What Does No User Serviceable Parts Mean
I think we've all seen that text on consumer electronics before. It means that if you crack open your TiVo or your Playstation, you shouldn't expect to find a product designed for ease of maintenance or repair.
The IETF should have slapped that sticker on DNSSEC, too. The DNS Security Extensions, which provide authentication and integrity-checking of zone data, are critical to securing DNS infrastructure. But some implementations of DNSSEC seem to have been designed with the explicit goal of driving DNS administrators to drink. With early BIND name servers, for instance, signing a zone for the first time was a 12-step procedure (by my reckoning), and most of those steps involved the command line. (Even with current Microsoft DNS Servers, the situation is still much the same.)
Providing more evidence that getting DNSSEC right is tricky, Verisign yesterday patently muffed a key rollover for the .gov zone, rendering signed data in .gov unvalidatable. That amounted to an inadvertent denial of service, but luckily one that affected only those organizations who care the most about .gov information.
But my point isn't that Verisign doesn't know DNSSEC–they do, better than almost any other company. My point is that even the pros can mess up, because DNSSEC is difficult.
Since the introduction of DNSSEC, ISC and Infoblox and others have invested resources to automate DNSSEC to the extent possible. That automation is, in my opinion, an absolute necessity when deploying DNSSEC. You don't want to have to follow a multi-step cookbook of dnscmd commands in order to roll over a key (yo, Microsoft!); you want to specify how often keys should be rolled over and receive a nice notification when the rollover completes.
I hope that if you're planning to deploy DNSSEC, you won't be discouraged by Verisign's little accident, but further convinced that an automated solution is the way to go.
Chief DNS Architect at Infoblox
Cricket is one of the world's leading experts on the Domain Name System (DNS), and serves as the liaison between Infoblox and the DNS community. Before joining Infoblox, he founded an Internet consulting and training company, Acme Byte & Wire, after running the hp.com domain at Hewlett-Packard. Cricket is a prolific speaker and author, having written a number of books including "DNS and BIND," one of the most widely used references in the field, now in its fifth edition.
Source: https://blogs.infoblox.com/ipv6-coe/quot-no-user-serviceable-parts-inside-quot/#:~:text=August%2016%2C%202013,that%20sticker%20on%20DNSSEC%2C%20too.
Posted by: jaynesdiouse.blogspot.com