On Jan 24, 2011, at 9:14 PM, Randy Bush wrote:
you want certificates etc? or did you plan to reuse dns keys?
I suspect the former, reusing much of the SIDR machinery perhaps, although....
if the former, than all you are discussing is changing the transport to make routing security rely on dns and dns security. not a really great plan.
Right, I've heard the circular dependency arguments. So, are you suggesting the RPKI isn't going to rely on DNS at all? I'm of the belief RPKI should NOT be on the critical path, but instead focus on Internet number resource certification - are you suggesting otherwise?
if the latter, then you have the problem that the dns trust model is not congruent with the routing and address trust model.
That could be easily fixed with trivial tweaks and transitive trust/ delegation graphs that are, I suspect. -danny