In article <10321.15111.31594@avi.netaxs.com> Vadim wrote:

: Thank you very much, but no.
: DNS (and DNSSEC) relies on working IP transport for its operation.

Good point. However - Routers rely on having enough CPU and RAM to do transport as well, and router engineers rely on not running offboard boxes in strange configurations that are more likely to cause that which is the biggest of problems on the Internet - humans getting confused and stuffing things up.

Problems abound with every approach.

: Now you effectively propose to make routing (and so operation of IP
: transport) dependent on DNS(SEC).
: Am I the only one who sees the problem?

Probably not, but lots of us see problems with S-BGP as constituted now. Lots of work has gone into something that is highly unlikely to be deployed in any major core network.

: --vadim

Rather than flame each other, maybe we can have a shoot-the-shit discussion of the underlying problem (lack of authentication of routing AND of packet sources), perhaps at IETF or NANOG, at the pre-draft stage. Maybe people will agree, but it might be productive.

: PS. The only sane method for routing info validation I've seen so far is
: the plain old public-key crypto signatures.

Avi
Avi Freedman