[arin-announce] ARIN Resource Certification Update
On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote:
> On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jabley at hopcount.ca> wrote:
>>
>> On 2011-01-24, at 20:24, Danny McPherson wrote:
>>
>>> <separate subject>
>>> Beginning to wonder why, with work like DANE and certificates in DNS
>>> in the IETF, we need an RPKI and new hierarchical shared dependency
>>> system at all and can't just place ROAs in in-addr.arpa zone files that are
>>> DNSSEC-enabled.
> <snip>
>> But what about this case?
>>
>> RIR allocates 10.0.0.0/8 to A
>> A allocates 10.0.0.0/16 to B
>> B allocates 10.0.0.0/24 to C
>>
>> In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and
>> hence no opportunity for them to indicate the legitimacy of the allocation.
>
> it's not the best example, but I know that at UUNET there were plenty
> of examples of the in-addr tree not really following the BGP path.
>
The other essential point is that routers don't do RPKI queries in
real-time; rather, they have a copy of the entire RPKI database, which
they update as needed. In other words, the operational model doesn't
fit the way the DNS works.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
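The operational model Bellovin describes, a router validating against a locally held copy of the ROA set rather than querying anything at lookup time, can be shown in code. The following is an added example, not code from this thread or from any RPKI implementation: it builds a small constructed cache modelled on Joe Abley's allocation chain (the /8, /16 and /24 ROAs and the AS numbers 64500-64502 are assumed, taken from the RFC 5398 documentation range) and applies the RFC 6811 origin-validation rule (Valid / Invalid / NotFound) to BGP announcements, including the maxLength and AS0 cases.

```python
"""Route origin validation against a local ROA cache.

Added example, not from the original thread. The ROAs and ASNs below are
constructed for illustration; the decision rule is the RFC 6811 one:
  - no covering ROA                                   -> NotFound
  - a covering ROA with matching ASN and prefixlen <= maxLength -> Valid
  - covering ROAs exist but none matches             -> Invalid
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization as held in the router's local cache."""
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int  # AS0 (RFC 6483) authorizes nobody: any covered route is Invalid


def make_roa(prefix: str, max_length: int, asn: int) -> ROA:
    """Parse and sanity-check a ROA; maxLength must lie within [prefixlen, 32|128]."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, asn)


# Constructed cache following the allocation chain in the thread:
# RIR -> A (10.0.0.0/8), A -> B (10.0.0.0/16), B -> C (10.0.0.0/24).
# ASNs are assumed: A=64500, B=64501, C=64502 (RFC 5398 documentation range).
SAMPLE_CACHE = [
    make_roa("10.0.0.0/8", 16, 64500),   # A may originate anything down to /16
    make_roa("10.0.0.0/16", 24, 64501),  # B may originate anything down to /24
    make_roa("10.0.0.0/24", 24, 64502),  # C may originate exactly the /24
    make_roa("10.0.3.0/24", 24, 0),      # AS0 ROA: B marks this /24 as not-to-be-routed
]


def covering_roas(cache, net):
    """Return every ROA whose prefix covers `net` (same address family only)."""
    return [r for r in cache
            if r.prefix.version == net.version and net.subnet_of(r.prefix)]


def validate_origin(cache, prefix: str, origin_asn: int) -> str:
    """RFC 6811 validation state for an announcement of `prefix` from `origin_asn`.

    Everything needed is in `cache`; nothing is queried at validation time,
    which is the point made in the thread about why DNS is a poor fit.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(cache, net)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


if __name__ == "__main__":
    announcements = [
        ("10.0.0.0/24", 64502),   # C originates its own /24
        ("10.0.0.0/24", 64500),   # A originates C's /24: beyond A's maxLength
        ("10.1.0.0/16", 64500),   # A originates a /16 it never sub-delegated
        ("10.0.0.0/25", 64502),   # C leaks a more-specific than its maxLength
        ("10.0.3.0/24", 64502),   # covered only by the AS0 ROA and B's /16
        ("192.0.2.0/24", 64500),  # nothing in the cache covers it
    ]
    for pfx, asn in announcements:
        print(f"{pfx:14} AS{asn:<6} -> {validate_origin(SAMPLE_CACHE, pfx, asn)}")
```

Note that an AS0 ROA does not veto other ROAs: 10.0.3.0/24 announced by AS64501 is still Valid under B's /16 ROA with maxLength 24, so marking space unroutable with AS0 only works when no broader ROA also authorizes that length.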