Re: [arin-announce] ARIN Resource Certification Update

[Steven Bellovin <smb () cs columbia edu>]

On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote:

> On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jabley () hopcount ca> wrote:
> > On 2011-01-24, at 20:24, Danny McPherson wrote:
> >
> > > <separate subject>
> > > Beginning to wonder why, with work like DANE and certificates in DNS
> > > in the IETF, we need an RPKI  and new hierarchical shared dependency
> > > system at all and can't just place ROAs in in-addr.arpa zone files that are
> > > DNSSEC-enabled.
> <snip>
> > But what about this case?
> >
> >  RIR allocates 10.0.0.0/8 to A
> >  A allocates 10.0.0.0/16 to B
> >  B allocates 10.0.0.0/24 to C
> >
> > In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate 
> > zones, and
> > hence no opportunity for them to indicate the legitimacy of the allocation.
>
> it's not the best example, but I know that at UUNET there were plenty
> of examples of the in-addr tree not really following the BGP path.
The other essential point is that routers don't do RPKI queries in
real-time; rather, they have a copy of the entire RPKI database, which
they update as needed.  In other words, the operational model doesn't
fit the way the DNS works.


                --Steve Bellovin, http://www.cs.columbia.edu/~smb