rpki vs. secure dns?
Phil Regnauld
regnauld at nsrc.org
Sat Apr 28 19:28:43 UTC 2012
Rubens Kuhl (rubensk) writes:
> > In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17:
> >
> > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
>
> The same currently happens with DNSSEC, doing what Comcast calls
> "negative trust anchors":
> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
Yes, NTAs was the comparison that came to my mind as well. Or even
in classic DNS, overriding with stubs. You will get bitten by a bogus/
flawed ROA, but you'll have to the chance to mitigate it. Any kind of
centralized mechanism like this is subject to these risks, no matter
what the distribution mechanism is.
More information about the NANOG
mailing list