rpki vs. secure dns?

Brandon Butterworth brandon at rd.bbc.co.uk
Sun Apr 29 11:21:23 CDT 2012

> Thus, removing a certificate or ROA *does NOT* result in an RPKI INVALID
> route announcement; the result is RPKI UNKNOWN.

Which is fine until UNKNOWNs are no longer permitted, a logical next
step. It may not apply globally, initially perhaps just a US anti
terrorist measure requiring all networks in the USA do it.

> The only way a court order could make a route announcement get the
> RPKI status *INVALID* would be to:
> 1: Remove the original, legitimate ROA
> 2: Tamper with the Registry, inject a false ROA authorizing another
> AS to make the announcement look like a hijack

Domains already get FBI hijacked so this seems plausible too.

> All in all, for an RPKI-specific court order to be effective in
> taking a network offline, the RIR would have to tamper with the
> registry, inject false data and try to make sure it's not detected so
> nobody applies a local override.

Doesn't need to be undetected, more likely it'll be quite overt
and have a big don't mess FBI entry in the RIR similar to


More information about the NANOG mailing list