On Tue, Mar 01, 2016 at 06:15:22PM -0500, John R Levine wrote:
> >>The NDR record is deliberately free format because changing DNS
> >>servers is HARD, no really it is ridiculously hard with a ten year
> >>lag. Which is of course why we won't use a new record at all:
> >
> >Really? We have rpm's of new versions of named supplied within
> >hours of ISC's public announcements of new named releases. I'm
> >sure there are similar announcements for other nameserver vendors.
>
> I suppose I could say web based configuration crudware a few dozen more
> times, but I doubt it would sink in any more than it has before.
I've seen organizations that don't upgrade/patch software if they feel it can be mitigated with other technical means, because altering them would require hypothetical testing that they won't do. With the recent stream of security updates in the past 2-3 years to bash, OpenSSL, etc., they have started to change their stance.

I understand the goals of 'change one thing at a time' so it's easy to know what introduced the breakage, but at some point people who fail to upgrade will cease to work.

I was helping with a router today where the lack of a proper clock meant it could not generate an SSH key because the crypto system would not work. We are creating a more fragile ecosystem at times for the sake of security, and things will break along the way.

I have my opinions about technical malpractice in this space and have been guilty of it myself at times, but we can't let outdated people hold back forward progress.

- Jared

--
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop