[dnsext] Historical root keys: The Large Router Vendor Speaks

From: "John Bashinski" <jbash@cisco.com>

Well, this has generated some interesting messages, and apparently
some people think that the "large router vendor" in question should
speak for itself.



5. Some of the people installing these products (frankly including some
of the professional network gear) will have no clue what DNSSEC is
or what cryptography is.

6. In the case of the consumer gear, the cost to us of helping the
customer deal with any DNSSEC failure will be greater than the entire profit
we make on the device.

7. Even for professional gear, customers don't want to pay their staff
to mess with this, and we don't want to pay our staff to support

8. Lots of our products get drop-shipped to people's field offices,
get plugged in by a wire-plugger-inner who basically just checks
that the lights are on and goes on to the next task, and then
have to fend for themselves, at least enough to be able to talk
to the NOC and await further instructions.

Implication B: As much as it possibly can, anything we do must work
without human intervention, and especially without very skilled
intervention. We know there will be problems, but we MUST minimize
them and minimize the amount of "touch" required to fix them.

Implication C: Social engineering is almost always a bigger risk than
cryptographic failure, especially at the device end of the
communication chain.

That block of (correct) observations, coupled with later ones which I've
elided for space, suggests to me the following observation:

  There is a limit to the maximum practical security and trust which
  can be engineered into the Internet at Large, absent some investment by
  specific users/network operators who require more.

That observation shouldn't apply to the people who actually have
a reason to be on this list -- backbone operators and professional
DNS zone server operators *should* make that investment, as a contribution
to the Public Good...

but you can't necessarily expect it at the edge.

My experience, and the integration of all the things I've learned in
doing this for 25 years, is that complexity reaches a tipping point;
there's only so much of it you can allow and still have a stable
system -- and the complexity "attack surface" is at least proportional
to the size of the system itself; something the size of The Entire
Internet has even more stringent limits in that regard than, say,
an enterprise LAN/WAN.

So while I applaud Cisco's (or, more properly, John's) evaluation of
the situation, and statement of goals -- and I agree with nearly
everything he says -- my personal opinion is that there's a practical
limit as to how close to the edge you can push the event horizon
without the whole thing falling over... and I don't think that
number's 100%.

-- jra