[ksk-rollover] RFC 5011 will not be implemented in Dnsmasq

Lars-Johan Liman liman at netnod.se
Tue Jan 8 14:41:56 UTC 2019

On 07.01.19 at 19:18, Matthew Pounsett wrote:
>> That is a broken business model which, if they are doing DNSSEC
>> validation, will result in broken routers (on top of the security
>> vulnerabilities they open their customers to).  I suspect that's
>> going to affect their bottom line.

> I agree with the broken business model. That business model outbrakes
> DNSSEC. Sale-and-forget vendors tend to ignore DNSSEC. Even the
> expensive AVM Fritz!Boxes don't do DNSSEC validation.

Unfortunately the business model isn't broken at all - if you see it as
exactly that: a BUSINESS model. The box stops working, it gets tossed.
The user buys a new one that works.

Instead of having to handle expensive software updates, the vendor gets
increased sales. What is there not to like? (From the vendor's
standpoint, that is). Users have come to accept this as normal. I just
tossed 5-8 perfectly working old pieces of CPE-like equipment in the
city dump this weekend. I know they will never be safe. There is nothing
I can do.

My car inspector's words (regarding cars, but they are equally valid
here) ring in my ears: "In the old days, they built cars to be as good
as they were able to, now they build them as bad as they dare."
(Slightly lacking translation, but you get it ...)

# Lars-Johan Liman, M.Sc.               !  E-mail: liman at netnod.se
# Senior Systems Specialist             !  Tel: +46 8 - 562 860 12
# Netnod Internet Exchange, Stockholm   !  http://www.netnod.se/
