[dns-operations] thoughts on DNSSEC

Andrew Sullivan ajs at anvilwalrusden.com
Thu Jul 19 16:27:42 UTC 2012

On Thu, Jul 19, 2012 at 12:03:22PM -0400, James M Galvin wrote:

> For the remaining 20% I'll assert that they are technically
> competent, which means if they have fat finger issues, well, we've
> all had those problems.  You get what you deserve and pay for.  What
> I mean is, these folks will either be doing their DNS themselves,
> because they can, or they will be using a third-party service
> provider.  In either case, with any luck they will be using a
> registrar with a higher level of service because they understand the
> risks and don't want the service interruption.  If they're not then
> they'll have a "mistake" and they'll change registrars because they
> will learn from their "mistake".
> In other words, the probability of a problem for the 20% is much
> lower than the probability of a problem for the 80%.  And it is the
> problems in the 20% that will be most visible.

On the basis of the experience I have with Dyn, I think the above is a
little too glib.

First, Dyn's enterprisey customers are indeed mostly in that 20% group.
But they cannot stand _any_ downtime.  So it's critical to them that
Dyn ensure that can't happen.  Where Dyn is the registrar, that's
relatively easy.  But where Dyn is not, we have a bigger problem.
Other registrars are frequently not that co-operative with their

Many large companies have responsibility for the domain name
registration "ownership" in their legal departments, not their
technical ones.  For historical reasons, domain names are seen as
intellectual property, and therefore the legal department is in
charge.  The technical people with a clue don't have the ability to
insist that registrar changes happen for mere reasons of technical



Andrew Sullivan
ajs at anvilwalrusden.com
