rpki vs. secure dns?

Phil Regnauld regnauld at nsrc.org
Sat Apr 28 14:28:43 CDT 2012


Rubens Kuhl (rubensk) writes:
> > In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slide 15-17:
> >
> > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
> 
> The same currently happens with DNSSEC, doing what Comcast calls
> "negative trust anchors":
> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01

	Yes, NTAs was the comparison that came to my mind as well. Or even
	in classic DNS, overriding with stubs. You will get bitten by a bogus/
	flawed ROA, but you'll have to the chance to mitigate it. Any kind of
	centralized mechanism like this is subject to these risks, no matter
	what the distribution mechanism is.



More information about the NANOG mailing list