rpki vs. secure dns?

Matthias Waehlisch waehlisch at ieee.org
Sun Apr 29 14:40:17 CDT 2012

On Sun, 29 Apr 2012, Stephane Bortzmeyer wrote:

> > How does this interact with the presence of certificates for 
> > supernets, though?  That is, suppose an ISP creates a legitimate ROA 
> > for, after ensuring that all of its customers have 
> > legitimate ROAs for the various subnets of  Now, suppose 
> > one of these customers has its legitimate ROA revoked by a court 
> > order.  Would the legitimate announcement of that subnet (originated 
> > by the customer's ASN) still result in UNKNOWN status, or would it 
> > look like a sub-prefix hijack because the announcement has a 
> > different ASN than the matching prefix?
> The second (and therefore Alex Band's example is not good). But it 
> depends on the value of the MaxLength attribute in the ROA 
> (section 3.3 of RFC 6482).
  unclear as the scenario doesn't depend on the maxLength (wrt the 
current specs). If there are valid covering ROAs in the RPKI and none of 
them match in the origin AS (customer ROA removed), the route prefix is 

  The scenario is similar to the case in which the ISP starts to create 
a ROA for a superblock before the customer adds its route prefix into 
the RPKI ... this happened with AT&T during testing, for example, 


Matthias Waehlisch
.  Freie Universitaet Berlin, Inst. fuer Informatik, AG CST
.  Takustr. 9, D-14195 Berlin, Germany
.. mailto:waehlisch at ieee.org .. http://www.inf.fu-berlin.de/~waehl
:. Also: http://inet.cpt.haw-hamburg.de .. http://www.link-lab.net
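The outcome the thread is arguing about follows directly from how RPKI route origin validation defines "covering" and "matching" ROAs. The following Python is an added example, not code from the original post or from any RPKI validator: it implements the RFC 6483 validation states (valid, invalid, not-found) over a constructed ROA set and replays the scenario above. The prefixes (192.0.2.0/24 and its /25 sub-block) and the AS numbers (64500 for the ISP, 64501 for the customer) are documentation values chosen for the example, not anything from the thread.

```python
"""RFC 6483-style route origin validation over a small, constructed ROA set.

States:
  valid     - at least one ROA covers the route, matches its length (<= maxLength)
              and names the route's origin AS
  invalid   - at least one ROA covers the route, but none matches
  not-found - no ROA covers the route at all
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block named in the ROA
    max_length: int   # RFC 6482 maxLength attribute
    origin_as: int    # AS authorised to originate routes under this ROA


def validate(route_prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not-found' for a (prefix, origin AS) pair."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version != route.version:
            continue
        # A ROA "covers" a route when the route's address range lies inside the
        # ROA prefix; maxLength plays no part in coverage, only in matching.
        if not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA "matches" only if the route is not longer than maxLength
        # and the origin AS is the one the ROA authorises.
        if route.prefixlen <= roa.max_length and roa.origin_as == origin_as:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed scenario: ISP AS64500 holds a ROA for the supernet, customer
# AS64501 originates a more-specific sub-block.
ISP_AS = 64500
CUSTOMER_AS = 64501
CUSTOMER_ROA = ROA("192.0.2.128/25", 25, CUSTOMER_AS)


def customer_route_state(customer_roa_present, isp_max_length=24):
    """State of the customer's own announcement with/without its ROA in the RPKI."""
    roas = [ROA("192.0.2.0/24", isp_max_length, ISP_AS)]
    if customer_roa_present:
        roas.append(CUSTOMER_ROA)
    return validate("192.0.2.128/25", CUSTOMER_AS, roas)


if __name__ == "__main__":
    # Customer ROA present: its announcement is valid.
    print("customer ROA present:", customer_route_state(True))
    # Customer ROA revoked: the ISP's supernet ROA still covers the /25, no ROA
    # matches AS64501, so the route is invalid, and it stays invalid whether the
    # ISP's maxLength is 24 or 25. This is the point made in the reply above.
    print("customer ROA removed, ISP maxLength 24:", customer_route_state(False, 24))
    print("customer ROA removed, ISP maxLength 25:", customer_route_state(False, 25))
    # Where maxLength does matter: the ISP itself originating the /25.
    print("ISP originates /25, maxLength 24:",
          validate("192.0.2.128/25", ISP_AS, [ROA("192.0.2.0/24", 24, ISP_AS)]))
    print("ISP originates /25, maxLength 25:",
          validate("192.0.2.128/25", ISP_AS, [ROA("192.0.2.0/24", 25, ISP_AS)]))
    # No covering ROA at all: not-found (what the question calls UNKNOWN).
    print("uncovered prefix:",
          validate("198.51.100.0/24", ISP_AS, [ROA("192.0.2.0/24", 24, ISP_AS)]))
```

The two `customer_route_state(False, ...)` calls are the crux: once the customer's ROA is gone, the ISP's supernet ROA covers the sub-block regardless of its maxLength, and because no covering ROA names AS64501 the announcement becomes invalid rather than not-found. maxLength only changes the verdict when the origin AS already matches a covering ROA, as the last two `validate` calls show.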
