On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jab...@hopcount.ca> wrote:
>
> On 2011-01-24, at 20:24, Danny McPherson wrote:
>
>> <separate subject>
>> Beginning to wonder why, with work like DANE and certificates in DNS
>> in the IETF, we need an RPKI and new hierarchical shared dependency
>> system at all and can't just place ROAs in in-addr.arpa zone files that are
>> DNSSEC-enabled.

<snip>

> But what about this case?
>
> RIR allocates 10.0.0.0/8 to A
> A allocates 10.0.0.0/16 to B
> B allocates 10.0.0.0/24 to C
>
> In this case the DNS delegations go directly from RIR to C; there's no
> opportunity for A or B to sign intermediate zones, and
> hence no opportunity for them to indicate the legitimacy of the allocation.
It's not the best example, but I know that at UUNET there were plenty of examples of the in-addr tree not really following the BGP path.

-chris
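The structural point in Joe's example (that only parties operating a signed zone on the in-addr.arpa delegation path ever get to assert anything about a prefix) can be made concrete with a small model. The following is an added example written for this page, not code from anyone in the thread. The holders RIR, A, B and C and the three prefixes are taken from Joe's message; the two zone layouts, and the use of a single "RIR" operator for in-addr.arpa itself, are simplifying assumptions of the model.

```python
"""Model of allocation chain vs. in-addr.arpa delegation path (added example).

Assumptions (not from the thread): in-addr.arpa is treated as a single
zone run by "RIR"; a holder can publish a signed assertion about a prefix
only if it operates a zone that sits on the delegation path to the prefix's
reverse zone.
"""
import ipaddress

# Allocation chain from Joe Abley's example, top down: (holder, prefix).
ALLOCATIONS = [("A", "10.0.0.0/8"), ("B", "10.0.0.0/16"), ("C", "10.0.0.0/24")]


def reverse_zone(prefix: str) -> str:
    """Map an octet-aligned IPv4 prefix to the in-addr.arpa zone that covers it.

    10.0.0.0/8 -> 10.in-addr.arpa, 10.0.0.0/24 -> 0.0.10.in-addr.arpa.
    Prefixes not on an octet boundary span several zones and are rejected.
    """
    net = ipaddress.IPv4Network(prefix)
    if net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError(f"{prefix}: only /8, /16, /24 and /32 map to one zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ancestors(name: str):
    """Yield name and every enclosing name up to and including in-addr.arpa."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def signing_path(zones: dict, name: str) -> list:
    """Operators of the zones actually cut on the path from `name` to in-addr.arpa.

    `zones` maps zone apex -> operator; a name that is not a zone apex lives
    inside its closest enclosing zone and contributes no signer of its own.
    """
    return [zones[z] for z in ancestors(name) if z in zones]


def unattested_allocators(allocations: list, zones: dict) -> list:
    """Holders in the allocation chain who operate no zone on the signing path.

    These are the parties that, under a put-ROAs-in-DNS scheme, would have no
    signed zone in which to attest the sub-allocation they made.
    """
    leaf = reverse_zone(allocations[-1][1])
    signers = set(signing_path(zones, leaf))
    return [holder for holder, _ in allocations if holder not in signers]


# Layout 1 (Joe's case): the registry delegates 0.0.10.in-addr.arpa straight
# to C; 10.in-addr.arpa and 0.10.in-addr.arpa are plain names inside the
# registry's zone, not zone cuts, so A and B sign nothing.
DIRECT_DELEGATION = {"in-addr.arpa": "RIR", "0.0.10.in-addr.arpa": "C"}

# Layout 2: delegations mirror the allocation chain exactly.
ALLOCATION_FOLLOWING = {"in-addr.arpa": "RIR",
                        **{reverse_zone(p): h for h, p in ALLOCATIONS}}


if __name__ == "__main__":
    leaf = reverse_zone(ALLOCATIONS[-1][1])
    for label, zones in (("direct RIR->C", DIRECT_DELEGATION),
                         ("follows allocation", ALLOCATION_FOLLOWING)):
        print(f"{label}: signers on path to {leaf}: {signing_path(zones, leaf)}; "
              f"allocators with no signed zone: {unattested_allocators(ALLOCATIONS, zones)}")
```

With the direct delegation the only signers on the path to 0.0.10.in-addr.arpa are C and the registry, so A and B drop out of the chain of attestation entirely; the same code with the allocation-following layout shows every holder on the path. Real reverse trees, as Chris notes, frequently look like the first layout rather than the second.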