Why UX matters
I've just spent 30+ minutes setting up a DS record at a local webhosting provider. The reason? Lack of coffee or maybe bad UX. Or maybe both.
First of all, what is a DS record and why do you need one? A DS record is the Delegation Signer type of DNS record, which is a crucial part of DNSSEC, especially when your domain is hosted by one provider and your other DNS records by AWS.
In my case I purchased a .sk domain through Websupport (as AWS does not sell those), but I manage my DNS records in AWS. As I was setting up DNSSEC on the AWS side, I needed to create a DS record on Websupport's side.
I was really surprised when I got to the Websupport console and needed to guess which algorithm to use. This is what I saw in the console:


By default AWS will create a signing key with the strong ECDSA Curve P-256 with SHA-256 algorithm. But that was not what I could see at Websupport. So I started the usual round of chatting with support while simultaneously asking ChatGPT Duck.ai how the algorithms I could see are related to the ECDSA one I needed.
GPT-4o mini replied:
The ECDSA algorithm is related to DSA/SHA1 but specifically involves the use of elliptic curves for the Digital Signature Algorithm.
Here's a brief overview of the options you provided:
- Diffie-Hellman: A key exchange algorithm, not directly related to digital signatures.
- DSA/SHA1: The Digital Signature Algorithm (DSA) with SHA-1 hashing. ECDSA is an elliptic curve variant of DSA.
- RSA/SHA1: RSA algorithm for encryption or signatures, combined with SHA-1. This is not ECDSA.
- DSA-NSEC3-SHA1: This is a variant related to DNS security and also does not represent ECDSA.
In summary, while DSA/SHA1 is not ECDSA, it is the closest in that it serves a similar purpose in digital signatures but without the elliptic curve aspect.
Not very helpful, but at the same time I was able to connect with WebSupport's online support through chat. We brainstormed - e.g. I was explaining what's wrong - two guys swapped, as this needed L2 support, not L1, and at the same time I was reading the f**king manual...
So I found this very helpful page from the provider - DNSSEC activation.
To my surprise, what I can see in the tutorial is that they have selected the ECDSA algorithm - exactly what I needed but couldn't see in my WebSupport console. Emphasis on couldn't see. It doesn't mean it was not there, I just couldn't see it.

Why? Look again at the second image. There are 4 algorithms there. Or are there?
Again, not sure if it was lack of coffee or really bad UX, but the gist of it is that the select box is scrollable. You cannot see any indication of that fact, e.g. a scrollbar, but it is scrollable.
Frankly, I don't know why you need scrolling within the select box when you have 12 options, but it is what it is. This is how it could've looked - not that bad at all, and very expressive as well.

But if for some reason you don't like it this way, you absolutely need it to be scrollable, and you for some reason hate to show your scrollbars before you start scrolling (great idea, Apple), then I guess there are other options. Especially if you know that the select box has a fixed height of 200px and each item within it has a fixed height of 42px, then be a gentleman and show us that there are potentially other items in the select box by showing half of one.
The math is easy, just add 21px (or even 20px) to that 200px fixed height (the rest is padding and margin for those who are missing 32px).

For some reason (yes, I know I need to get that coffee already) it wasn't even 21px or 20px; 8px was sufficient.
If you want to verify that your DNSSEC is set up correctly, you can use Verisign's DNSSEC analyzer.
It seems that I've done it correctly.
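A local cross-check of what goes into the registrar's DS form, as an added example that is not part of the original post: it derives the key tag, algorithm and SHA-256 digest from a DNSKEY (RFC 4034) and maps the algorithm number to its IANA mnemonic, where AWS's "ECDSA Curve P-256 with SHA-256" is number 13. The function names, the `example.sk.` owner name and the sample key (placeholder bytes, not a real key) are assumptions made for the illustration.

```python
import base64
import hashlib
import struct

# IANA DNSSEC algorithm numbers -> mnemonics (what a registrar form lists).
ALGORITHMS = {
    2: "DH", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    12: "ECC-GOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
    15: "ED25519", 16: "ED448",
}
# IANA DS digest types -> hashlib constructors.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire format of a domain name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS fields a registrar form asks for."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown DNSSEC algorithm number {algorithm}")
    if not flags & 0x0100:
        raise ValueError("DS must refer to a zone key (Zone Key flag not set)")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "algorithm_name": ALGORITHMS[algorithm],
            "digest_type": digest_type, "digest": digest}


# Constructed sample: placeholder bytes standing in for a 64-byte P-256 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    ds = ds_from_dnskey("example.sk.", 257, 3, 13, SAMPLE_KEY_B64)
    print("{key_tag} {algorithm} ({algorithm_name}) {digest_type} {digest}".format(**ds))
```

Feed it the flags, protocol, algorithm and base64 key from your zone's published key-signing DNSKEY and compare the output with what the registrar form shows before saving.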
