On Tue, Jan 27, 2026 at 07:03:15AM -0800, Ca By via NANOG wrote:
> That is why the IETF made geofeeds.
>
> My customers started having outages because geolocation firms have bad data, and enterprises use that bad data in firewall and cdn rules which cause outages. For example, geolocation firms provide data that a customer IP is in xyz country but the firewall rules only allow abc country…
>
> Anyhow, as a person who publishes geofeed data representing 100s of millions of users, please …everyone… publish and consume first party geofeed data and do not listen to FUD from people trying to sell you the same data that we publish for free.

Geofeed indeed makes for an interesting information source and seems a useful tool to have in the toolbox.

Unfortunately, the approach described in the RFC how to authenticate Geofeed data using the RPKI turned out to be a dud: in the last few years I've been unable to find any other people willing to implement & support the scheme. I've come to suspect this failure in market adoption is because the Geofeed authenticator design is just too unergonomic. But whatever the reason, I've not seen anyone on this planet (other than myself) publish Geofeed data with an authenticator. I stopped signing mine.

So, as it stands, Geofeed information generally is published & consumed with weak controls on semantic correctness, integrity & authenticity. Perhaps that's fine for what it is?

Kind regards,

Job

ps. Geofeed's failure to take advantage of the RPKI doesn't bode well for the usability of other "Geofeed-inspired" authentication schemes. The IETF should do a better job weeding out such unpractical workflows, for instance by requiring demonstration of actual implementations before RFC publication.