[135417] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Mon Jan 24 23:27:58 2011
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <AANLkTikr+Lsh=zFNnupt4_8bW6tQqveJsseE6zXAkt3c@mail.gmail.com>
Date: Mon, 24 Jan 2011 23:27:48 -0500
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: NANOG Operators' Group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote:
> On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jabley@hopcount.ca> wrote:
>>
>> On 2011-01-24, at 20:24, Danny McPherson wrote:
>>
>>> <separate subject>
>>> Beginning to wonder why, with work like DANE and certificates in DNS
>>> in the IETF, we need an RPKI and new hierarchical shared dependency
>>> system at all and can't just place ROAs in in-addr.arpa zone files that are
>>> DNSSEC-enabled.
> <snip>
>> But what about this case?
>>
>> RIR allocates 10.0.0.0/8 to A
>> A allocates 10.0.0.0/16 to B
>> B allocates 10.0.0.0/24 to C
>>
>> In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and
>> hence no opportunity for them to indicate the legitimacy of the allocation.
>
> it's not the best example, but I know that at UUNET there were plenty
> of examples of the in-addr tree not really following the BGP path.
>
The other essential point is that routers don't do RPKI queries in
real-time; rather, they have a copy of the entire RPKI database, which
they update as needed. In other words, the operational model doesn't
fit the way the DNS works.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
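The two points made in this exchange, that the RIR -> A -> B -> C allocation chain is something each hop signs in the RPKI but not in an in-addr.arpa delegation that skips A and B, and that a router validates against a locally held copy of the whole ROA set rather than querying per route, can be shown with a small constructed model. This is an added illustration, not code from the thread or from any RPKI implementation; the certificate containment rule and the Valid/Invalid/NotFound outcomes follow RFC 6487 and RFC 6811 semantics, and the AS numbers, the 10.0.0.0 prefixes and the ROA cache are constructed sample data.

```python
"""Constructed illustration (not code from the NANOG thread or any RPKI
implementation): how the allocation chain RIR -> A -> B -> C is carried by
RPKI resource certificates, and how a router validates route origins
against a locally held copy of the ROA set."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class ResourceCert:
    holder: str
    prefixes: Tuple[IPNet, ...]              # address resources this certificate conveys
    parent: Optional["ResourceCert"] = None  # None marks the trust anchor (the RIR)


def covered(child: IPNet, parents: Tuple[IPNet, ...]) -> bool:
    """True if some parent prefix contains the child prefix."""
    return any(child.version == p.version and child.subnet_of(p) for p in parents)


def chain_valid(cert: ResourceCert) -> bool:
    """Walk up to the trust anchor; each certificate's resources must be a
    subset of its issuer's (the RPKI resource containment rule). Every hop
    of the allocation chain is a signed certificate, which is the property
    the in-addr.arpa delegation in the thread lacks when it skips A and B."""
    while cert.parent is not None:
        if not all(covered(p, cert.parent.prefixes) for p in cert.prefixes):
            return False
        cert = cert.parent
    return True


def allocation_path(cert: ResourceCert) -> list:
    """Holders from the trust anchor down to this certificate."""
    path = []
    while cert is not None:
        path.append(cert.holder)
        cert = cert.parent
    return list(reversed(path))


def reverse_zone(prefix: IPNet) -> str:
    """in-addr.arpa zone name for an octet-aligned prefix, to show which
    intermediate zones would have to exist for A and B to sign anything."""
    octets = str(prefix.network_address).split(".")
    return ".".join(reversed(octets[: prefix.prefixlen // 8])) + ".in-addr.arpa"


@dataclass(frozen=True)
class ROA:
    prefix: IPNet
    max_length: int
    asn: int


def validate_route(prefix: IPNet, origin_as: int, roa_cache) -> str:
    """RFC 6811 route origin validation against a local ROA cache. The router
    never queries anything per route: the whole validated ROA set is the
    input, which is the operational point Bellovin makes in the reply."""
    covering = [r for r in roa_cache if covered(prefix, (r.prefix,))]
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_as and prefix.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


# Constructed allocation chain from the thread: /8 to A, /16 to B, /24 to C.
RIR = ResourceCert("RIR", (IPNet("10.0.0.0/8"),))
A = ResourceCert("A", (IPNet("10.0.0.0/8"),), RIR)
B = ResourceCert("B", (IPNet("10.0.0.0/16"),), A)
C = ResourceCert("C", (IPNet("10.0.0.0/24"),), B)
# Constructed bad certificate: B has no authority over 10.1.0.0/16.
BOGUS = ResourceCert("D", (IPNet("10.1.0.0/16"),), B)

# Constructed local ROA cache: C authorises private-use AS 64496 for its /24.
ROA_CACHE = (ROA(IPNet("10.0.0.0/24"), 24, 64496),)

if __name__ == "__main__":
    print(allocation_path(C), chain_valid(C), chain_valid(BOGUS))
    for p in (A.prefixes[0], B.prefixes[0], C.prefixes[0]):
        print(p, "->", reverse_zone(p))
    for net, asn in (("10.0.0.0/24", 64496), ("10.0.0.0/24", 64497),
                     ("10.0.0.0/25", 64496), ("10.1.0.0/24", 64496)):
        print(net, asn, validate_route(IPNet(net), asn, ROA_CACHE))
```

Run stand-alone it prints the RIR -> A -> B -> C path with a valid chain, rejects the bogus certificate whose resources exceed its issuer's, lists the 10., 0.10. and 0.0.10.in-addr.arpa zones that would each need a signer for the DNS model to express the same chain, and classifies the four sample routes as Valid, Invalid (wrong origin), Invalid (more specific than maxLength) and NotFound.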