rpki vs. secure dns?

Alex Band alexb at ripe.net
Sat Apr 28 18:14:27 UTC 2012


On 28 Apr 2012, at 19:45, Nick Hilliard wrote:

> On 28/04/2012 18:27, Phil Regnauld wrote:
>> 	To me that seems like the most obvious problem, but as Alex put it,
>> 	"Everyone has the ability to apply an override on data they do not trust,
>> 	or have a specific local policy for."
> 
> So what do you suggest to do with a roa lookup which returns "Invalid"?

In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17:

https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf

-Alex



More information about the NANOG mailing list