James M Galvin <gal...@elistx.com> wrote on 07/19/2012 12:03:22 PM:

> I have evolved to what I consider a more practical view of this issue
> over the years. I'm certainly open to reconsideration but here's what
> I think today in one sentence: as a practical matter this is not a
> significant problem.
True, but as DNSSEC adoption increases, significance will increase as well.

> I absolutely believe we have a major gaping hole technically, so don't
> get me wrong. We should absolutely be seeking better ways to get child
> key information into the parent zone. But that's a separate
> discussion.

Agreed, with the proviso that some method to upload key records needs to exist for all registrars. Many of us have seen great strides in software ease of use during our lifetimes. My parents had a neighbor who thought the greatest improvement in her lifetime was indoor plumbing. Someday, users will never have experienced insecure DNS queries.

> Here's my rationale for what I believe.
>
> Consider the domain name market in an 80-20 split. I assert that for
> 80% of the market none of this will matter. The 80% portion of the
> market gets bundled services - domain name, email, web hosting, dns,
> etc. In that market their DNSSEC services will simply be provided and
> they will not know, care, or understand any of the problem you
> describe. They will not know the difference between a web site failure
> or some kind of DNS failure and they won't care. "Down" for 2 days: oh
> well. They are going to get the same level of service for the DNS
> failures as they do for their web site failures and they deal with this
> just fine today. DNSSEC does not change this business model or service.

I'm not sure I know anyone that won't be bitching up a storm with a 2 day outage. We are an organization that provides DNS, email and web hosting to over 100 schools and related organizations in the area. I guess that makes us part of the 20% for which this matters. We rely on outside registrars, and unfortunately we've been using Network Solutions for years. Until now, I have not had any complaints about them. They never screwed up anything on me. I guess if they don't allow me to upload DS records, I can't blame them for DNSSEC failures.
> We can have a discussion of whether or not DNSSEC should change the
> business model or service. I happen to think it should. I also think
> it will, in time, although I'm not going to try to predict it, except
> perhaps to talk about events that will show the change is in progress.
> But that's a separate discussion.
>
> For the remaining 20% I'll assert that they are technically competent,
> which means if they have fat finger issues, well, we've all had those
> problems. You get what you deserve and pay for. What I mean is, these
> folks will either be doing their DNS themselves, because they can, or
> they will be using a third-party service provider. In either case,
> with any luck they will be using a registrar with a higher level of
> service because they understand the risks and don't want the service
> interruption. If they're not then they'll have a "mistake" and they'll
> change registrars because they will learn from their "mistake".

I like to think I'm somewhat competent, but also recognize I have limits on what I know and can do. I am reading all I can (hence being on this list) and testing with a non-production domain. I have fat fingered BIND and brought domains down. I've blown up mail servers and killed web servers. Own up, apologize and promise to not make the same dumb mistake again.

I'm thinking my mistake here was thinking that a registrar would want to offer DNSSEC to its customers. Perhaps it is time for me to acknowledge that mistake and work on moving domains to another registrar. There will be a lot of organizational inertia to overcome here to do so. When I requested a transfer code for my personal domain, NetSol was all "boo hoo hoo, what can we do to keep you as a customer?" It's easy. Lower your prices. I will pay a premium for good service, but they are not providing that. And offer DNSSEC to your customers. One of the times I spoke to their tech support, the person had no bloody clue what DNSSEC was.
Hell, they could have provided her with a buzzword chart listing DNSSEC with a "we don't support that yet" answer. And she would not put me through to second tier support, insisting she could help me.

> In other words, the probability of a problem for the 20% is much lower
> than the probability of a problem for the 80%. And it is the problems
> in the 20% that will be most visible. The problems in the 80% will
> happen but are unlikely to have a significant on anything in particular.

If I'm in the 20%, I'll do my best to prevent the problems. I hate being visible. See http://dilbert.com/strips/comic/1995-08-18/ One of my all time favorites!!

> That's what I think.

Thanks for sharing

> Jim

Bill