[135416] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Mon Jan 24 22:32:14 2011
In-Reply-To: <66D828AA-16DB-43D4-A6D1-D40C137DCDAA@hopcount.ca>
Date: Mon, 24 Jan 2011 22:31:30 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: NANOG Operators' Group <nanog@nanog.org>
On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jabley@hopcount.ca> wrote:
>
> On 2011-01-24, at 20:24, Danny McPherson wrote:
>
>> <separate subject>
>> Beginning to wonder why, with work like DANE and certificates in DNS
>> in the IETF, we need an RPKI and new hierarchical shared dependency
>> system at all and can't just place ROAs in in-addr.arpa zone files that are
>> DNSSEC-enabled.
<snip>
> But what about this case?
>
>  RIR allocates 10.0.0.0/8 to A
>  A allocates 10.0.0.0/16 to B
>  B allocates 10.0.0.0/24 to C
>
> In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and
> hence no opportunity for them to indicate the legitimacy of the allocation.
it's not the best example, but I know that at UUNET there were plenty
of examples of the in-addr tree not really following the BGP path.
-chris