rpki vs. secure dns?

Russ White russw at riw.us
Tue May 1 17:46:08 UTC 2012


> Yes, recursive dependencies are an issue.  I'm really surprised that folks are even seriously considering something like this, but OTOH, this sort of thing keeps cropping up in various contexts from time to time, sigh.

There are only a couple of ways to get past recursive dependencies.

You could simply carry everything in one protocol. This really isn't
practical.

You could develop an overlay protocol that carries the additional
information, so that internal routing is all that's needed to get to the
information you need to build external routing. We already have this, to
some degree today, with IGP/BGP.

You could design a system where most service providers who are likely to
be an upstream would be able to hold the information to kick start a
peer or customer's external routing, so the peer or customer only needs
a default to the upstream to get what they need.

#2 is the most desirable overall, but #3 is what we're most likely to
wind up with in the real world, for various reasons. And I don't know
that #3 is a bad result. There are situations where it won't work
(mostly thinking high mobility environments, or complete system
failures), but these don't seem to be big "stoppers," to me....

But again, here is something that should be brought into the
requirements process in the IETF and discussed as fully as possible, and
then that discussion recorded in a requirements document. AFAIK, it's
never really been discussed seriously, with all the options, advantages,
and disadvantages, enumerated and considered.

Russ

-- 
<><
riwhite at verisign.com
russw at riw.us
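The recursive dependency Russ describes (external routes are only accepted once validated, but the validator's data lives somewhere only reachable over those external routes) can be made concrete as a bootstrap-order problem. The following is an added example, not part of Russ's post or of any RPKI implementation; the step names and the dependency edges are constructed for illustration. It orders bootstrap steps with a topological sort, reports the steps that are stuck behind a cycle, and then applies the post's option #3 (a default route to an upstream that holds the bootstrap data) to show that the cycle disappears.

```python
"""Bootstrap-dependency model for a secure-routing deployment (constructed example).

Each key is a bootstrap step; its value is the set of steps that must complete
first.  A step with no prerequisites can start at once.
"""

# Naive design (constructed): nothing external is accepted before validation,
# but the validator needs DNS and the RPKI cache, both reachable only via
# external routes.  This is the recursive dependency from the thread.
NAIVE_DEPS = {
    "accept_external_routes": {"validate_routes"},
    "validate_routes": {"fetch_roa_data"},
    "fetch_roa_data": {"resolve_cache_name", "reach_rpki_cache"},
    "resolve_cache_name": {"reach_dns"},
    "reach_dns": {"accept_external_routes"},
    "reach_rpki_cache": {"accept_external_routes"},
}


def bootstrap_order(deps):
    """Kahn's topological sort over the step graph.

    Returns (order, blocked): `order` lists steps so that every step follows
    its prerequisites; `blocked` lists steps that can never start because they
    sit on, or behind, a dependency cycle.  Ties are broken alphabetically so
    the result is deterministic.
    """
    nodes = set(deps)
    for prereqs in deps.values():
        nodes |= set(prereqs)
    remaining = {n: set(deps.get(n, ())) for n in nodes}

    order = []
    ready = sorted(n for n, prereqs in remaining.items() if not prereqs)
    while ready:
        step = ready.pop(0)
        order.append(step)
        # Completing `step` satisfies it as a prerequisite everywhere.
        for other, prereqs in remaining.items():
            if step in prereqs:
                prereqs.discard(step)
                if not prereqs:
                    ready.append(other)
        ready.sort()

    blocked = sorted(n for n, prereqs in remaining.items() if prereqs)
    return order, blocked


def apply_upstream_default(deps, reachability_steps):
    """Option #3 from the post: the upstream holds what the peer needs to kick
    start external routing, so the named reachability steps depend only on a
    default route toward that upstream instead of on validated external routes.
    (The step name `install_default_to_upstream` is constructed.)"""
    fixed = {step: set(prereqs) for step, prereqs in deps.items()}
    fixed["install_default_to_upstream"] = set()
    for step in reachability_steps:
        fixed[step] = {"install_default_to_upstream"}
    return fixed


if __name__ == "__main__":
    order, blocked = bootstrap_order(NAIVE_DEPS)
    print("naive design  -> can start:", order or "nothing")
    print("naive design  -> blocked by cycle:", blocked)

    option3 = apply_upstream_default(NAIVE_DEPS, ["reach_dns", "reach_rpki_cache"])
    order, blocked = bootstrap_order(option3)
    print("option #3     -> bootstrap order:", " -> ".join(order))
    print("option #3     -> blocked by cycle:", blocked)
```

With the naive graph every step is blocked, which is the deadlock a router would hit at cold start. After the upstream-default change the same validation chain completes in order, starting from the one step that needs no external state; the same function can be rerun against an option #2 style graph (reachability steps depending on an internal IGP step) to compare the designs the post enumerates.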
