On Jan 24, 2011, at 10:31 PM, Christopher Morrow wrote:

> On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jab...@hopcount.ca> wrote:
>>
>> On 2011-01-24, at 20:24, Danny McPherson wrote:
>>
>>> <separate subject>
>>> Beginning to wonder why, with work like DANE and certificates in DNS
>>> in the IETF, we need an RPKI and new hierarchical shared dependency
>>> system at all and can't just place ROAs in in-addr.arpa zone files that are
>>> DNSSEC-enabled.
> <snip>
>> But what about this case?
>>
>> RIR allocates 10.0.0.0/8 to A
>> A allocates 10.0.0.0/16 to B
>> B allocates 10.0.0.0/24 to C
>>
>> In this case the DNS delegations go directly from RIR to C; there's no
>> opportunity for A or B to sign intermediate zones, and
>> hence no opportunity for them to indicate the legitimacy of the allocation.
>
> it's not the best example, but I know that at UUNET there were plenty
> of examples of the in-addr tree not really following the BGP path.

The other essential point is that routers don't do RPKI queries in real-time; rather, they have a copy of the entire RPKI database, which they update as needed. In other words, the operational model doesn't fit the way the DNS works.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
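The "routers hold a copy of the whole database" model Bellovin describes means route origin validation is a purely local lookup against a validated cache of ROA payloads (prefix, maximum length, origin AS), with no per-route query to any external service. The following is an added illustration, not code from this thread or from any router vendor: it applies the RFC 6811 origin-validation algorithm (Valid / Invalid / NotFound) to a constructed cache built from Joe Abley's allocation chain above. The AS numbers (64500, 64502, 64511) and the ROA contents are invented for the example; in a real deployment the cache would be fed by a validator over the RPKI-to-Router protocol rather than hard-coded.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """A validated ROA payload: prefix, maximum prefix length, origin AS."""

    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    max_length: int
    asn: int


def vrp(prefix: str, max_length: int, asn: int) -> VRP:
    return VRP(ipaddress.ip_network(prefix), max_length, asn)


# Constructed local cache (assumption: the router has already received the
# full set of VRPs from a validator). It mirrors Abley's chain: the RIR's
# allocation to A (10.0.0.0/8) is covered by a ROA for A's AS, and C's
# sub-allocation (10.0.0.0/24) by a ROA for C's AS. B issued no ROA.
LOCAL_CACHE = [
    vrp("10.0.0.0/8", 8, 64500),    # A announces the aggregate only
    vrp("10.0.0.0/24", 24, 64502),  # C announces its /24
]


def covers(v: VRP, route: ipaddress.IPv4Network | ipaddress.IPv6Network) -> bool:
    """A VRP covers a route when the route's prefix lies inside the VRP prefix."""
    return route.version == v.prefix.version and route.subnet_of(v.prefix)


def validate(prefix: str, origin_asn: int, cache=LOCAL_CACHE) -> str:
    """RFC 6811 origin validation against a local cache; no network lookups.

    NotFound: no VRP covers the prefix.
    Valid:    some covering VRP has the same origin AS and a maxLength that
              permits this prefix length.
    Invalid:  covering VRPs exist but none matches (wrong AS, or the
              announcement is more specific than any matching ROA allows).
    """
    route = ipaddress.ip_network(prefix)
    covering = [v for v in cache if covers(v, route)]
    if not covering:
        return "NotFound"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


def validate_table(routes, cache=LOCAL_CACHE) -> dict:
    """Validate a batch of (prefix, origin AS) pairs, as a router would on
    receipt of updates or on a cache change."""
    return {(p, a): validate(p, a, cache) for p, a in routes}


if __name__ == "__main__":
    # Constructed sample announcements.
    sample = [
        ("10.0.0.0/8", 64500),    # A's aggregate
        ("10.0.0.0/24", 64502),   # C's legitimate /24
        ("10.0.0.0/24", 64500),   # A originating C's /24: more specific than its ROA allows
        ("10.1.0.0/16", 64511),   # hijack of space covered only by A's ROA
        ("192.0.2.0/24", 64500),  # no ROA at all
    ]
    for (p, a), state in validate_table(sample).items():
        print(f"{p:<14} AS{a}: {state}")
```

The distinction that matters operationally is that every answer here comes from state the router already holds; a cache that is stale or unreachable degrades to NotFound rather than to a failed real-time query, which is the behaviour a DNS-lookup model would not give you.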