rpki vs. secure dns?

Alex Band alexb at ripe.net
Sat Apr 28 10:34:52 UTC 2012


On 28 Apr 2012, at 11:56, Florian Weimer wrote:

> * Paul Vixie:
> 
>> this seems late, compared to the various commitments made to rpki in
>> recent years. is anybody taking it seriously?
> 
> The idea as such isn't new, this has been floating around for four
> years or more, including at least one Internet draft,
> draft-donnerhacke-sidr-bgp-verification-dnssec.
> 
> I don't know if we can get RPKI to deployment because RIPE and RIPE
> NCC have rather serious issues with it.  On the other hand, there
> doesn't seem to be anything else which keeps RIRs relevant in the
> post-scarcity world, so we'll see what happens.

Could you elaborate on what those issues are? 

I can't speak for ROVER, but judging from Gersh's talk at RIPE64 and the discussion afterwards, it looks like it's just an old idea that was brought to the table again, with a few early adopters experimenting. 

In the linked article Gersh says that RPKI is complex and deployment has been slow. In reality, since the RIRs launched an RPKI production service on 1 Jan 2011, adoption has been incredibly good (for example compared to IPv6 and DNSSEC). More than 1500 ISPs and large organizations worldwide have opted in to the system and requested a resource certificate using the hosted service, or by running an open source package with their own CA.

But it's not just that, these ISPs didn't just blindly get a certificate and walk away. There are over 800 ROAs in the global system, describing more than 2000 prefixes ranging from /24s to /10s, totaling almost 80 million IPv4 addresses worth of BGP announcements. Data quality is really good. All in all, RPKI has really good traction and with native router support in Cisco, Juniper and Quagga, this is only getting better.

Global deployment statistics can be found here: http://certification-stats.ripe.net/
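The post counts ROAs, the prefixes they describe and the addresses they cover; the following added example (not from the post, and not RIPE NCC or any router vendor's code) shows what a router does with such ROAs under RFC 6811 route origin validation and how the "addresses covered" figure is derived. The ROA set and the announcements are constructed sample data using documentation ASNs and test prefixes.

```python
import ipaddress

# Constructed sample ROAs (prefix, maxLength, origin AS); not real RPKI data.
# ASNs 64496-64511 are reserved for documentation.
ROAS = [
    (ipaddress.ip_network("192.0.2.0/24"), 24, 64496),
    (ipaddress.ip_network("198.51.100.0/24"), 24, 64497),
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64496),
    # A /10 whose holder permits de-aggregation down to /16 via maxLength.
    (ipaddress.ip_network("10.0.0.0/10"), 16, 64498),
]


def validate(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'notfound'.

    A ROA covers a route when the ROA prefix contains the route prefix.
    A covering ROA matches when the route is no longer than maxLength and
    the origin AS equals the ROA's AS. Any match -> valid; covered but no
    match -> invalid (hijack or unauthorised de-aggregation); no covering
    ROA at all -> notfound (the holder has not published a ROA).
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        if route.version != roa_prefix.version or not route.subnet_of(roa_prefix):
            continue
        covered = True
        if route.prefixlen <= max_len and origin_asn == roa_asn:
            return "valid"
    return "invalid" if covered else "notfound"


def covered_addresses(roas=ROAS):
    """Distinct IPv4 addresses covered by the ROA set, i.e. the
    'addresses worth of BGP announcements' metric quoted in the post.
    Overlapping ROAs are collapsed first so nothing is counted twice."""
    v4 = [p for p, _, _ in roas if p.version == 4]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(v4))


if __name__ == "__main__":
    # Constructed announcements: (prefix, origin AS) as a router would see them.
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("10.1.0.0/16", 64498), ("10.1.0.0/17", 64498),
                        ("172.16.0.0/12", 64496)]:
        print(f"{prefix} AS{asn}: {validate(prefix, asn)}")
    print("IPv4 addresses covered by ROAs:", covered_addresses())
```

The /25 and /17 announcements are classified invalid because they exceed the ROA's maxLength even though the origin AS is right, which is the check that catches more-specific hijacks.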



More information about the NANOG mailing list