nanog mailing list archives

Re: rpki vs. secure dns?


From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 28 Apr 2012 17:16:55 +0200

* Alex Band:

> At RIPE 63, six months ago, the RIPE NCC membership got a chance to
> vote on RPKI at the general meeting. The result was that the RIPE
> NCC has the green light to continue offering the Resource
> Certification service, including all BGP Origin Validation related
> functionality.

But this was done outside the Policy Development Process, which is
supposed to handle such things.

> It's correct that concerns were raised in the area of
> security, resilience and operator autonomy, as you mention. These
> concerns are continuously being evaluated and addressed.

I don't think so.  Ultimately, it does not seem to be possible to get
this through the PDP.

The whole discussion is a bit odd: Even without RPKI, RIPE NCC already
has the power to directly influence global routing because it's
unreasonable to expect that the majority of their BGP peers employ
strict filtering.  So they could inject more specifics as they see
fit, and thus blackhole pretty arbitrary chunks of address space.
However, so can most of those who control routers in the
DFZ, and RPKI (or something similar) would change that at least.

