[56303] in North American Network Operators' Group
Re: BGP to doom us all
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Sun Mar 2 13:43:17 2003
Date: Sun, 2 Mar 2003 18:42:34 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Vadim Antonov <avg@kotovnik.com>
Cc: Paul Vixie <vixie@vix.com>, <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21.0302282245200.30773-100000@gato.kotovnik.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 28 Feb 2003, Vadim Antonov wrote:
>
>
>
> Thank you very much, but no.
>
> DNS (and DNSSEC) relies on working IP transport for its operation.
Doesn't sBGP also have this problem? A catch-22 where you have to have
good routing to get good routing? Or did I miss something?
>
> Now you effectively propose to make routing (and so operation of IP
> transport) dependent on DNS(SEC).
>
> Am I the only one who sees the problem?
>
> --vadim
>
> PS. The only sane method for routing info validation I've seen so far is
> the plain old public-key crypto signatures.
>
>
> On 1 Mar 2003, Paul Vixie wrote:
> >
> > > It wouldn't be too hard for me to trust:
> > >
> > > 4969.24.origin.0.254.200.10.in-addr.arpa returning something like "true."
> > > to check whether 4969 is allowed to originate 10.200.254.0/24. ...
> >
> > at last, an application for dnssec!
>
>
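The origin lookup proposed in the quoted text, together with the dependency objection raised against it, as an added example that is not part of the original thread. The name layout is inferred from the single example name quoted above; the in-memory zone, the `reachable` flag and all function names are assumptions standing in for a DNSSEC-validated resolver.

```python
import ipaddress

class ResolverUnreachable(Exception):
    """Raised when the lookup cannot be carried out at all."""

def origin_qname(asn: int, prefix: str) -> str:
    # Layout taken from the quoted example name:
    # <asn>.<prefixlen>.origin.<network octets reversed>.in-addr.arpa
    net = ipaddress.IPv4Network(prefix, strict=True)  # rejects set host bits
    octets = str(net.network_address).split(".")
    return f"{asn}.{net.prefixlen}.origin.{'.'.join(reversed(octets))}.in-addr.arpa"

# Constructed sample data: the one record from the quoted example.
ZONE = {"4969.24.origin.0.254.200.10.in-addr.arpa": "true."}

def lookup(qname: str, reachable: bool = True):
    # Hypothetical stand-in for a validated DNS query. `reachable` models
    # whether IP transport to the resolver works at the moment of the query.
    if not reachable:
        raise ResolverUnreachable(qname)
    return ZONE.get(qname)

def check_origin(asn: int, prefix: str, reachable: bool = True) -> str:
    """Return 'authorized', 'unauthorized' or 'unknown' for an announcement."""
    try:
        answer = lookup(origin_qname(asn, prefix), reachable)
    except ResolverUnreachable:
        # The circular dependency discussed in the thread: the route cannot
        # be validated without transport, which itself depends on routing.
        return "unknown"
    return "authorized" if answer == "true." else "unauthorized"

if __name__ == "__main__":
    for asn, prefix, up in [(4969, "10.200.254.0/24", True),
                            (64500, "10.200.254.0/24", True),   # constructed AS
                            (4969, "10.200.254.0/25", True),    # more specific
                            (4969, "10.200.254.0/24", False)]:
        print(asn, prefix, "resolver up" if up else "resolver down",
              "->", check_origin(asn, prefix, up))
```

What a router should do with an "unknown" result is a policy choice the thread does not settle.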