[135410] in North American Network Operators' Group


Re: [arin-announce] ARIN Resource Certification Update

daemon@ATHENA.MIT.EDU (Danny McPherson)
Mon Jan 24 21:24:51 2011

From: Danny McPherson <danny@tcb.net>
In-Reply-To: <m2ipxdpw57.wl%randy@psg.com>
Date: Mon, 24 Jan 2011 21:24:06 -0500
To: "NANOG Operators' Group" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Jan 24, 2011, at 9:14 PM, Randy Bush wrote:
> 
> you want certificates etc?  or did you plan to reuse dns keys?

I suspect the former, reusing much of the SIDR machinery 
perhaps, although....

> if the former, then all you are discussing is changing the transport to
> make routing security rely on dns and dns security.  not a really great
> plan.

Right, I've heard the circular dependency arguments.  So, are
you suggesting the RPKI isn't going to rely on DNS at all?

I'm of the belief RPKI should NOT be on the critical path, but instead 
focus on Internet number resource certification - are you suggesting 
otherwise?

> if the latter, then you have the problem that the dns trust model is not
> congruent with the routing and address trust model.

That could be easily fixed with trivial tweaks and transitive trust/
delegation graphs that are, I suspect.

-danny

