North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: data request on Sitefinder

  • From: Kee Hinckley
  • Date: Mon Oct 20 13:36:35 2003

At 10:59 AM -0400 10/20/03, Steve Bellovin wrote:
So -- how much notice would the operator community want before
deploying new software?  What about for enterprises?  (We all know that
stuff *can* be deployed more quickly in emergency circumstances.  We
also know the problems that that can lead to, which is why we generally
want testing and controlled deployment.)
I don't even want to start down that path. If we were talking normal software development and deployment schedules we'd be talking six months to a year from notice to the software company to deployment. But obviously that isn't going to happen. As a software developer I'd want at least 30-60 days to do development and testing. As a service provider thought, I'm pretty conservative about updating my servers. And of course this change probably wouldn't be back-patched into old versions, so that means I'm biting off all kinds of other changes that I need to test as well.

More importantly--Verisign needs to deploy alternate servers so it's actually possible to test software against the changes they propose to make. Otherwise we're just running around guessing what the behavior is going to be.

But fundamentally the problem is this. There is no way to handle root wildcards by various registries in a standard and reliable way. Verisign has not even been able to provide code for how to handle *their* wildcard in a reliable way. Each registry may implement different features with different behaviors. What works for one won't necessarily work for another. And every time any one of them changes, or a new registry is added, every single piece of software that relies on a particular behavior has to be checked and possibly patched. We can't afford to run the internet that way.



--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.