[152428] in North American Network Operators' Group
Re: rpki vs. secure dns?
daemon@ATHENA.MIT.EDU (Phil Regnauld)
Sat Apr 28 15:29:18 2012
Date: Sat, 28 Apr 2012 21:28:43 +0200
From: Phil Regnauld <regnauld@nsrc.org>
To: Rubens Kuhl <rubensk@gmail.com>
In-Reply-To: <CAGFn2k3J1M=8CLZuRZJDSPkoerPXVRW2tdbpj923hQHNaKWtiA@mail.gmail.com>
Cc: Nanog <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Rubens Kuhl (rubensk) writes:
> > In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17:
> >
> > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
>
> The same currently happens with DNSSEC, doing what Comcast calls
> "negative trust anchors":
> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
Yes, NTAs were the comparison that came to my mind as well. Or even
in classic DNS, overriding with stubs. You will get bitten by a bogus/
flawed ROA, but you'll have the chance to mitigate it. Any kind of
centralized mechanism like this is subject to these risks, no matter
what the distribution mechanism is.
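The mechanism the thread is comparing to DNSSEC negative trust anchors is a validator-side local override: the operator removes a ROA they believe is bogus or flawed, or locally asserts the origin they know to be legitimate, before the routers see the validation result. The following is an added example (not from this post, the RIPE slides, or any validator's code) of RFC 6811 route origin validation over a constructed ROA set, with a hypothetical override format (an "ignore" set and an "assert" list) standing in for whatever exception syntax a real validator exposes. All prefixes and AS numbers are documentation ranges, constructed for the example.

```python
"""Route Origin Validation (RFC 6811) with an operator-local override.

Added example, not part of the NANOG post. ROAs, routes and override
entries are constructed sample data; the override format is hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the ROA authorises
    asn: int         # authorised origin AS


def rov_state(prefix, origin_asn, roas):
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2.

    A ROA *covers* a route when the route prefix lies within the ROA prefix.
    A covering ROA *matches* when the route is no longer than maxLength and
    the origin AS equals the ROA's AS. Valid needs one match; covered with
    no match is invalid; no covering ROA at all is notfound.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version:
            continue  # subnet_of() refuses mixed IPv4/IPv6 comparisons
        if route.subnet_of(roa_net):
            covered = True
            if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
                return "valid"
    return "invalid" if covered else "notfound"


def apply_override(roas, override):
    """Apply operator-local exceptions before validation (hypothetical format).

    override["ignore"]: ROAs the operator believes are bogus or flawed; they are
                        dropped, the RPKI analogue of a DNSSEC negative trust anchor.
    override["assert"]: locally trusted ROA entries treated as if published.
    Both directions carry risk: ignoring a genuine ROA re-exposes the prefix to the
    origin hijack it would have flagged, and an incorrect assertion whitelists one.
    """
    effective = [r for r in roas if r not in override.get("ignore", set())]
    effective.extend(override.get("assert", []))
    return effective


def validate_all(routes, roas):
    """Map 'prefix ASn' -> validation state for every (prefix, origin) pair."""
    return {f"{p} AS{a}": rov_state(p, a, roas) for p, a in routes}


# Constructed ROA set; the third entry is the "flawed ROA" case from the thread:
# the holder of 198.51.100.0/22 published the wrong origin AS by mistake.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("203.0.113.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64511),   # flawed: the real origin is AS64496
]

# Constructed announcements as a router would see them.
SAMPLE_ROUTES = [
    ("192.0.2.0/24", 64500),     # matches its ROA            -> valid
    ("192.0.2.0/25", 64500),     # more specific than maxLength -> invalid
    ("203.0.113.0/24", 64666),   # unauthorised origin          -> invalid
    ("198.51.100.0/24", 64496),  # legitimate, but the flawed ROA makes it invalid
    ("2001:db8::/32", 64500),    # no covering ROA              -> notfound
]

# Hypothetical operator override: drop the flawed ROA and assert the real origin.
LOCAL_OVERRIDE = {
    "ignore": {ROA("198.51.100.0/22", 24, 64511)},
    "assert": [ROA("198.51.100.0/24", 24, 64496)],
}


def before_and_after():
    """Validation states with the published ROAs, then with the override applied."""
    before = validate_all(SAMPLE_ROUTES, SAMPLE_ROAS)
    after = validate_all(SAMPLE_ROUTES, apply_override(SAMPLE_ROAS, LOCAL_OVERRIDE))
    return before, after


if __name__ == "__main__":
    before, after = before_and_after()
    for key in before:
        print(f"{key:28} {before[key]:>8} -> {after[key]}")
```

Running it shows the point of the comparison: the override rescues only the route hit by the flawed ROA, while the genuine hijack case (203.0.113.0/24 from AS64666) stays invalid. The override itself is just another centrally maintained list, so it needs the same review and expiry discipline as the ROA it works around.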