nanog mailing list archives
Re: [arin-announce] ARIN Resource Certification Update
From: Steven Bellovin <smb () cs columbia edu>
Date: Mon, 24 Jan 2011 23:27:48 -0500
On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote:

> On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jabley () hopcount ca> wrote:
>> On 2011-01-24, at 20:24, Danny McPherson wrote:
>>> <separate subject>
>>> Beginning to wonder why, with work like DANE and certificates in DNS in the IETF, we need an RPKI and new hierarchical shared dependency system at all and can't just place ROAs in in-addr.arpa zone files that are DNSSEC-enabled.
>
> <snip>
>
>> But what about this case?
>>
>> RIR allocates 10.0.0.0/8 to A
>> A allocates 10.0.0.0/16 to B
>> B allocates 10.0.0.0/24 to C
>>
>> In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and hence no opportunity for them to indicate the legitimacy of the allocation.
>
> it's not the best example, but I know that at UUNET there were plenty of examples of the in-addr tree not really following the BGP path.

The other essential point is that routers don't do RPKI queries in real-time; rather, they have a copy of the entire RPKI database, which they update as needed. In other words, the operational model doesn't fit the way the DNS works.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
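
An added example, not part of the original message: a sketch of the local-copy model described above, in which route origin validation (the valid / invalid / not-found outcomes defined in RFC 6811) runs entirely against an in-memory table, with no lookup per route. The prefixes mirror the thread's allocation example; the AS numbers, max lengths and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of validated ROA payloads: (prefix, max length, origin AS).
# AS numbers come from the documentation range; prefixes follow the thread's
# RIR -> A -> B -> C allocation example.
SAMPLE_VRPS = [
    ("10.0.0.0/8", 8, 64496),    # holder A
    ("10.0.0.0/16", 16, 64497),  # holder B
    ("10.0.0.0/24", 24, 64498),  # holder C
]


def load_cache(vrps):
    """Parse VRP tuples into the table a router keeps locally and refreshes."""
    return [(ipaddress.ip_network(p), maxlen, asn) for p, maxlen, asn in vrps]


def validate(cache, route_prefix, origin_as):
    """Classify a BGP route using only the local cache (no network query)."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for vrp_net, maxlen, asn in cache:
        # A VRP covers the route when the route lies inside the VRP prefix.
        if route.version != vrp_net.version or not route.subnet_of(vrp_net):
            continue
        covered = True
        # A match needs the same origin AS and a prefix no longer than the
        # max length; AS 0 in a VRP never matches any route.
        if asn != 0 and asn == origin_as and route.prefixlen <= maxlen:
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    # Covered by no VRP at all: not-found.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    cache = load_cache(SAMPLE_VRPS)
    for prefix, asn in [("10.0.0.0/24", 64498), ("10.0.0.0/24", 64497),
                        ("10.1.0.0/16", 64497), ("192.0.2.0/24", 64496)]:
        print(prefix, f"AS{asn}", validate(cache, prefix, asn))
```
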