rpki vs. secure dns?
bortzmeyer at nic.fr
Sun Apr 29 11:37:59 CDT 2012
On Sun, Apr 29, 2012 at 11:28:58AM -0400,
Jennifer Rexford <jrex at CS.Princeton.EDU> wrote
a message of 37 lines which said:
> How does this interact with the presence of certificates for
> supernets, though? That is, suppose an ISP creates a legitimate ROA
> for 220.127.116.11/8, after ensuring that all of its customers have
> legitimate ROAs for the various subnets of 18.104.22.168/8. Now, suppose
> one of these customers has its legitimate ROA revoked by a court
> order. Would the legitimate announcement of that subnet (originated
> by the customer's ASN) still result in UNKNOWN status, or would it
> look like a sub-prefix hijack because the announcement has a
> different ASN than the matching 22.214.171.124/8 prefix?
The second (and therefore Alex Band's example is not good). But it
depends on the value of the MaxLength attribute in the 126.96.36.199/8 ROA
(section 3.3 of RFC 6482).
If, in the future, RIRs or operators create ROAs for all the blocks
they manage, revocation of a ROA will be deadly.
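The validation outcomes discussed above follow from the route origin validation procedure in RFC 6811: a ROA "covers" a route when the route's prefix lies inside the ROA prefix; it "matches" when, in addition, the route's prefix length does not exceed the ROA's MaxLength and the origin AS equals the ROA's AS. A route with no covering ROA is NotFound (the state the thread calls UNKNOWN), a route with at least one matching ROA is Valid, and a route that is covered but never matched is Invalid. The following Python is an added example, not code from the list or from any RPKI validator; the ASNs (64500 for the ISP, 64501 for the customer) and the 10.0.0.0/8 and 10.1.0.0/16 prefixes are constructed sample values standing in for the addresses in the quoted message.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization: prefix, MaxLength (RFC 6482 s3.3), origin AS."""
    prefix: str
    max_length: int
    asn: int


def validate(route_prefix: str, origin_asn: int, roas) -> str:
    """Return 'Valid', 'Invalid' or 'NotFound' for a route per RFC 6811 section 2."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version != route.version:
            continue  # an IPv6 ROA never covers an IPv4 route and vice versa
        if not route.subnet_of(roa_net):
            continue  # this ROA does not cover the route at all
        covered = True
        # Covered: the route is Valid only if length and origin AS both match
        if route.prefixlen <= roa.max_length and origin_asn == roa.asn:
            return "Valid"
    # Covered by some ROA but matched by none -> Invalid; no covering ROA -> NotFound
    return "Invalid" if covered else "NotFound"


# Constructed sample values (not from the thread): an ISP holding a /8 and one
# customer announcing a /16 out of it from its own AS.
ISP_AS = 64500
CUSTOMER_AS = 64501
ISP_ROA = Roa("10.0.0.0/8", 8, ISP_AS)
CUSTOMER_ROA = Roa("10.1.0.0/16", 16, CUSTOMER_AS)


def customer_route_states() -> dict:
    """The customer's /16 announcement under the situations raised in the thread."""
    return {
        # Both ROAs published: the customer's own ROA matches.
        "both_roas": validate("10.1.0.0/16", CUSTOMER_AS, [ISP_ROA, CUSTOMER_ROA]),
        # Customer ROA revoked: the /8 ROA still covers the /16, but the origin AS
        # differs, so the result is Invalid rather than NotFound.
        "customer_roa_revoked": validate("10.1.0.0/16", CUSTOMER_AS, [ISP_ROA]),
        # No ROA covers the route at all: NotFound (UNKNOWN in the thread's wording).
        "no_covering_roa": validate("10.1.0.0/16", CUSTOMER_AS, []),
        # A more-specific /24 from a third AS while the customer ROA exists:
        # covered by both ROAs, matched by neither (a sub-prefix hijack pattern).
        "more_specific_other_as": validate("10.1.0.0/24", 64666, [ISP_ROA, CUSTOMER_ROA]),
    }


def isp_fallback_states() -> dict:
    """How the /8 ROA's MaxLength decides whether the ISP itself may originate the /16."""
    tight = Roa("10.0.0.0/8", 8, ISP_AS)   # MaxLength 8: only the /8 itself
    loose = Roa("10.0.0.0/8", 16, ISP_AS)  # MaxLength 16: /8 down to /16 from the ISP AS
    return {
        "isp_originates_maxlen_8": validate("10.1.0.0/16", ISP_AS, [tight]),
        "isp_originates_maxlen_16": validate("10.1.0.0/16", ISP_AS, [loose]),
        # Raising MaxLength does not help the customer AS: the AS still differs.
        "customer_originates_maxlen_16": validate("10.1.0.0/16", CUSTOMER_AS, [loose]),
    }


if __name__ == "__main__":
    for name, state in {**customer_route_states(), **isp_fallback_states()}.items():
        print(f"{name:32s} {state}")
```

The two result tables make the thread's point concrete: once a covering ROA exists, a revoked more-specific ROA turns a previously Valid announcement into Invalid, not NotFound, and the /8 ROA's MaxLength only governs which lengths the ISP's own AS may originate.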