[135691] in North American Network Operators' Group
Re: [arin-announce] ARIN Resource Certification Update
daemon@ATHENA.MIT.EDU (Osterweil, Eric)
Thu Jan 27 20:52:07 2011
Date: Thu, 27 Jan 2011 18:51:11 -0700
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <C96766D5.4C70%eosterweil@verisign.com>
Sorry to be Johnny-come-lately to this...
On 1/24/11 6:31 PM, "Randy Bush" <randy@psg.com> wrote:
>> Right, I've heard the circular dependency arguments. So, are you
>> suggesting the RPKI isn't going to rely on DNS at all?
>
> correct. it need not.
Maybe I am misunderstanding something here... Are (for example) the rsync
processes going to use hard-coded IPs? Are the SIAs and AIAs referenced by
IP?
>
>> I'm of the belief RPKI should NOT be on the critical path, but instead
>> focus on Internet number resource certification - are you suggesting
>> otherwise?
>
> <channeling steve kent>
> see the word 'certification'? guess where that leads. pki. add
> resources and stir.
Sounds like a loose definition of pki. Does DNSSEC count as such a loosely
defined pki? :-P
>
>>> if the latter, then you have the problem that the dns trust model is
>>> not congruent with the routing and address trust model.
>> That could be easily fixed with trivial tweaks and transitive
>> trust/delegation graphs that are, I suspect.
>
> not bloody likely. the folk who sign dns zones are not even in the same
> building as the folk who deal with address space. in large isps, not
> even in the same town.
Why does this stop the whole thing short? I think the people who run any
as-yet-to-be-developed-and-deployed system don't sit in any building at
all... Yet, right? :)
Tbqh, I think I might be missing something important (so, please forgive my
ignorance), but I don't see how (for example) admins of the SMTP
infrastructure have trouble getting their MX records right in DNS zones...
How is getting certs in there so much worse?
Eric
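The question above about whether the SIA and AIA pointers in RPKI certificates name their rsync publication points by hostname or by IP literal is one a relying-party operator can answer mechanically: walk the access URIs and see which ones need a DNS lookup before anything can be fetched. The following is an added example, not code from either poster or from any RPKI implementation; the URIs and hostnames in `SAMPLE_ACCESS_URIS` are constructed for illustration and the function names are the example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of SIA/AIA-style access URIs as they appear in RPKI
# certificates (rsync:// pointers to repository publication points).
# The hostnames and addresses are made up for this example.
SAMPLE_ACCESS_URIS = [
    "rsync://rpki.example.net/repository/ca/",
    "rsync://rpki.example.net/repository/ca/ca.mft",
    "rsync://[2001:db8::10]/repo/",
    "rsync://192.0.2.10/repo/child/",
    "rsync://mirror.example.org/repository/",
]


def host_kind(uri):
    """Classify the authority part of an access URI.

    Returns ("ip", literal) for an IPv4/IPv6 literal (fetchable without
    DNS), ("dns", name) for a hostname that must be resolved first, or
    ("invalid", uri) when the URI carries no host at all.
    """
    parts = urlsplit(uri)
    host = parts.hostname  # strips [] around IPv6 literals, lowercases names
    if not host:
        return ("invalid", uri)
    try:
        ipaddress.ip_address(host)
        return ("ip", host)
    except ValueError:
        return ("dns", host)


def dns_dependencies(uris):
    """Sorted set of DNS names a relying party must resolve to fetch
    every object referenced by the given access URIs."""
    return sorted({host for kind, host in map(host_kind, uris) if kind == "dns"})


def ip_only(uris):
    """True iff none of the URIs requires a DNS lookup to be fetched."""
    return not dns_dependencies(uris)


if __name__ == "__main__":
    for uri in SAMPLE_ACCESS_URIS:
        kind, host = host_kind(uri)
        print(f"{kind:7s} {host:20s} {uri}")
    print("DNS names on the fetch path:", dns_dependencies(SAMPLE_ACCESS_URIS))
    print("DNS-free repository set:", ip_only(SAMPLE_ACCESS_URIS))
```

Run over a real repository's certificate set, `dns_dependencies` lists exactly the zones (and hence the DNS operators and DNSSEC signers) whose availability sits in front of RPKI validation, which is the dependency the thread is arguing about.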