Sorry to be Johnny-come-lately to this...
On 1/24/11 6:31 PM, "Randy Bush" <ra...@psg.com> wrote:

>> Right, I've heard the circular dependency arguments. So, are you
>> suggesting the RPKI isn't going to rely on DNS at all?
>
> correct. it need not.

Maybe I am misunderstanding something here... Are (for example) the rsync processes going to use hard-coded IPs? Are the SIAs and AIAs referenced by IP?

>
>> I'm of the belief RPKI should NOT be on the critical path, but instead
>> focus on Internet number resource certification - are you suggesting
>> otherwise?
>
> <channeling steve kent>
> see the word 'certification'? guess where that leads. pki. add
> resources and stir.

Sounds like a loose definition of pki. Does DNSSEC count as such a loosely defined pki? :-P

>
>>> if the latter, then you have the problem that the dns trust model is
>>> not congruent with the routing and address trust model.
>> That could be easily fixed with trivial tweaks and transitive trust/
>> delegation graphs that are, I suspect.
>
> not bloody likely. the folk who sign dns zones are not even in the same
> building as the folk who deal with address space. in large isps, not
> even in the same town.

Why does this stop the whole thing short? I think the people who run any as-yet-to-be-developed-and-deployed system don't sit in any building at all... Yet, right? :)

Tbqh, I think I might be missing something important (so, please forgive my ignorance), but I don't see how (for example) admins of the SMTP infrastructure have trouble getting their MX records right in DNS zones... How are getting certs in there so much worse?

Eric
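The concrete question in the message above (do the rsync repository pointers in RPKI objects name hosts by DNS name or by IP literal, and therefore does a relying party depend on DNS to fetch them?) can be checked mechanically over the SIA/AIA URIs an RP has collected. The script below is an added example, not part of the thread or of any RPKI software; the URIs in SAMPLE_URIS are constructed for illustration and do not point at real repositories. It classifies each rsync:// URI by whether its host is an IPv4/IPv6 literal (no lookup needed) or a name the RP would have to resolve, and handles bracketed IPv6 literals and explicit ports.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample SIA/AIA values (not taken from any real RPKI object).
SAMPLE_URIS = [
    "rsync://rpki.example.net/repo/ta.cer",       # hostname: needs DNS
    "rsync://192.0.2.10/repo/ca.cer",             # IPv4 literal: no DNS
    "rsync://[2001:db8::10]/repo/ca.cer",         # bracketed IPv6 literal: no DNS
    "rsync://repo.example.org:873/repo/roa.roa",  # hostname with port: needs DNS
]


def needs_dns(uri):
    """Return True if fetching this rsync:// URI requires a DNS lookup,
    i.e. its host component is a name rather than an IPv4/IPv6 literal."""
    parts = urlsplit(uri)
    if parts.scheme != "rsync":
        raise ValueError(f"not an rsync URI: {uri}")
    # .hostname strips the [] around IPv6 literals and drops any :port.
    host = parts.hostname
    if host is None:
        raise ValueError(f"no host in URI: {uri}")
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def dns_dependencies(uris):
    """Hosts, in order of first appearance, that a relying party would
    have to resolve via DNS before it could fetch the listed objects."""
    hosts = []
    for uri in uris:
        if needs_dns(uri):
            host = urlsplit(uri).hostname
            if host not in hosts:
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri}: {'DNS' if needs_dns(uri) else 'IP literal'}")
    print("names to resolve:", dns_dependencies(SAMPLE_URIS))
```

Running it over the URIs actually found in a set of CA certificates (the SIA of each CA, the AIA of each child) gives the list of names an RP must resolve, which is the dependency being argued about; an empty list means the fetch path really is DNS-free.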