[153388] in North American Network Operators' Group


Re: rpki vs. secure dns?

daemon@ATHENA.MIT.EDU (Samuel Weiler)
Tue Jun 5 15:40:02 2012

Date: Tue, 5 Jun 2012 15:39:12 -0400 (EDT)
From: Samuel Weiler <weiler+lists.nanog@watson.org>
To: David Conrad <drc@virtualized.org>
In-Reply-To: <E26EA4F9-C339-42C7-A3E2-5E31D1830999@virtualized.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, 28 May 2012, David Conrad wrote:

> As far as I can tell, ROVER is simply Yet Another RPKI Access Method 
> like rsync and bittorrent with its own positives and negatives.

Not quite.  ROVER's SRO & RLOCK statements have different semantics 
than RPKI ROAs, and there are semantics that may not be (practically) 
expressible in ROVER.

ROVER's semantics depend on DNS zone structure.  The protection 
offered by the RLOCK statement stops when a zone cut is reached -- 
longer routes are allowed unless there's an RLOCK in every descendant 
zone.  Having DNS users care about zone structure is, to quote Rob 
Austein, "not normal".

-- Sam Weiler
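To make the zone-cut point concrete, here is an added Python model (not from this post or the ROVER drafts) of the semantics Weiler describes: an RLOCK published in a reverse zone stops at that zone's delegations, so a delegated child zone without its own RLOCK reopens the more-specific space, whereas an RPKI ROA's maxLength applies to the address block regardless of DNS structure. It assumes octet-aligned IPv4 prefixes, one RLOCK per zone at the apex, and a constructed set of zones; origin-AS matching is ignored in the ROA check.

```python
import ipaddress

# Constructed scenario: the reverse zone for 10.1.0.0/16 carries an RLOCK,
# but the reverse zone for 10.1.5.0/24 has been delegated (a zone cut)
# to a child zone that publishes no RLOCK of its own.
ZONES = {"in-addr.arpa", "10.in-addr.arpa", "1.10.in-addr.arpa",
         "5.1.10.in-addr.arpa"}
RLOCKS = {"1.10.in-addr.arpa"}

def reverse_name(prefix):
    """Map an octet-aligned IPv4 prefix to its in-addr.arpa name."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError("this model handles octet-aligned prefixes only")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def authoritative_zone(name, zones):
    """Closest enclosing zone, i.e. the zone cut below which `name` lives."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise LookupError(f"no zone encloses {name}")

def rlock_blocks(specific, zones=ZONES, rlocks=RLOCKS):
    """A more-specific is locked out only if the zone authoritative for its
    reverse name carries an RLOCK; an ancestor's RLOCK does not cross the cut."""
    return authoritative_zone(reverse_name(specific), zones) in rlocks

def roa_rejects(specific, roa_prefix, max_length):
    """ROA maxLength semantics: any covered prefix longer than max_length is
    invalid, independent of how the reverse DNS tree is delegated."""
    net = ipaddress.ip_network(specific)
    roa = ipaddress.ip_network(roa_prefix)
    return net.subnet_of(roa) and net.prefixlen > max_length

def compare():
    """For each candidate more-specific: (blocked by RLOCK, rejected by ROA)."""
    return {p: (rlock_blocks(p), roa_rejects(p, "10.1.0.0/16", 16))
            for p in ("10.1.3.0/24", "10.1.5.0/24")}

if __name__ == "__main__":
    for prefix, (rlock, roa) in compare().items():
        print(f"{prefix}: RLOCK blocks={rlock}  ROA(maxLength=16) rejects={roa}")
```

The /24 that sits inside the locked zone is blocked, while the one whose reverse zone was delegated slips through; the ROA rejects both, which is the gap in expressiveness the reply is pointing at.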

