----- Original Message -----
> From: "Dan York" <y...@isoc.org>
> To: "Mark Andrews" <ma...@isc.org>
> Cc: "Evan Hunt" <e...@isc.org>, "Bob Harold" <rharo...@umich.edu>, "dnsop" <dnsop@ietf.org>, "Mikael Abrahamsson" <swm...@swm.pp.se>
> Sent: Wednesday, 16 November, 2016 23:28:18
> Subject: Re: [DNSOP] DNSSEC operational issues long term
>
> On Nov 17, 2016, at 6:46 AM, Mark Andrews <ma...@isc.org> wrote:
>
> Is it that hard to add a sim or sd card reader? This is the solution
> the cable industry uses for its crypto issues but with bigger form
> factor cards.
>
> ... the home CPE market is extremely LOW-margin right now. Service providers
> and regular home users are looking for the cheapest options out there. Adding
> in a card reader adds cost and complexity - and a potential tech support
> issue - and the reality is that I suspect the *vast* majority of users will
> not ever run into this issue. Most users will buy the box and connect it to
> their network and have the trust anchors just work.
>
> Given the low margin, my suspicion is that most CPE manufacturers would NOT
> want to add in any additional components to solve what for them would be an
> edge case in terms of volume.

This is the main problem. Most CPE manufacturers don't give a damn about their devices when they are able to sell them successfully to unsuspecting people.

So I would suspect that if you bought a low-end device supporting DNSSEC early next year and let it collect dust for a single year, there's a high chance it won't work either, because there would be no way to update either the firmware or the trust anchors.

And even with the usual 2 year warranty most people would just not bother to return a faulty device to the seller, because $20 is not worth it. And that's exactly the reason why those vendors are able to do it. Most people just don't care...

And I am not convinced that we should design protocols to cater to the device vendors' irresponsible behavior toward their products.

Cheers,
--
Ondřej Surý -- Technical Fellow
--------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Milesovska 5, 130 00 Praha 3, Czech Republic
mailto:ondrej.s...@nic.cz https://nic.cz/
--------------------------------------------