On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley <jabley@hopcount.ca> wrote:
On 2011-01-24, at 20:24, Danny McPherson wrote:
<separate subject> Beginning to wonder why, with work like DANE and certificates in DNS in the IETF, we need an RPKI and new hierarchical shared dependency system at all and can't just place ROAs in in-addr.arpa zone files that are DNSSEC-enabled.
<snip>
But what about this case?
RIR allocates 10.0.0.0/8 to A A allocates 10.0.0.0/16 to B B allocates 10.0.0.0/24 to C
In this case the DNS delegations go directly from RIR to C; there's no opportunity for A or B to sign intermediate zones, and hence no opportunity for them to indicate the legitimacy of the allocation.
it's not the best example, but I know that at UUNET there were plenty of examples of the in-addr tree not really following the BGP path. -chris