[dns-operations] thoughts on DNSSEC

James M Galvin galvin at elistx.com
Thu Jul 19 17:43:17 UTC 2012



-- On July 19, 2012 12:27:42 PM -0400 Andrew Sullivan 
<ajs at anvilwalrusden.com> wrote regarding Re: [dns-operations] thoughts 
on DNSSEC --

> > In other words, the probability of a problem for the 20% is much
> > lower than the probability of a problem for the 80%.  And it is the
> > problems in the 20% that will be most visible.
>
> On the basis of the experience I have with Dyn, I think the above is a
> little too glib.
>
> First, Dyn's enterprisey customers are indeed mostly in that 20%
> group. But they cannot stand _any_ downtime.  So it's critical to
> them that Dyn ensure that can't happen.  Where Dyn is the registrar,
> that's relatively easy.  But where Dyn is not, we have a bigger
> problem. Other registrars are frequently not that co-operative with
> their competitors.

Yes but you're changing the point of view.

I'll agree that from the point of view of the service provider there 
should be a high degree of concern.  And in some cases, e.g., the one 
you describe, the service provider is at high risk because they don't 
control the complete set of circumstances.  It is for this reason I 
think that DNSSEC should change the business model and service and, to 
the extent that the risk in these types of scenarios decreases, we can 
claim that DNSSEC is effecting change. (This goes back to something I 
said in my original message that you did not excerpt.)

But from the point of view of the domain holder, if they are truly in 
the 20% and this matters, then they realize the high risk situation 
they are in and they'll do something about engaging with a registrar 
with a higher level of service (whether that's you or not).  If they 
don't realize the risk then you can do your best to educate them, as 
part of your sales process or account management.  If that doesn't work 
then they're only hurting themselves.  I'll concede that you may lose 
business if they make a mistake that "costs them" but these are the 
kinds of events that have to happen so we can raise broad awareness and 
the business model and service can change.

Nobody ever said capitalism was perfect or fair.


> Many large companies have responsibility for the domain name
> registration "ownership" in their legal departments, not their
> technical ones.  For historical reasons, domain names are seen as
> intellectual property, and therefore the legal department is in
> charge.  The technical people with a clue don't have the ability to
> insist that registrar changes happen for mere reasons of technical
> clue.

You're right.  I completely agree.  But this falls into the "mistake" 
category I've mentioned.  Organizations with this "problem" will 
eventually have a "mistake" from which they will learn the error of 
their ways.  As above, any given service provider may lose business, 
even if they tried to educate the customer, but these things have to 
happen in order to effect real change.


In the meantime, we the technical people should continue to find the 
best solution to the technical problem at hand - getting key 
information from the child zone to the parent zone.  Maybe we can 
fix the problem before too many more people have to "make the mistake" 
and "learn the lesson".

Jim



