Re: rpki vs. secure dns?

[Alex Band <alexb () ripe net>]

On 28 Apr 2012, at 14:57, Stephane Bortzmeyer wrote:

> On Sat, Apr 28, 2012 at 12:34:52PM +0200,
> Alex Band <alexb () ripe net> wrote 
> a message of 41 lines which said:
>
> > In reality, since the RIRs launched an RPKI production service on 1
> > Jan 2011, adoption has been incredibly good (for example compared to
> > IPv6 and DNSSEC). More than 1500 ISPs and large organizations
> > world-wide have opted-in to the system and requested a resource
> > certificate using the hosted service, or running an open source
> > package with their own CA. 
>
> I have an experience with the deployment of DNSSEC and the problem
> with DNSSEC was not to have signed zones (many are, now) but to have
> people *using* these signatures to check the data (i.e. validating in
> a resolver).
>
> RPKI has many ROA (signed objects) but how many operators validate
> routes on their production routers? Zero?

First you need a robust system and reliable data. Native router support is coming along. We could be getting to a stage 
where people will use the data in production. Time will tell...

> > But it's not just that, these ISPs didn't just blindly get
> > certificate and walk away.
>
> Most of the ROAs are very recent. Again, the experience with DNSSEC
> shows that starting is easy ("DNSSEC in siw minutes"). It's long term
> management which is *the* problem. Wait until people start to change
> the routing data and watch the ROAs becoming less and less correct...
>
> > Data quality is really good. 
>
> It's not what you said:
>
> "It is safe to say that overall data quality is pretty bad"
> <https://labs.ripe.net/Members/AlexBand/resource-certification-rpki-in-the-real-world> 
> (good paper, by the way, thanks)

A lot has changed since I wrote that. :)

-Alex

Attachment: smime.p7s
Description: