rpki vs. secure dns?

Phil Regnauld regnauld at nsrc.org
Sat Apr 28 19:28:43 UTC 2012


Rubens Kuhl (rubensk) writes:
> > In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17:
> >
> > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
> 
> The same currently happens with DNSSEC, doing what Comcast calls
> "negative trust anchors":
> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01

	Yes, NTAs were the comparison that came to my mind as well. Or even
	in classic DNS, overriding with stubs. You will get bitten by a
	bogus/flawed ROA, but you'll have the chance to mitigate it. Any kind of
	centralized mechanism like this is subject to these risks, no matter
	what the distribution mechanism is.




More information about the NANOG mailing list