On Thu, May 17, 2012 at 02:21:58PM -0400, Olafur Gudmundsson wrote:

> I think the point that PaulV has been making is let's document the
> best practices and learn from past mistakes and contain errors.

And the point that I (and, not to speak for him, I think Joe) was making was that there are no best practices here that are in any way better than "collaborate with someone who'll happily give you a root feed given that they know about you". The alternatives are all degenerate from that.

> I can easily envision the document covering this case by saying:
> "if you provision a root zone copy in your organization all your
> resolvers SHOULD do DNSSEC validation"

And so there you are, DiscountISPCorp, and you're following the best practices. You will ensure such DNSSEC validation how, exactly?

You seem to be missing the point of what I was arguing (and what I think Joe was arguing): a significant number of people who will claim to take this advice will be so clueless as to be incapable of following it. The people who don't fall into that camp don't _need_ the advice, because they already know they need to check their logs and so on. They can already AXFR the root zone from the many places where it's available.

If one publishes a BCP on this, then there will be a class of organization in which clueless managers instruct hapless lackeys to implement something because it is best. The lackeys will immediately say, "Yes sir/ma'am," go and turn it on, and do absolutely nothing about monitoring and so on; and since the failure to do most of the best practices will be invisible as long as everything is working, the lackeys will have done their job. They'll move on. Months or years later, there will be a problem and everyone will cast the blame in the wrong place. This will cause public consultations in which the "root cause" will be identified as some perfectly reasonable change to the root zone operational procedures, and there will be yet more totally stupid pressure to change root zone operations in order to ensure that someone's minister's brother isn't embarrassed.
My employer has a customer support department, and I look at this plan and see my employer's money being flushed away for absolutely no discernible benefit to the gross Internet population. What is this supposed to solve? The dubious problems observed in the pingdom blogpost?

It's not like we have no example of why this sort of one-way distribution with no co-ordination causes problems: AS112 has the same problem. There have been suggestions of altering what AS112 serves, and every time someone points out that it's hard because we don't know whether everyone participating in AS112 actually follows all the rules. For AS112, this seems to me like a perfectly acceptable answer. For the root zone, it does not.

Best,

A

-- 
Andrew Sullivan
[email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
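The message above leaves open the question it raises: how DiscountISPCorp would actually confirm that its resolvers validate. The script below is an added example, written for this page and not code from the thread or from any of its participants. It applies the standard observable test: a validating resolver sets the AD bit on an answer it validated (when the query carried DO or AD) and returns SERVFAIL for a name whose DNSSEC chain is deliberately broken. The wire messages, the names `signed.example.` and `broken.example.`, and the `build_response()` scaffolding are constructed here so the script runs offline; in practice you would feed `parse_header()` the responses captured from each of your own resolvers.

```python
"""Added example: decide from two DNS responses whether a resolver validates.

A DNSSEC-validating resolver (RFC 4035 / RFC 6840) sets the AD bit on an
answer it validated successfully when the query carried DO or AD, and
answers SERVFAIL for a name whose signatures are bogus.  Comparing the
responses for a correctly signed name and a deliberately broken one
therefore shows whether the resolver validated.  The messages below are
constructed in-line so the script runs offline.
"""
import struct

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020
FLAG_CD = 0x0010


def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte DNS header into the fields the check needs."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "qdcount": qdcount,
        "ancount": ancount,
    }


def classify_resolver(secure_resp: bytes, bogus_resp: bytes) -> str:
    """Return 'validating', 'not validating' or 'inconclusive'.

    secure_resp: response for a name with a valid DNSSEC chain.
    bogus_resp:  response for a name whose chain is deliberately broken.
    """
    s = parse_header(secure_resp)
    b = parse_header(bogus_resp)
    if not (s["qr"] and b["qr"]):
        return "inconclusive"  # at least one message is not a response at all
    if s["cd"] or b["cd"]:
        return "inconclusive"  # CD set: validation was bypassed on request
    if s["rcode"] == RCODE_NOERROR and s["ad"] and b["rcode"] == RCODE_SERVFAIL:
        return "validating"
    if s["rcode"] == RCODE_NOERROR and not s["ad"] and b["rcode"] == RCODE_NOERROR:
        return "not validating"
    return "inconclusive"  # e.g. AD passed through from an upstream forwarder


def _encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(ident: int, qname: str, rcode: int, ad: bool, answers: int) -> bytes:
    """Construct a minimal response (header + question section only).

    This is test scaffolding for the example: the advertised answer count
    is carried in the header only, and no answer records are appended.
    """
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", ident, flags, 1, answers, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    return header + question


# Constructed sample responses; the names are placeholders, not real test zones.
VALIDATING_SAMPLES = (
    build_response(0x1001, "signed.example.", RCODE_NOERROR, ad=True, answers=1),
    build_response(0x1002, "broken.example.", RCODE_SERVFAIL, ad=False, answers=0),
)
NON_VALIDATING_SAMPLES = (
    build_response(0x2001, "signed.example.", RCODE_NOERROR, ad=False, answers=1),
    build_response(0x2002, "broken.example.", RCODE_NOERROR, ad=False, answers=1),
)

if __name__ == "__main__":
    print("resolver A:", classify_resolver(*VALIDATING_SAMPLES))
    print("resolver B:", classify_resolver(*NON_VALIDATING_SAMPLES))
```

The test deliberately returns "inconclusive" rather than guessing when the CD bit is set or when the two responses disagree with both expected patterns, since a non-validating resolver forwarding to a validating upstream can pass an AD bit through without validating anything itself. Run it against every resolver you operate, not just the one you happened to configure; the point of the thread is that the resolvers nobody checks are the ones that will fail invisibly.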
