On Fri, 28 Feb 2003, Vadim Antonov wrote:
Thank you very much, but no.
DNS (and DNSSEC) relies on working IP transport for its operation.
Doesn't sBGP also have this problem? A catch-22 where you have to have good routing to get good routing? Or did I miss something?
Now you effectively propose to make routing (and so operation of IP transport) dependent on DNS(SEC).
Am I the only one who sees the problem?
--vadim
PS. The only sane method for routing info validation I've seen so far is the plain old public-key crypto signatures.
On 1 Mar 2003, Paul Vixie wrote:
It wouldn't be too hard for me to trust:
4969.24.origin.0.254.200.10.in-addr.arpa returning something like "true." to check whether 4969 is allowed to originaate 10.200.254.0/24. ...
at last, an application for dnssec!