[arin-announce] ARIN Resource Certification Update

Christopher Morrow morrowc.lists at gmail.com
Tue Jan 25 03:31:30 UTC 2011


On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jabley at hopcount.ca> wrote:
>
> On 2011-01-24, at 20:24, Danny McPherson wrote:
>
>> <separate subject>
>> Beginning to wonder why, with work like DANE and certificates in DNS
>> in the IETF, we need an RPKI and new hierarchical shared dependency
>> system at all and can't just place ROAs in in-addr.arpa zone files that are
>> DNSSEC-enabled.
<snip>
> But what about this case?
>
>  RIR allocates 10.0.0.0/8 to A
>  A allocates 10.0.0.0/16 to B
>  B allocates 10.0.0.0/24 to C
>
> In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and
> hence no opportunity for them to indicate the legitimacy of the allocation.

it's not the best example, but I know that at UUNET there were plenty
of examples of the in-addr tree not really following the BGP path.

-chris




More information about the NANOG mailing list