rpki vs. secure dns?

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Apr 29 11:37:59 CDT 2012


On Sun, Apr 29, 2012 at 11:28:58AM -0400,
 Jennifer Rexford <jrex at CS.Princeton.EDU> wrote 
 a message of 37 lines which said:

> How does this interact with the presence of certificates for
> supernets, though?  That is, suppose an ISP creates a legitimate ROA
> for 12.0.0.0/8, after ensuring that all of its customers have
> legitimate ROAs for the various subnets of 12.0.0.0/8.  Now, suppose
> one of these customers has its legitimate ROA revoked by a court
> order.  Would the legitimate announcement of that subnet (originated
> by the customer's ASN) still result in UNKNOWN status, or would it
> look like a sub-prefix hijack because the announcement has a
> different ASN than the matching 12.0.0.0/8 prefix?

The second (and therefore Alex Band's example is not good). But it
depends on the value of the MaxLength attribute in the 12.0.0.0/8 ROA
(section 3.3 of RFC 6482).

If, in the future, RIRs or operators create ROAs for all the blocks
they manage, revocation of a ROA will be deadly.



More information about the NANOG mailing list