[arin-announce] ARIN Resource Certification Update
- Subject: [arin-announce] ARIN Resource Certification Update
- From: eosterweil at verisign.com (Osterweil, Eric)
- Date: Thu, 27 Jan 2011 18:51:11 -0700
- In-reply-to: <C96766D5.4C70%[email protected]>
Sorry to be Johnny-come-lately to this...
On 1/24/11 6:31 PM, "Randy Bush" <randy at psg.com> wrote:
>> Right, I've heard the circular dependency arguments. So, are you
>> suggesting the RPKI isn't going to rely on DNS at all?
>
> correct. it need not.
Maybe I am misunderstanding something here... Are (for example) the rsync
processes going to use hard coded IPs? Are the SIAs and AIAs referenced by
IP?
>
>> I'm of the belief RPKI should NOT be on the critical path, but instead
>> focus on Internet number resource certification - are you suggesting
>> otherwise?
>
> <channeling steve kent>
> see the word 'certification'? guess where that leads. pki. add
> resources and stir.
Sounds like a loose definition of pki. Does DNSSEC count as such a loosely
defined pki? :-P
>
>>> if the latter, then you have the problem that the dns trust model is
>>> not congruent with the routing and address trust model.
>> That could be easily fixed with trivial tweaks and transitive trust/
>> delegation graphs that are, I suspect.
>
> not bloody likely. the folk who sign dns zones are not even in the same
> building as the folk who deal with address space. in large isps, not
> even in the same town.
Why does this stop the whole thing short? I think the people who run any
as-yet-to-be-developed-and-deployed system don't sit in any building at
all... Yet, right? :)
Tbqh, I think I might be missing something important (so, please forgive my
ignorance), but I don't see how (for example) admins of the SMTP
infrastructure have trouble getting their MX records right in DNS zones...
How is getting certs in there so much worse?
Eric