Re: rpki vs. secure dns?

[Samuel Weiler]

On Mon, 28 May 2012, David Conrad wrote:

As far as I can tell, ROVER is simply Yet Another RPKI Access Method 
like rsync and bittorrent with its own positives and negatives.


Not quite.  ROVER's SRO  RLOCK statements have different semantics 
than RPKI ROAs, and there are semantics that may not be (practically) 
expressible in ROVER.


ROVER's semantics depend on DNS zone structure.  The protection 
offered by the RLOCK statement stops when a zone cut is reached -- 
longer routes are allowed unless there's an RLOCK in every descendant 
zone.  Having DNS users care about zone structure is, to quote Rob 
Austein, not normal.


-- Sam Weiler

Re: [arin-announce] ARIN Resource Certification Update

[Samuel Weiler]

[moderation seems slow; resending from subscribed address instead]

On Mon, 24 Jan 2011, Danny McPherson wrote:


I suspect I've sufficiently chummed the waters, I'll kick back and absorb
all the reasons this is a whack idea :)


Short summary: it's not entirely whack, but no one has yet put forward a 
working data model.  The scheme in Bill Manning's INET'98 paper might have 
worked for classFUL addresses, but not CIDR.  I think there may have been 
similar problems with Lutz Donnerhacke and Wouter Wijngaards' scheme(s) from 
2008.


Joe Abley's problem statement on this list gets to one of the issues. Your 
answer to him of New prefix-based RRs?  And perhaps even a new .arpa or 
in-addr.arpa subdomain is a bit short on details.  I challenge you to work out 
the details.  Once we have something concrete, then we can pick apart why it 
won't work, tweak, and repeat.


-- Sam