more "threads from the crypt" as i catch up to 6000 missed nanog posts.

"Dobbins, Roland" <rdobbins@arbor.net> writes:
> On Apr 28, 2012, at 5:17 PM, Saku Ytti wrote:
>
>> People might be scared to rely on DNS on accepting routes, but is this really an issue?
>
> Yes, recursive dependencies are an issue. I'm really surprised that folks are even seriously considering something like this, but OTOH, this sort of thing keeps cropping up in various contexts from time to time, sigh.

so, first, i think you mean circular dependencies not recursive dependencies. second, i'd agree that that's probably bad engineering. third, rsync's dependencies on routing (as in the RPKI+ROA case) are not circular (which i think was david conrad's point but i'll drag it to here.)

my reason for not taking ROVER seriously is that route filter preparation is an essentially offline activity -- you do it from a cron job not "live". and to do this you have to know in advance what policy data is available which may or may not have the same coverage as "the routes you will receive between one cron job and the next".

we could in other words use DNS to store route policy data if we wanted to use a recursive zone transfer of all policy zones, as a replacement for rsync. (but why would we do this? we have rsync, which worked for IRR data for many years.)

ROVER expects that we will query for policy at the instant of need. that's nuts for a lot of reasons, one of which is its potentially and unmanageably circular dependency on the acceptance of a route you don't know how to accept or reject yet.

my take-away from this thread is: very few people take RPKI seriously, but even fewer take ROVER seriously.

--
Paul Vixie
KI6YSY