On Sat, Jul 30, 2022 at 1:24 PM, Edward Lewis <[email protected]> wrote:
> On 7/29/22, 10:49 AM, "DNSOP on behalf of Paul Wouters"
> <dnsop-bounces@ietf.org on behalf of [email protected]> wrote:
>
> I would have expected (and have taught) that this was by design to not
> disrupt systems with new data unless we knew they were ready for it. I
> didn’t realize we first tried to do it without that 😀
>
> This response made me think a bit - besides the early DNSSEC issue, there
> have been other times when we-collectively did something that should have
> been a no-brainer but were surprised. After the root zone KSK rollover,
> during the period where the old key appeared as revoked, there was a
> concerning rise of queries. Once the revoking record was pulled, the
> queries abated [lessened]. Note: I made sure my memory of this coincided
> with Wes H and Duane W. As the situation passed, I don't recall any
> published study definitively diagnosing the cause although some work may
> have led to a likely culprit. I'll put a plug here for this paper:
> https://www.isi.edu/~hardaker/papers/2019-10-ksk-roll.pdf.
>
> I don't think it is possible to achieve the point where any change can be
> made avoiding unpredicted repercussions [responses]. The operational state
> of the system has grown much too complex.
>

Yup - I believe that we passed the complexity event horizon for DNS quite a few years ago...

> Obscure code paths, old versions still running, other home-crafted code all
> contribute to the randomness. We can only hope to contain operational
> impacts and have good roll back plans in place.
>

Indeed. Anyone who claims that they fully understand how DNS works and can accurately predict the behavior of anything non-standard is either lying, or not a DNS "expert".

Of course, it's almost always trivial to "predict after the fact" that you actually knew that that is what would happen.

W

> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
>
