[dns-operations] Documenting root slave operation Re: The (very) uneven distribution of DNS root servers on the Internet

Thu May 17 19:51:46 UTC 2012

On Thu, May 17, 2012 at 02:21:58PM -0400, Olafur Gudmundsson wrote:
> I think the point that PaulV has been making is lets document the
> best practices and learn from past mistakes and contain errors.

And the point that I (and, not to speak for him, I think Joe) was
making was that there are no best practices here that are in any way
better than "collaborate with someone who'll happily give you a root
feed given that they know about you".  The alternatives are all
degenerate from that.

> I can easily envision the document covering this case by saying:
> "if you provision a root zone copy in your organization all your
> resolvers SHOULD do DNSSEC validation"

And so there you are, DiscountISPCorp, and you're following the best
practices.  You will ensure such DNSSEC validation how, exactly?

You seem to be missing the point of what I was arguing (and what I
think Joe was arguing): a significant number of people who will claim
to take this advice will be so clueless as to be incapable of
following it.  The people who don't fall into that camp don't _need_
the advice, because they already know they need to check their logs
and so on.  They can already AXFR the root zone from the many places
where it's available.

If one publishes a BCP on this, then there will be a class of
organization in which clueless managers instruct hapless lackeys to
implement something because it is best.  The lackeys will immediately
say, "Yes sir/ma'am," go and turn it on, and do absolutely nothing
about monitoring and so on; and since the failure to do most of the
best practices will be invisible as long as everything is working, the
lackeys will have done their job.  They'll move on.  Months or years
later, there will be a problem and everyone will cast the blame in the
wrong place.  This will cause public consultations in which the "root
cause" will be identified as some perfectly reasonable change to the
root zone operational procedures, and there will be yet more totally
stupid pressure to change root zone operations in order to ensure that
someone's minister's brother isn't embarrassed.

My employer has a customer support department, and I look at this plan
and see my employer's money being flushed away for absolutely no
discernible benefit to the gross Internet population.  What is this
supposed to solve?  The dubious problems observed in the pingdom
blogpost?

It's not like we have no example of why this sort of one-way
distribution with no co-ordination causes problems: AS112 has the same
problem.  There have been suggestions of altering what AS112 serves,
and every time someone points out that it's hard because we don't know
whether everyone participating in AS112 actually follows all the
rules.  For AS112, this seems to me like a perfectly acceptable
answer.  For the root zone, it does not.

Best,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com