rpki vs. secure dns?

Paul Vixie vixie at isc.org
Mon May 28 20:59:28 UTC 2012


more "threads from the crypt" as i catch up to 6000 missed nanog posts.

"Dobbins, Roland" <rdobbins at arbor.net> writes:

> On Apr 28, 2012, at 5:17 PM, Saku Ytti wrote:
>
>> People might scared to rely on DNS on accepting routes, but is this
>> really an issue?
>
> Yes, recursive dependencies are an issue.  I'm really surprised that
> folks are even seriously considering something like this, but OTOH, this
> sort of thing keeps cropping up in various contexts from time to time,
> sigh.

so, first, i think you mean circular dependencies, not recursive dependencies.

second, i'd agree that that's probably bad engineering.

third, rsync's dependencies on routing (as in the RPKI+ROA case) are not
circular (which i think was david conrad's point but i'll drag it to here.)

my reason for not taking ROVER seriously is that route filter preparation
is an essentially offline activity -- you do it from a cron job not "live".
and to do this you have to know in advance what policy data is available
which may or may not have the same coverage as "the routes you will receive
between one cron job and the next".

we could in other words use DNS to store route policy data if we wanted to
use a recursive zone transfer of all policy zones, as a replacement for
rsync. (but why would we do this? we have rsync, which worked for IRR data
for many years.)

ROVER expects that we will query for policy at the instant of need. that's
nuts for a lot of reasons, one of which is its potentially and unmanageably
circular dependency on the acceptance of a route you don't know how to
accept or reject yet.

my take-away from this thread is: very few people take RPKI seriously, but
even fewer take ROVER seriously.

-- 
Paul Vixie
KI6YSY
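
The two validation models contrasted in the post above, as an added example that is not part of the original message nor of any RPKI or ROVER implementation: a toy "offline" validator whose ROA cache is refreshed by a periodic job (the rsync-from-cron case) beside a toy "live" validator that fetches policy at the instant a route arrives. The origin-validation check itself follows RFC 6811 (covering ROA, origin AS, maxLength). All ROAs, prefixes, AS numbers, server addresses and the `OfflineValidator`, `LiveValidator` and `demo` names are constructed for illustration; the "policy server inside the prefix being judged" case is the circular dependency the post describes, reported here as `Unresolvable`.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class ROA:
    prefix: IPv4Network
    max_length: int
    origin_as: int


def validate_origin(prefix: IPv4Network, origin_as: int, roas) -> str:
    """RFC 6811 origin validation: Valid / Invalid / NotFound."""
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"
    for r in covering:
        if r.origin_as == origin_as and prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"


class OfflineValidator:
    """Filter built by a periodic job from a full copy of the repository."""

    def __init__(self):
        self.cache = []

    def cron_refresh(self, repository):
        # what an rsync pull does: copy everything published so far
        self.cache = list(repository)

    def check(self, prefix, origin_as):
        # only the snapshot is consulted; nothing is fetched at decision time
        return validate_origin(prefix, origin_as, self.cache)


class LiveValidator:
    """ROVER-like: look the policy up at the moment the route arrives."""

    def __init__(self, policy_servers, rib):
        # policy_servers: covering prefix -> (server address, ROAs it serves)
        self.policy_servers = policy_servers
        self.rib = rib  # prefixes this router has already accepted

    def reachable(self, addr):
        return any(addr in p for p in self.rib)

    def check(self, prefix, origin_as):
        for covering, (server, roas) in self.policy_servers.items():
            if prefix.subnet_of(covering):
                if not self.reachable(server):
                    # the route is needed to reach the server that decides the route
                    return "Unresolvable"
                return validate_origin(prefix, origin_as, roas)
        return "NotFound"


def demo():
    # constructed ROAs: repository state at the time the cron job last ran
    snapshot = [ROA(ip_network("192.0.2.0/24"), 24, 64496)]
    offline = OfflineValidator()
    offline.cron_refresh(snapshot)

    results = {}
    results["valid"] = offline.check(ip_network("192.0.2.0/24"), 64496)
    results["wrong_as"] = offline.check(ip_network("192.0.2.0/24"), 64498)
    results["too_long"] = offline.check(ip_network("192.0.2.0/25"), 64496)

    # a ROA published after the snapshot: coverage gap until the next run
    repository = snapshot + [ROA(ip_network("198.51.100.0/24"), 24, 64497)]
    results["gap_before"] = offline.check(ip_network("198.51.100.0/24"), 64497)
    offline.cron_refresh(repository)
    results["gap_after"] = offline.check(ip_network("198.51.100.0/24"), 64497)

    # live lookup where the policy server sits inside the prefix being judged
    judged = ip_network("203.0.113.0/24")
    policy_servers = {
        judged: (ip_address("203.0.113.53"), [ROA(judged, 24, 64499)]),
    }
    live = LiveValidator(policy_servers, rib={ip_network("192.0.2.0/24")})
    results["circular"] = live.check(judged, 64499)

    # same record served from an already-accepted prefix: the lookup completes
    policy_servers[judged] = (ip_address("192.0.2.53"), policy_servers[judged][1])
    results["resolvable"] = live.check(judged, 64499)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `gap_before`/`gap_after` pair is the point about policy coverage between two cron runs: the offline filter answers NotFound (not Invalid) for a prefix whose ROA it has not yet copied, so the operator's treatment of NotFound decides what happens in the gap. The `circular` case is the live-lookup problem: the validator cannot decide the route without an answer it can only obtain after deciding the route.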
