Re: [arin-announce] ARIN Resource Certification Update
Sorry to be Johnny-come-lately to this... On 1/24/11 6:31 PM, "Randy Bush" <randy@psg.com> wrote:
Right, I've heard the circular dependency arguments. So, are you suggesting the RPKI isn't going to rely on DNS at all?
correct. it need not.
Maybe I am misunderstand something here... Are (for example) the rsync processes going to use hard coded IPs? Are the SIAs and AIAs referenced by IP?
I'm of the belief RPKI should NOT be on the critical path, but instead focus on Internet number resource certification - are you suggesting otherwise?
<channeling steve kent> see the word 'certification'? guess where that leads. pki. add resources and stir.
Sounds like a loose definition of pki. Does DNSSEC count as such a loosely defined pki? :-P
if the latter, then you have the problem that the dns trust model is not congruent with the routing and address trust model. That could be easily fixed with trivial tweaks and transitive trust/ delegation graphs that are, I suspect.
not bloody likely. the folk who sign dns zones are not even in the same building as the folk who deal with address space. in large isps, not even in the same town.
Why does this stop the whole thing short? I think the people who run any as-yet-to-be-developed-and-deployed system don't sit in any building at all... Yet, right? :) Tbqh, I think I might be missing something important (so, please forgive my ignorance), but I don't see how (for example) admins of the SMTP infrastructure have trouble getting their MX records right in DNS zones... How are getting certs in there so much worse? Eric
participants (1)
-
Osterweil, Eric