[dns-operations] My DNS, my rules (was isphuset.no/fsdata.se DNSSEC breakage)

Shane Kerr shane at time-travellers.org
Tue Sep 6 03:45:33 UTC 2016


At 2016-09-05 10:53:29 -0700
Doug Barton <dougb at dougbarton.us> wrote:

> On 9/5/2016 10:09 AM, Andrew Sullivan wrote:
> > So, to be clear,
> >
> > On Mon, Sep 05, 2016 at 12:32:04PM +1000, Mark Andrews wrote:
> >>
> >> After another week or so request that .NO remove the delegations,
> >> if it is still not fixed.
> > […]
> >> There has to be a penalty for continuing to use nameservers that
> >> cause operational problems.
> >
> > your recommendation for fixing the thing that causes some operational
> > problems is to make sure that the domain is broken for every possible
> > operational case.  Right?
>
> No, the solution is to shift the pain to the entity responsible for the
> zone, in the hopes that it motivates them to get it fixed. At worst, it
> removes a zone that no one cares about from the 'net.
>
> You are espousing the traditional "We have to help people limp along no
> matter how broken they are!" attitude that has suffused the DNS protocol
> and operational communities for the last 20+ years. While on one hand
> that seems a noble sentiment, it has seriously exacerbated the "long
> tail" problem that has prevented (or made nearly impossible) any true
> innovation in the space, even if such innovation is to fix the problems
> this attitude has created.

The great thing about DNS is that it mostly aligns the costs and
benefits of the service.

If I just need a name so I can access my office printer while on the
road, then I can set up a single DNS server on my home network and it's
fine. If I have a web site that needs high availability and low latency,
then I can get DNS service as part of a massive CDN. Great!

If my DNS server breaks for DANE users, then that's a problem for me.
Or not. Maybe I don't care? Maybe I think DANE is morally wrong?
(There are people who think that DNSSEC is an attempt by governments
to be able to have backdoors into PKI.) Maybe I have a larger plan to
upgrade my network but I need to wait for the next budget cycle?


Trust me, if we actually had the Ministry of DNS with the DNS Police out
there making sure that everything was done According to The Rules, then
it would be politicians and not technical people deciding what had to
be done and it would be awful. Every time you click away a notice on a
website informing you that they use cookies, consider what you are
asking for when you want some sort of policy enforcement for DNS.


I totally understand your frustration with the DNS ecosystem being
crufty and old. I'm sure that Microsoft feels the same with users
running Windows XP. :)

I think that there are two separate but related threads here.

The first is in simply getting software updated. This is hardly unique
to DNS software, and plagues the computer world in general. Automatic
updates, containerization, and perhaps even dynamic software delivery
(you know, like when you get JavaScript on a web page) can play a part
in changing this in the future. All are being attempted in various
ways... who knows what will actually happen going forward?

The second is in allowing standards to move on without harming
compatibility of older implementations. DNS has a mixed track record
here... I think it can do a lot better but there doesn't seem to be
any appetite for this kind of work. Maybe if there was money to be
made in this area, but standards work in DNS has not traditionally been
very profitable. ;)

