----- Original Message -----
From: "John Bashinski" <jbash@cisco.com>
Well, this has generated some interesting messages, and apparently some people think that the "large router vendor" in question should speak for itself.
Yay!
Realities
=========
5. Some of the people installing these products (frankly including some of the professional network gear) will have no clue what DNSSEC is or what cryptography is.
6. In the case of the consumer gear, the cost to us of helping the customer deal with any DNSSEC failure will be greater than the entire profit we make on the device.
7. Even for professional gear, customers don't want to pay their staff to mess with this, and we don't want to pay our staff to support them.
8. Lots of our products get drop-shipped to people's field offices, get plugged in by a wire-plugger-inner who basically just checks that the lights are on and goes on to the next task, and then have to fend for themselves, at least enough to be able to talk to the NOC and await further instructions.
Implication B: As much as it possibly can, anything we do must work without human intervention, and especially without very skilled intervention. We know there will be problems, but we MUST minimize them and minimize the amount of "touch" required to fix them.
Implication C: Social engineering is almost always a bigger risk than cryptographic failure, especially at the device end of the communication chain.
That block of (correct) observations, coupled with later ones which I've elided for space, suggests to me the following observation: There is a limit to the maximum practical security and trust which can be engineered into the Internet at Large, absent some investment by specific users/network operators who require more.

That observation shouldn't apply to the people who actually have a reason to be on this list -- backbone operators and professional DNS zone server operators *should* make that investment, as a contribution to the Public Good... but you can't necessarily expect it at the edge.

My experience, and the integration of all the things I've learned in doing this for 25 years, is that complexity reaches a tipping point; there's only so much of it you can allow and still have a stable system -- and the complexity "attack surface" is at least proportional to the size of the system itself; something the size of The Entire Internet has even more stringent limits in that regard than, say, an enterprise LAN/WAN.

So while I applaud Cisco's (or, more properly, John's) evaluation of the situation, and statement of goals -- and I agree with nearly everything he says -- my personal opinion is that there's a practical limit as to how close to the edge you can push the event horizon without the whole thing falling over... and I don't think that number's 100%.

Cheers,
-- jra