[arin-announce] ARIN Resource Certification Update

Danny McPherson danny at tcb.net
Tue Jan 25 02:24:06 UTC 2011


On Jan 24, 2011, at 9:14 PM, Randy Bush wrote:
> 
> you want certificates etc?  or did you plan to reuse dns keys?

I suspect the former, reusing much of the SIDR machinery 
perhaps, although....

> if the former, than all you are discussing is changing the transport to
> make routing security rely on dns and dns security.  not a really great
> plan.

Right, I've heard the circular dependency arguments.  So, are
you suggesting the RPKI isn't going to rely on DNS at all?

I'm of the belief RPKI should NOT be on the critical path, but instead 
focus on Internet number resource certification - are you suggesting 
otherwise?

> if the latter, then you have the problem that the dns trust model is not
> congruent with the routing and address trust model.

That could be easily fixed with trivial tweaks and transitive trust/
delegation graphs that are, I suspect.

-danny




More information about the NANOG mailing list