nanog mailing list archives

Re: [arin-announce] ARIN Resource Certification Update


From: Joe Abley <jabley () hopcount ca>
Date: Mon, 24 Jan 2011 21:02:00 -0500


On 2011-01-24, at 20:24, Danny McPherson wrote:

> <separate subject>
> Beginning to wonder why, with work like DANE and certificates in DNS
> in the IETF, we need an RPKI and new hierarchical shared dependency
> system at all and can't just place ROAs in in-addr.arpa zone files that are
> DNSSEC-enabled.

In the case where (say)

 RIR allocates 10.0.0.0/8 to A
 A allocates 10.1.0.0/16 to B
 B allocates 10.1.1.0/24 to C

there's a clear path of delegations in the DNS under IN-ADDR.ARPA from RIR -> A -> B -> C and this matches the chain of 
address assignments. If you adopt the convention that a secure delegation (a signed DS RRSet) is analogous to an RPKI 
signature over a customer certificate, then this seems vaguely usable. 

But what about this case?

 RIR allocates 10.0.0.0/8 to A
 A allocates 10.0.0.0/16 to B
 B allocates 10.0.0.0/24 to C

In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate 
zones, and hence no opportunity for them to indicate the legitimacy of the allocation.

As a thought experiment, how would you see this working?


Joe
