AS8584 taking over the internet
Sean M. Doran
smd at clock.org
Thu Apr 9 23:36:19 UTC 1998
Scott, the DNS is in this use simply a distributed database,
that with DNSSEC seems reasonably secure.
The hierarchy in the DNS-protocol-using distributed database used for
IP address to origin AS mapping need not branch off the DNS-protocol-
using distributed database used for domain name->address mapping and
the like, which we normally just call the DNS.
Remember moreover that what one is doing is simply grabbing entries
from a distributed database which can be used to synthesize a
table which would be consulted by BGP border routers in determining
whether to accept or reject a route.
One could conceivably have a single zone which could be snarfed
from well known places using the latest in authenticated
file transfers. However, decentralization of work already
happens in the transfer of IP address blocks from regional
registries to local registries to more local registries still,
and it seems to make sense to simultaneously distribute the work
of maintaining the address-block-to-originating-AS map as well.
Therefore, what one wants is a "root" which one can find at
well known places and can retrieve using the latest in authenticated
file transfers, and which allows one to follow an authenticated
tree of delegated zones in building a local table of mappings.
Whether this "root" is really a parallel "." or something else
seems academic; one will require the same mechanism to retrieve
a cryptographically-authenticated copy of the "root" from well
known sources that can prove, cryptographically, who they are.
The solution proposed is incomplete, certainly, but not because
of possible political instabilities in what we call the DNS.
I am not sure why you raise the issue of trusting IP registries
to delegate authority for any given subzone along with the
addresses themselves. This doesn't seem to make sense.
Perhaps you could explain this concern a little more concretely?
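The design sketched in the message above (a "root" obtained from a well known place, an authenticated tree of delegated zones beneath it, and a flattened address-block-to-origin-AS table that a border router's import policy consults) can be made concrete with a small model. The following is an added example, not code from the original post or from any NANOG participant. It assumes a content digest published by each parent for every delegated child, standing in for the cryptographic authentication the message has in mind (real deployments would use public-key signatures, as DNSSEC does with DS records); the prefixes and AS numbers are taken from the documentation ranges (RFC 5737 TEST-NETs, AS64496-64511) and are constructed for the illustration. It also enforces the scope rule implicit in the thread: a child zone may only assert origins for addresses inside the block its parent delegated to it.

```python
"""Toy authenticated delegation tree of address-block -> origin-AS mappings,
flattened into a table that a BGP import policy consults.

Model (an illustration, not a real protocol): each zone is a JSON object whose
identity is its SHA-256 digest. A parent zone delegates a sub-block by
publishing the child's digest, so a verifier holding only the root digest
(the trust anchor, fetched from a well known place) can check every zone it
walks down to. Digests stand in for signatures here.
"""
import hashlib
import ipaddress
import json


def zone_digest(zone):
    """Content-addressed identity of a zone: SHA-256 over canonical JSON."""
    return hashlib.sha256(json.dumps(zone, sort_keys=True).encode()).hexdigest()


def make_zone(prefix, origins, children):
    """Build a zone covering `prefix`. `origins` maps sub-prefixes to an
    origin ASN; `children` are already-built child zones this zone delegates
    to, recorded only by digest (the parent vouches for the child's content)."""
    return {
        "prefix": prefix,
        "origins": dict(origins),
        "delegations": {child["prefix"]: zone_digest(child) for child in children},
    }


def build_table(root, root_digest, fetch):
    """Walk the tree from the trust anchor. Every zone must match the digest
    its parent published, and every prefix it asserts or delegates must lie
    inside the block the zone itself covers. Returns [(network, asn), ...]
    or raises ValueError on tampering or an out-of-scope assertion."""
    table = []

    def walk(zone, expected_digest, scope):
        if zone_digest(zone) != expected_digest:
            raise ValueError(f"zone {zone['prefix']}: digest mismatch")
        net = ipaddress.ip_network(zone["prefix"])
        if scope is not None and not net.subnet_of(scope):
            raise ValueError(f"zone {net} outside delegated scope {scope}")
        for p, asn in zone["origins"].items():
            pn = ipaddress.ip_network(p)
            if not pn.subnet_of(net):
                raise ValueError(f"origin entry {pn} outside zone {net}")
            table.append((pn, asn))
        for child_prefix, child_digest in zone["delegations"].items():
            walk(fetch(child_prefix), child_digest, net)

    walk(root, root_digest, None)
    return table


def check_route(table, prefix, origin_asn):
    """Import policy: the longest covering entry decides. 'accept' if its
    origin matches the announcement, 'reject' if it does not, 'unknown' if
    nothing in the table covers the announced prefix."""
    net = ipaddress.ip_network(prefix)
    covering = [(n, a) for n, a in table if net.subnet_of(n)]
    if not covering:
        return "unknown"
    _, asn = max(covering, key=lambda entry: entry[0].prefixlen)
    return "accept" if asn == origin_asn else "reject"


def build_demo():
    """Constructed sample tree (documentation prefixes and ASNs, not real
    allocations): root -> registry zone for 192.0.2.0/24 -> LIR zone for
    192.0.2.128/25. Zones are built bottom-up because parents embed digests."""
    lir = make_zone("192.0.2.128/25", {"192.0.2.128/26": 64497}, [])
    registry = make_zone("192.0.2.0/24", {"192.0.2.0/24": 64496}, [lir])
    root = make_zone("0.0.0.0/0", {"198.51.100.0/24": 64498}, [registry])
    store = {z["prefix"]: z for z in (lir, registry, root)}  # what "fetch" returns
    return root, store


def tamper_detected():
    """Serve a forged LIR zone (origin changed to AS64511) from the store and
    confirm the walk rejects it because the parent's digest no longer matches."""
    root, store = build_demo()
    anchor = zone_digest(root)
    forged = dict(store["192.0.2.128/25"])
    forged["origins"] = {"192.0.2.128/26": 64511}
    store["192.0.2.128/25"] = forged
    try:
        build_table(root, anchor, lambda p: store[p])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    root, store = build_demo()
    table = build_table(root, zone_digest(root), lambda p: store[p])
    for prefix, asn in [("192.0.2.128/26", 64497), ("192.0.2.128/26", 64496),
                        ("192.0.2.192/26", 64496), ("203.0.113.0/24", 64496)]:
        print(prefix, asn, "->", check_route(table, prefix, asn))
    print("forged child zone rejected:", tamper_detected())
```

The table is what the message calls the locally synthesized mapping: the router never walks the tree itself, it only consults the flattened result, and the verification cost is paid once per fetch of the delegation tree. The `subnet_of` checks are the point the thread circles around: a registry can only make assertions or delegations for space it was itself delegated, so a compromised or careless sub-registry cannot vouch for blocks outside its own allocation.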