[dns-operations] Key management and computer "mere mortals" (was: .Org DNSSEC key management policy feedback)

Andrew Sullivan ajs at shinkuro.com
Wed Jun 24 12:40:00 UTC 2009

On Tue, Jun 23, 2009 at 07:38:21PM -1000, David Conrad wrote:

> Then, depending on your definition of "manage", I suspect DNSSEC is  
> doomed and we should probably just give up and go home now. If your  
> model of operation is one in which people are constantly fiddling with  
> the validating server configuration and tolerating booboos that cause  
> validation to fail for arcane reasons, then you are assuming an  
> operational world that I am unfamiliar with.

As anyone can probably infer from my previous remarks, I agree
completely with David on this.  If we cannot come up with a model in
which DNSSEC is largely "set and forget" for the vast majority of
installations, then we have no hope of achieving widespread deployment
even at small and medium-sized ISPs, never mind the lofty goal of
pushing validation to the end nodes.  

Most system administrators are already stretched too thin anyway.
Asking them to deploy something that provides a mostly-invisible
benefit, that requires constant attention, but that has disastrous,
get-you-fired failure modes is not a request that will be granted.

I cannot believe, however, that a group of people as smart and
knowledgeable as those I know to be working on this problem will be
unable to come up with a solution to it.  There are, in fact, already
some very fetching proposals available, and I think we can build on
those to make DNSSEC safe for mere mortals.  But we first have to
commit to that operational goal.

Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
