On Fri, Sep 16, 2022 at 7:07 AM Randy Bush <randy@psg.com> wrote:
> > You could try suggesting IANA/PTI/ICANN to have a different RPKI trust anchor and provide such services to legacy block holders.
>
> the rpki design cabal assumed the iana would be the rpki root. rir power players blocked that. so each rir is 0/0. brilliant, eh?

I'm not fond of that decision either, but at this point it is how it is. We already have the operation of inter-RIR reverse DNS synchronization since each /8 is not single-RIR anymore, and I believe a similar mechanism could have allowed for a single RPKI root. But I note that the 0/0 trust anchors preceded IANA transition to PTI, and that even after the transition, we still have an organization that doesn't have jurisdictional immunity in the US to prevent possible petty challenges to the system. So the world at large still benefits from the multiple trust anchor design, when all trade-offs are accounted for.

Rubens