[arin-announce] ARIN Resource Certification Update

Osterweil, Eric eosterweil at verisign.com
Thu Jan 27 19:51:11 CST 2011


Sorry to be Johnny-come-lately to this...


On 1/24/11 6:31 PM, "Randy Bush" <randy at psg.com> wrote:

>> Right, I've heard the circular dependency arguments.  So, are you
>> suggesting the RPKI isn't going to rely on DNS at all?
> 
> correct.  it need not.

Maybe I am misunderstanding something here...  Are (for example) the rsync
processes going to use hard coded IPs?  Are the SIAs and AIAs referenced by
IP?

> 
>> I'm of the belief RPKI should NOT be on the critical path, but instead
>> focus on Internet number resource certification - are you suggesting
>> otherwise?
> 
> <channeling steve kent>
> see the word 'certification'?  guess where that leads.  pki.  add
> resources and stir.

Sounds like a loose definition of pki.  Does DNSSEC count as such a loosely
defined pki? :-P

> 
>>> if the latter, then you have the problem that the dns trust model is
>>> not congruent with the routing and address trust model.
>> That could be easily fixed with trivial tweaks and transitive trust/
>> delegation graphs that are, I suspect.
> 
> not bloody likely.  the folk who sign dns zones are not even in the same
> building as the folk who deal with address space.  in large isps, not
> even in the same town.

Why does this stop the whole thing short?  I think the people who run any
as-yet-to-be-developed-and-deployed system don't sit in any building at
all... Yet, right? :)

Tbqh, I think I might be missing something important (so, please forgive my
ignorance), but I don't see how (for example) admins of the SMTP
infrastructure have trouble getting their MX records right in DNS zones...
How is getting certs in there so much worse?

Eric
 




