[blibble]

> Not everything -should- be easy.

the entirety of .nz probably wouldn't agree with you when they had a 2 day outage due to a slight DNSSEC misconfiguration

[pas]

???

at best that means there's more need for practice, testing, better processes, and so on. it does not mean everything should be easy. (especially changes to a critical name authority.)

there's an argument that maybe .nz needs to spend more on this, delegate this, or accept a decreased security assurance, but that's definitely not true in general.

[blibble]

if you read the post-mortem they did everything by the book

they made a small mistake, and .nz was down for 2 days as a result

of course the 95% of people that have competent ISPs that don't verify DNSSEC records were completely unaffected

there's a reason ALL major tech companies refuse to deploy it for their zones

[pas]

> they made a small mistake

> and .nz was down for 2 days as a result

so it was not a small mistake

yes, the same thing happens when people start using technology that actually verifies what it reads/writes. ie. btrfs, ZFS, ECC, etc. and turns out disks fail, bits rots, etc. it was just unnoticed.

[tptacek]

Most, not all. Salesforce is a notable counterexample.