonstrated recently, this is a bit risky. One could argue that I'm
already screwed since I share fate with the root servers in a similar
way, but as you yourself so frequently point out, the root servers are
independently run and there are a bunch of them with their own
policies and processes whereas DLV is run by ISC only.
But those concerns are probably just me being paranoid...
Regards,
-drc