[dns-operations] Operations vs. the lab (Was: What would it take...)

Doug Barton dougb at dougbarton.us
Wed Mar 11 19:32:10 UTC 2015


On 3/11/15 11:45 AM, Edward Lewis wrote:
> To sum up something - one thing I learned during my stints in operations -
> many of the assumptions held by protocol engineers and architects about
> how a protocol is put to work are far from reality.  (Not that the
> engineers and architects are wrong in their approach but the assumptions
> are wrong.)  I don't mean that operators are using baling wire and duct
> tape to reap huge profits, but the approach to sound operational practices
> sometimes runs counter to what I learned to be sound in the lab.

Yes, I've been trying to make that same point for over 15 years now, and 
I keep getting "laughed off" too. :)

It's unfortunate that while on the one hand the IETF makes nice smoochy 
noises about wanting input from operators, on the other hand that input 
is usually ignored, or worse, the operators are told that they are 
wrong. My favorite example for DNSSEC was when I (and others of course) 
said way back in 2001 that it would never get off the ground without a 
way to prevent zone walking. We were routinely told that it was stupid 
to care about the contents of your zones, since that was all data that 
is published on the public Internet anyway.

My other personal favorite DNSSEC related example is during the big-bis 
roundup I (and again, others) said that we should eliminate SHA-1 from 
the spec and make SHA-256 the mandatory-to-implement algo, since even 
though the then-theoretical challenges to SHA-1 were not likely to 
impact DNSSEC any time soon, it would be better to future-proof the 
solution, and the code for SHA-256 already existed. We were told that 
this was silliness, that we had to stop re-writing at some point, and 
that getting the thing out the door was more important than getting it 
perfect. Of course, the root zone signing did the right thing and used 
SHA-256, which of course now means that this is effectively mandatory to 
implement, and SHA-1 is now mostly a footnote.

All this is a long way around to saying that I agree with you, it's 
often true that what we think will work when we're in the lab doesn't 
work when it gets to production, and that feedback should be heeded.

Doug

(And of course, the observant reader will note that a lot of what I say 
above contradicts my position on NTAs. Unfortunately it is sometimes 
true that what is expedient for operators really does cause more 
problems than it solves.)  :)
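The zone-walking point above, as an added example that is not part of the original post or anything from the list: the script below builds an NSEC chain for a made-up zone ("example.test.", with made-up names) and walks it the way an attacker would, following each record's "next" pointer until the chain returns to the apex, which enumerates every owner name. It then builds the NSEC3 equivalent (RFC 5155 hashing, SHA-1 over the wire-format name plus salt, iterated) for the same zone to show that the chain is still walkable but yields only hashes, and that getting names back requires an offline guessing attack against a wordlist. DNS queries are simulated by dictionary lookups so it runs offline; the salt, iteration count and wordlist are arbitrary assumptions.

```python
"""Zone walking with NSEC, and why NSEC3 blunts it.

Constructed example: the zone "example.test.", its records, and the
"resolver" (a dict lookup standing in for real DNS queries) are all made up.
"""
import hashlib

APEX = "example.test."

# Constructed zone contents: owner name -> RR types present at that name.
ZONE = {
    "example.test.":       ["NS", "SOA", "DNSKEY"],
    "admin.example.test.": ["A"],
    "db1.example.test.":   ["A", "AAAA"],
    "vpn.example.test.":   ["A"],
    "www.example.test.":   ["A", "AAAA"],
}


def canonical_key(name):
    """RFC 4034 s6.1 ordering: compare labels right to left, case-insensitively."""
    return [l.encode("ascii") for l in reversed(name.lower().rstrip(".").split("."))]


def build_nsec_chain(zone):
    """Signer's view: each name gets an NSEC pointing at the next canonical
    name; the last one points back at the apex, closing the circle.
    Returns {owner: (next_owner, types)}."""
    names = sorted(zone, key=canonical_key)
    return {n: (names[(i + 1) % len(names)], zone[n]) for i, n in enumerate(names)}


def walk_nsec(apex, query_nsec, max_steps=10000):
    """Attacker's view: fetch the NSEC at the apex and keep following 'next'
    pointers until the chain returns to the apex. Every owner name falls out.
    query_nsec(name) stands in for a DNS query and returns (next_owner, types)."""
    found = []
    current = apex
    for _ in range(max_steps):
        nxt, types = query_nsec(current)
        found.append((current, types))
        if nxt == apex:
            return found
        current = nxt
    raise RuntimeError("NSEC chain did not close: loop or truncated chain")


def name_to_wire(name):
    """Uncompressed wire-format owner name, lowercased (what RFC 5155 s5 hashes)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: H(x) = SHA-1(x || salt), applied iterations+1 times.
    Returned as hex (real NSEC3 owner names use base32hex) for readability."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return h.hex()


def build_nsec3_chain(zone, salt, iterations):
    """NSEC3 chain: owners are hashes, ordered as hashes, carrying no plain names.
    Returns {hash: next_hash}."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in zone)
    return {h: hashed[(i + 1) % len(hashed)] for i, h in enumerate(hashed)}


def walk_nsec3(chain):
    """Walking the NSEC3 chain still yields every hash, but nothing more."""
    return sorted(chain)


def guess_nsec3_names(hashes, apex, wordlist, salt, iterations):
    """Offline dictionary attack on collected hashes, the only way to turn an
    NSEC3 chain back into names. Returns {hash: name} for guesses that hit."""
    hashset = set(hashes)
    hits = {}
    for cand in [apex] + [f"{w}.{apex}" for w in wordlist]:
        h = nsec3_hash(cand, salt, iterations)
        if h in hashset:
            hits[h] = cand
    return hits


if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    for name, types in walk_nsec(APEX, chain.__getitem__):
        print(f"NSEC  {name:24} {' '.join(types)}")
    # Arbitrary salt, iteration count and wordlist (assumptions for the demo).
    salt, iters = bytes.fromhex("aabbccdd"), 10
    chain3 = build_nsec3_chain(ZONE, salt, iters)
    hits = guess_nsec3_names(walk_nsec3(chain3), APEX,
                             ["www", "mail", "admin", "vpn"], salt, iters)
    for h in walk_nsec3(chain3):
        print(f"NSEC3 {h} -> {hits.get(h, '(not guessed)')}")
```

Run as-is, the NSEC walk lists all five owner names with their types, while the NSEC3 walk lists five hashes of which the wordlist recovers four; "db1" survives only because it was not guessed, which is the whole of the protection NSEC3 adds. The RFC 5155 opt-out and iteration-count knobs are not modelled here.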
