Re: [dnsext] Historical root keys: The Large Router Vendor Speaks

[Jay Ashworth <jra () baylink com>]

----- Original Message -----
> From: "John Bashinski" <jbash () cisco com>

> Well, this has generated some interesting messages, and apparently
> some people think that the "large router vendor" in question should
> speak for itself.

Yay!

> Realities
> =========
> 5. Some of the people installing these products (frankly including some
> of the professional network gear) will have no clue what DNSSEC is
> or what cryptography is.
>
> 6. In the case of the consumer gear, the cost to us of helping the
> customer deal with any DNSSEC failure will be greater than the entire profit
> we make on the device.
>
> 7. Even for professional gear, customers don't want to pay their staff
> to mess with this, and we don't want to pay our staff to support
> them.
>
> 8. Lots of our products get drop-shipped to people's field offices,
> get plugged in by a wire-plugger-inner who basically just checks
> that the lights are on and goes on to the next task, and then
> have to fend for themselves, at least enough to be able to talk
> to the NOC and await further instructions.
>
> Implication B: As much as it possibly can, anything we do must work
> without human intervention, and especially without very skilled
> intervention. We know there will be problems, but we MUST minimize
> them and minimize the amount of "touch" required to fix them.
>
> Implication C: Social engineering is almost always a bigger risk than
> cryptographic failure, especially at the device end of the
> communication chain.

That block of (correct) observations, coupled with later ones which I've
elided for space, suggests to me the following observation:

  There is a limit to the maximum practical security and trust which 
  can be engineered into the Internet at Large, absent some investment by
  specific users/network operators who require more.

That observation shouldn't apply to the people who actually have
a reason to be on this list -- backbone operators and professional
DNS zone server operators *should* make that investment, as a contribution
to the Public Good...

but you can't necessarily expect it at the edge.

My experience, and the integration of all the things I've learned in 
doing this for 25 years, is that complexity reaches a tipping point; 
there's only so much of it you can allow and still have a stable 
system -- and the complexity "attack surface" is at least proportional
to the size of the system itself; something the size of The Entire 
Internet has even more stringent limits in that regard than, say,
an enterprise LAN/WAN.

So while I applaud Cisco's (or, more properly, John's) evaluation of
the situation, and statement of goals -- and I agree with nearly 
everything he says -- my personal opinion is that there's a practical
limit as to how close to the edge you can push the event horizon
without the whole thing falling over... and I don't think that 
number's 100%.

Cheers,
-- jra