[dns-operations] No public calendar for the root signing deployment

Phil Regnauld regnauld at nsrc.org
Fri Dec 11 08:02:51 UTC 2009


Stephane Bortzmeyer (bortzmeyer) writes:
> 
> But, again, my experience matches the one of Gaurab Raj Upadhaya, the
> most important problem is with *configuration*, not with
> software. There are not many full-fledged resolvers behind the small
> hardwired CPEs. But there are many resolvers (and users) behind
> misconfigured firewalls. So we need to reach the firewall managers,
> not only the vendors.

I agree with Gaurab and Stéphane.  Remember that many
of us here have both hats (network adm. and DNS operators) on,
and maybe tend to forget that a lot of firewall/network admins
follow vendor rules by the book or don't understand the protocols.

I'm still struggling with customers that filter UDP/53 from the
hidden SOA to the slaves, because they don't know about
notify.

If the goal is to make the transition less painful for everyone
(users, helpdesks getting calls, network admins being called in
late because "the nOtwork is broken again"), then it might pay
off to sensitize the men in the middle.  Bonus points: they learn
about this thing called DNSSEC, and while they may not care or
understand the details, they know they need to prepare for it
in good time, talk to their vendors and ask for updates (just
like for any application deployment request within the organisation).

As Randy Bush puts it "We just build the highway, we don't fix
your car", but it sure looks stupid when they get to the bridge
and it's too small for their SUV ;)

Phil


