[aussiedude]

- Responsible for .nz tld are staffed by 4 technical employees doing 24x7 on call support

- Engagement surveys captured staff feeling fatigued and under resources at entire org level

- Hard to hire for roles due to specialisation

- Team moving away from BAU work to projects

- Issues raised by external partner but team had other immediate work pressures

- Had to contact ex-employee that use to worked there to help resolve

- Once a year critical take just done by one team member

- Many IT operations tasks have sufficient external dependencies that it is impossible to tell – for certain that the task will be successful in production without doing the task in the production environment. - We've all been there.

Sounds like InternetNZ should actually outsource all of this to an external party and just focus on governance work.

[tgv]

> - Engagement surveys captured staff feeling fatigued and under resources at entire org level

This smells like an organizational failure. First, the survey doesn't tell if the tech staff suffered fatigue, because it was organization-wide. Second, the Executive Leadership Team has 5 people. Just the executive leadership. The Council itself has 9 members. I shudder to think how many (indirect) managers the 4 tech staff has to report to. Third, if there is a problem in your organization, you won't find it with a bloody survey. Those just exist to satisfy KPIs. Fourth, if there is a problem in a small team, that is fairly easy to locate. but if their manager doesn't know, or can't change it, something is wrong in the organization. Fifth, if there is a problem in a critical team, the organization as a whole has failed.

This won't be solved by outsourcing. If anything, placing critical employees at a distance creates more problems than it solves.

[martinald]

Agreed. Over the past few years I've encountered more and more organisations with a ratio of management:developer/designer of >1, ie for every developer or designer, there is more than 1 "manager" (PM, EM, etc) involved. These organisations tend to have appalling velocity and very low developer morale.

Conversely some of the most efficient organisations I've seen have virtually no "management". Usually a lead developer who still works on the product managing tickets, taking requirements from a CEO or similar. These teams can deliver a mind boggling amount of work in comparison.

[cyrnel]

Good summary! Not sure about that conclusion. I don't imagine there are roving bands of these specialized DNS network architects to whom you can magically outsource the operations.

The whole thing just strikes me as the continued under-valuing of this kind of maintenance work. It's not glamorous, you often work for a government/non-profit that pays less, on-call is brutal, and the chronic short-staffing is a pain multiplier. Not exactly the best foundation for an entire country's internet infrastructure to sit atop.

[aussiedude]

But DNSSEC in root zones isn't unique to .nz.

.au, .us, .com, .net, .gov, .io, etc all have the same challenges.

[mcesch]

Outsourcing isn't a panacea. `.au` is outsourced to Identity Digital (formerly Afilias) and they managed to flub their configuration recently too[1].

1. https://www.auda.org.au/statement/au-domain-name-system-upda...

[alfons_foobar]

TLDs, not root zones ;)

The root zone is atop the DNS hierarchy and is usually denoted by a single dot, it contains all the top-level-domains.

[throw0101c]

.ca as well:

> This DNSSEC Practice Statement (“DPS”) is a statement of security practices and provisions made by the Canadian Internet Registration Authority (CIRA). These practices and provisions are applied in conjunction with DNS Security Extensions (DNSSEC) in the Canadian country-code Top Level Domain (ccTLD), .CA.

> This DPS conforms to the template included in RFC 6841 . The approach described here is modelled closely on the corresponding procedures published in a corresponding DNSSEC Policy and Practice Statement published by .SE (The Internet Infrastructure Foundation) for the Swedish top-level domain, whose pioneering work in DNSSEC deployment is acknowledged.

* https://www.cira.ca/en/resources/documents/domains/cira-dnss...

    To provide a means for stakeholders to evaluate the strength and
    security of the DNSSEC chain of trust, an entity operating a DNSSEC-
    enabled zone may publish a DNSSEC Practice Statement (DPS),
    comprising statements describing critical security controls and
    procedures relevant for scrutinizing the trustworthiness of the
    system.  The DPS may also identify any of the DNSSEC Policies (DPs)
    it supports, explaining how it meets their requirements.

* https://datatracker.ietf.org/doc/html/rfc6841

[1vuio0pswjnm7]

Only needing to hire a minimum number of employees to run it, the "TLD business" must be quite profitable.

[themoonisachees]

Actually margins are razor thin. Most of the hard part is compliance, and you're paying out huge sums for audits.