On Fri, Oct 31, 2014 at 10:26 AM, Paul Ebersman <[email protected]> wrote:
>
> srose> Should there be text describing auto-adding of NTAs based on
> srose> important domains (for the ISP/resolver's definition of
> srose> important)?  So that domains that are used by low level services
> srose> don't fail that also aren't normally visible to end users?  One
> srose> example is nist.gov. When nist.gov messed up and went DNSSEC
> srose> BOGUS, time.nist.gov was unreachable by validating resolvers.
>
> warren> Sorry, but to me this sounds like a bad idea -- you should find
> warren> out that your "not normally visible to end users" failures are
> warren> happening because your network monitoring system goes "Beep Beep
> warren> Beep" when low level important services die.  The NOC then goes
> warren> off and investigates and discovers that e.g. the NTP monitor is
> warren> sad because time.nist.gov is unresolvable.
>
> warren> At this point there really needs to be a *human* in the loop to
> warren> decide what to do, if the failure really *is* a DNSSEC failure
> warren> and, more importantly, if installing an NTA is the right answer.
>
> I'd hope it would be good operational sense for folks to have automated
> checks of critical things and checks of DNS logs for DNSSEC validation
> failures and that we shouldn't have to spell that out.
>
> But do we want to at least have a mention of doing such kinds of checks
> as a better way of noticing DNSSEC failures than pissed off customers or
> puzzled NOC folks?

Nope -- because now you have the problem of where to draw the line. Do
we also suggest the folk monitor error rates on WAN circuits? Failing
RAID arrays? Excessive BIND memory usage?

I think that would be document creep, creep!

>
> I do agree that we should not be inserting NTAs automatically for
> anything.

Yah.
W

>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
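The kind of check Paul describes above (scan the resolver's DNSSEC logs, flag validation failures under zones the operator considers critical, and hand them to a human rather than installing an NTA) as an added example; this is not code from the thread, and the log line format, the zone list and the sample lines are constructed assumptions:

```python
import re
from collections import Counter

# Zones the operator has decided matter for low-level services
# (constructed list; nist.gov is the example given in the thread).
CRITICAL_ZONES = {"nist.gov"}

# Constructed sample log lines, loosely modelled on BIND's validator
# messages; a real resolver's exact format will differ.
SAMPLE_LOG = """\
31-Oct-2014 10:26:01.123 dnssec: info: validating time.nist.gov/A: no valid signature found
31-Oct-2014 10:26:01.130 dnssec: info: validating time.nist.gov/AAAA: no valid signature found
31-Oct-2014 10:26:05.001 dnssec: info: validating www.example.org/A: verify failed due to bad signature
31-Oct-2014 10:26:09.442 queries: info: client 192.0.2.7 query: www.example.com IN A
"""

# Assumed shape of a validation-failure line: "validating <name>/<type>: <reason>"
FAILURE_RE = re.compile(r"validating (?P<name>[^/\s]+)/(?P<rrtype>\w+): (?P<reason>.*)$")

def parse_failures(log_text):
    """Return (owner name, rrtype, reason) for every validation-failure line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            failures.append((m["name"].rstrip(".").lower(), m["rrtype"], m["reason"]))
    return failures

def zone_of(name, critical_zones):
    """Map an owner name to the critical zone it sits under, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in critical_zones:
            return candidate
    return None

def triage(log_text, critical_zones=CRITICAL_ZONES):
    """Count validation failures per critical zone for a human to review.

    Deliberately produces a report only: per the thread, no NTA is ever
    inserted automatically; the NOC decides whether one is warranted.
    """
    counts = Counter()
    for name, _rrtype, _reason in parse_failures(log_text):
        zone = zone_of(name, critical_zones)
        if zone:
            counts[zone] += 1
    return dict(counts)

if __name__ == "__main__":
    for zone, n in triage(SAMPLE_LOG).items():
        print(f"REVIEW: {n} DNSSEC validation failure(s) under {zone}; page a human")
```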

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop