rpki vs. secure dns?

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Apr 29 11:37:59 CDT 2012

On Sun, Apr 29, 2012 at 11:28:58AM -0400,
 Jennifer Rexford <jrex at CS.Princeton.EDU> wrote 
 a message of 37 lines which said:

> How does this interact with the presence of certificates for
> supernets, though?  That is, suppose an ISP creates a legitimate ROA
> for, after ensuring that all of its customers have
> legitimate ROAs for the various subnets of  Now, suppose
> one of these customers has its legitimate ROA revoked by a court
> order.  Would the legitimate announcement of that subnet (originated
> by the customer's ASN) still result in UNKNOWN status, or would it
> look like a sub-prefix hijack because the announcement has a
> different ASN than the matching prefix?

The second (and therefore Alex Band's example is not good). But it
depends on the value of the MaxLength attribute in the ROA
(section 3.3 of RFC 6482).

If, in the future, RIRs or operators create ROAs for all the blocks
they manage, revocation of a ROA will be deadly.
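The check the two messages are arguing about, written out as an added example (not code from the original post or from any RPKI validator): the RFC 6811 route origin validation rule, where a ROA "covers" a route when the route prefix lies inside the ROA prefix, and "matches" it only when the route length is also within maxLength and the origin ASN is equal. Every prefix, AS number and ROA below is constructed for illustration. It walks the scenario from the quoted question: while both the ISP's supernet ROA and the customer's subnet ROA exist, the customer's announcement is Valid; once the customer's ROA is revoked, the same announcement becomes Invalid rather than NotFound, because the ISP's ROA still covers it. The last two cases show what maxLength does and does not change: it decides whether the ISP's own more-specific announcements validate, but it never relaxes the ASN comparison (RFC 6811 section 2), so a different origin ASN under a covering ROA stays Invalid.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    """A validated ROA payload (VRP): prefix, maxLength, authorized origin ASN."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation of one BGP route against a set of ROAs.

    Returns "Valid", "Invalid" or "NotFound".
    """
    route = ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        # A ROA covers the route if the route prefix is identical to or more
        # specific than the ROA prefix; maxLength plays no role in coverage.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # It matches only if the route length is within maxLength AND the
        # origin ASN is the one the ROA authorizes.
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "Valid"
    # Covered by at least one ROA but matched by none: a (sub-)prefix hijack
    # looks exactly like this. No covering ROA at all: the route is unknown.
    return "Invalid" if covered else "NotFound"


# Constructed scenario (private AS numbers and RFC 1918 space, not real data).
ISP_ASN = 64500
CUSTOMER_ASN = 64501
ISP_ROA = ROA("10.1.0.0/16", 16, ISP_ASN)          # supernet, maxLength = 16
CUSTOMER_ROA = ROA("10.1.5.0/24", 24, CUSTOMER_ASN)  # customer's subnet


def scenario() -> dict:
    """Run the thread's cases and return the validation state of each."""
    customer_route = ("10.1.5.0/24", CUSTOMER_ASN)
    return {
        # Both ROAs present: the customer's route matches its own ROA.
        "both_roas": validate(*customer_route, [ISP_ROA, CUSTOMER_ROA]),
        # Customer ROA revoked: still covered by the ISP ROA, no match.
        "customer_roa_revoked": validate(*customer_route, [ISP_ROA]),
        # No ROA covers the route at all: NotFound, as before RPKI.
        "no_roas": validate(*customer_route, []),
        # ISP originates its own /24 under a maxLength-16 ROA: too long.
        "isp_more_specific_tight": validate("10.1.7.0/24", ISP_ASN, [ISP_ROA]),
        # Same, but the ISP ROA carries maxLength 24: now it matches.
        "isp_more_specific_loose": validate(
            "10.1.7.0/24", ISP_ASN, [ROA("10.1.0.0/16", 24, ISP_ASN)]),
        # A generous maxLength does not help a different origin ASN.
        "customer_under_loose_isp_roa": validate(
            *customer_route, [ROA("10.1.0.0/16", 24, ISP_ASN)]),
    }


if __name__ == "__main__":
    for case, state in scenario().items():
        print(f"{case:32s} {state}")
```

Note that the function returns "Invalid" as soon as any ROA covers the route without matching it, which is why deleting one leaf ROA under an existing supernet ROA flips a customer from Valid straight to Invalid, skipping NotFound entirely. A router configured to drop Invalid routes would then withdraw a perfectly legitimate announcement, which is the failure mode the reply above calls deadly.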

More information about the NANOG mailing list