> On Apr 21, 2021, at 8:00 PM, Bron Gondwana <brong@xxxxxxxxxxxxxxxx> wrote:
>
> That's you - you're an expert in this field. Most people aren't. And yet - as you mention,
> you had a bug with automated re-signing failing and had to add monitoring.

No, I did not have to add monitoring; the monitoring came first! If it isn't
monitored, it is not a critical service. I never had an outage, just had to fix
some long-ago-resolved bugs.

> Also, I suspect that the content of your zone is managed by... you.

The zone content is largely irrelevant for signing; DNSSEC signing just covers
whatever is found in the zone.

> Extrapolating from that to assume that everyone else in the world will have
> the same experience... maybe the tooling has become heaps better than when
> we looked in 2016, but the list of DNSSEC failures hasn't exactly trickled
> to zero - cdc.gov in the year 2021 being a nice example case.

The tool has gotten heaps better, but some folks haven't upgraded, and have
poor operational discipline. They likely have many other failures that people
just don't write about, because they're less popular punching bags than DNSSEC.

It takes just a grain of competence and attention to detail, as with any
production technology. What doesn't work is neglect, and that also goes for
unsigned DNS, with parent NS records going stale, replication failing, ...

I am suggesting that Google can easily do DNSSEC for google.com, they likely
face non-trivial adoption barriers with global DNSSEC load-balancing, and other
specialised tech. I am just saying the old excuses are tired out, we can and
should move on.

--
Viktor.
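The "monitoring came first" point above, as an added example that is not part of the thread and not Viktor's or Bron's code: a stand-alone RRSIG-expiry check in Python. It parses RRSIG records in RFC 4034 presentation format (expiration and inception are YYYYMMDDHHMMSS in UTC) and classifies each one against the check time, flagging signatures that are expired, not yet valid (clock skew or a bad signer clock), or closer to expiry than a healthy re-signing cycle should ever let them get. The zone name example.test, the sample records, the signature fields and the alert thresholds are all constructed for the example; the thresholds must be set below the point at which your own signer re-signs, otherwise the check fires on every normal cycle.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG lines (RFC 4034 presentation format); example.test is a
# placeholder zone and the trailing signature fields are dummies, not real signatures.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 13 2 3600 20210501000000 20210417000000 12345 example.test. AbCd==
example.test. 3600 IN RRSIG SOA 13 2 3600 20210423000000 20210409000000 12345 example.test. EfGh==
www.example.test. 3600 IN RRSIG A 13 3 3600 20210415000000 20210401000000 12345 example.test. IjKl==
mail.example.test. 3600 IN RRSIG MX 13 3 3600 20210510000000 20210425000000 12345 example.test. MnOp==
"""

# owner ttl IN RRSIG type alg labels orig_ttl expiration inception keytag signer signature
_RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<type>\S+)\s+(?P<alg>\d+)\s+"
    r"(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+"
    r"(?P<keytag>\d+)\s+(?P<signer>\S+)\s+(?P<sig>\S+)\s*$"
)


def _ts(field):
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp as an aware UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return a list of dicts, one per RRSIG line; blank lines and ';' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RRSIG_RE.match(line)
        if not m:
            raise ValueError(f"not an RRSIG record: {line!r}")
        d = m.groupdict()
        records.append({
            "owner": d["owner"], "type": d["type"], "keytag": int(d["keytag"]),
            "signer": d["signer"],
            "inception": _ts(d["inception"]), "expiration": _ts(d["expiration"]),
        })
    return records


def classify(record, now, min_fraction=0.2, min_remaining=timedelta(days=3)):
    """Status of one RRSIG at time `now`.

    'expiring' means less than `min_fraction` of the validity window, or less than
    `min_remaining` of wall-clock time, is left. Both thresholds are illustrative
    (assumed values, not a standard) and must sit below the signer's own re-sign point.
    """
    inception, expiration = record["inception"], record["expiration"]
    if expiration <= inception:
        return "invalid_window"
    if now < inception:
        return "not_yet_valid"
    if now >= expiration:
        return "expired"
    remaining = expiration - now
    fraction = remaining / (expiration - inception)
    if fraction < min_fraction or remaining < min_remaining:
        return "expiring"
    return "ok"


def check_rrsigs(text, now, **thresholds):
    """Map (owner, type) -> status for every RRSIG in `text`.

    `now` is an aware datetime or a 14-digit RRSIG-style UTC timestamp string.
    """
    if isinstance(now, str):
        now = _ts(now)
    return {(r["owner"], r["type"]): classify(r, now, **thresholds)
            for r in parse_rrsigs(text)}


def overall(results):
    """Nagios-style verdict: CRITICAL if anything is expired/not yet valid, WARNING if expiring."""
    statuses = set(results.values())
    if statuses & {"expired", "not_yet_valid", "invalid_window"}:
        return "CRITICAL"
    if "expiring" in statuses:
        return "WARNING"
    return "OK"


if __name__ == "__main__":
    # Check time is the date of the thread, chosen so the sample records show every state.
    res = check_rrsigs(SAMPLE_RRSIGS, "20210421200000")
    for (owner, rtype), status in sorted(res.items()):
        print(f"{owner} {rtype}: {status}")
    print(overall(res))
```

In production the input would come from an AXFR or from querying each name/type with the DO bit set, and the check would run from the resolver's side of the network rather than on the signer, so that a signer whose clock or cron job has stopped is still caught; the classification logic stays the same.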