[dns-operations] My DNS, my rules (was isphuset.no/fsdata.se DNSSEC breakage)

Mark Andrews marka at isc.org
Tue Sep 6 04:56:21 UTC 2016

In message <20160906114533.736c0410 at pallas.home.time-travellers.org>, Shane Kerr writes:
> Doug,
> At 2016-09-05 10:53:29 -0700
> Doug Barton <dougb at dougbarton.us> wrote:
> > On 9/5/2016 10:09 AM, Andrew Sullivan wrote:
> > > So, to be clear,
> > >
> > > On Mon, Sep 05, 2016 at 12:32:04PM +1000, Mark Andrews wrote:
> > >>
> > >> After another week or so request that .NO remove the delegations,
> > >> if it is still not fixed.
> > > […]
> > >> There has to be a penalty for continuing to use nameservers that
> > >> cause operational problems.
> > >
> > > your recommendation for fixing the thing that causes some operational
> > > problems is to make sure that the domain is broken for every possible
> > > operational case.  Right?
> >
> > No, the solution is to shift the pain to the entity responsible for the
> > zone, in the hopes that it motivates them to get it fixed. At worst, it
> > removes a zone that no one cares about from the 'net.
> >
> > You are espousing the traditional "We have to help people limp along no
> > matter how broken they are!" attitude that has suffused the DNS protocol
> > and operational communities for the last 20+ years. While on one hand
> > that seems a noble sentiment, it has seriously exacerbated the "long
> > tail" problem that has prevented (or made nearly impossible) any true
> > innovation in the space, even if such innovation is to fix the problems
> > this attitude has created.
> The great thing about DNS is that it mostly aligns the costs and
> benefits of the service.

Until something breaks, at which point the costs basically fall on
everybody else.  There are good reasons that excommunication is at
the end of the complaints procedure in RFC 1033.  It forces the
costs back on to the offending party when reasonable steps to get
an issue addressed fail to be effective.

> If I just need a name so I can access my office printer while on the
> road, then I can set up a single DNS server on my home network and it's
> fine. If I have a web site that needs high availability and low latency,
> then I can get DNS service as part of a massive CDN. Great!
> If my DNS server breaks for DANE users, then that's a problem for me.
> Or not.

It's also a cost for others.  If it was just a cost to you then nobody
would be complaining here.

> Maybe I don't care? Maybe I think DANE is morally wrong?
> (There are people who think that DNSSEC is an attempt by governments
> to be able to have backdoors into PKI.) Maybe I have a larger plan to
> upgrade my network but I need to wait for the next budget cycle?
> ---
> Trust me, if we actually had the Ministry of DNS with the DNS Police out
> there making sure that everything was done According to The Rules, then
> it would be politicians and not technical people deciding what had to
> be done and it would be awful. Every time you click away a notice on a
> website informing you that they use cookies, consider what you are
> asking for when you want some sort of policy enforcement for DNS.
> ---
> I totally understand your frustration with the DNS ecosystem being
> crufty and old. I'm sure that Microsoft feels the same with users
> running Windows XP. :)

Old and crufty is running an RFC 1034 server.  In this case they
have told the world they are running servers that support DNSSEC
by publishing a DS record when in fact they are not.

> I think that there are two separate but related threads here.
> The first is in simply getting software updated. This is hardly unique
> to DNS software, and plagues the computer world in general. Automatic
> updates, containerization, and perhaps even dynamic software delivery
> (you know, like when you get JavaScript on a web page) can play a part
> in changing this in the future. All are being attempted in various
> ways... who knows what will actually happen going forward?
> The second is in allowing standards to move on without harming
> compatibility of older implementations. DNS has a mixed track record
> here... I think it can do a lot better but there doesn't seem to be
> any appetite for this kind of work. Maybe if there was money to be
> made in this area, but standards work in DNS has not traditionally been
> very profitable. ;)
> Cheers,
> --
> Shane

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
