rpki vs. secure dns?
David Conrad
drc at virtualized.org
Tue May 29 14:21:35 UTC 2012
On May 29, 2012, at 4:02 AM, paul vixie wrote:
>>> i can tell more than that. rover is a system that only works at all
>>> when everything everywhere is working well, and when changes always
>>> come in perfect time-order,
>> Exactly like DNSSEC.
>
> no. dnssec for a response only needs that response's delegation and
> signing path to work, not "everything everywhere".
My impression was that ROVER does not need "everything, everywhere" to work to fetch the routing information for a particular prefix -- it merely needs sufficient routing information to follow the delegation and signing path for the prefix it is looking up. However, I'll admit I haven't looked into this in any particular depth so I'm probably wrong.
Regards,
-drc
More information about the NANOG
mailing list