by fhqghds 2183 days ago
as someone who works on such things at a .gov, this has been in the works for years, and will likely remain in the works for years

the level of push back against it is absolutely epic.

the .gov I work on has even been considering moving most services off of .gov to another tld (such as .us) in order to avoid having to comply...

What is the reasoning for the pushback? Can you talk about some of the reasons they give for that?
short answer: massive amounts of inertia

long answer: there are a lot of reasons...

one is that our network is obscenely open and used in weird ways.

public ips handed out to all the things via dhcp. dynamic hostnames (generated from the dhcp request) on a subdomain of our .gov for all the things. similarly static ips and top level dns records on our .gov are passed out like candy.

the border is heavily firewalled, and all networks are heavily sniffed and monitored, but everyone has a public ip with a .gov hostname. the network users consist of thousands of academics and scientists who use the network in fun and interesting ways, frequently without tls.

changing this culture is likely way more difficult than making config changes on bind and dhcpd

I've slowly learned to stop asking, and just try to keep my sobbing down during calls