nanog mailing list archives
Re: rpki vs. secure dns?
From: Phil Regnauld <regnauld () nsrc org>
Date: Sat, 28 Apr 2012 21:28:43 +0200
Rubens Kuhl (rubensk) writes:
In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17: https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf The same currently happens with DNSSEC, doing what Comcast calls "negative trust anchors": http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
Yes, NTAs were the comparison that came to my mind as well. Or even in classic DNS, overriding with stubs. You will get bitten by a bogus/flawed ROA, but you'll have the chance to mitigate it. Any kind of centralized mechanism like this is subject to these risks, no matter what the distribution mechanism is.