[152426] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Alex Band)
Sat Apr 28 14:15:02 2012
From: Alex Band <alexb@ripe.net>
In-Reply-To: <4F9C2CBA.1010602@foobar.org>
Date: Sat, 28 Apr 2012 20:14:27 +0200
To: Nick Hilliard <nick@foobar.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 28 Apr 2012, at 19:45, Nick Hilliard wrote:
> On 28/04/2012 18:27, Phil Regnauld wrote:
>> To me that seems like the most obvious problem, but as Alex put =
it,
>> "Everyone has the ability to apply an override on data they do =
not trust,
>> or have a specific local policy for."
>=20
> So what do you suggest to do with a roa lookup which returns =
"Invalid"?
In case you feel a BGP announcement should not be "RPKI Invalid" but =
something else, you do what's described on slide 15-17:
https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
-Alex=
