[arin-announce] ARIN Resource Certification Update

Sorry to be Johnny-come-lately to this...

Right, I've heard the circular dependency arguments. So, are you
suggesting the RPKI isn't going to rely on DNS at all?

correct. it need not.

Maybe I am misunderstand something here... Are (for example) the rsync
processes going to use hard coded IPs? Are the SIAs and AIAs referenced by

I'm of the belief RPKI should NOT be on the critical path, but instead
focus on Internet number resource certification - are you suggesting

<channeling steve kent>
see the word 'certification'? guess where that leads. pki. add
resources and stir.

Sounds like a loose definition of pki. Does DNSSEC count as such a loosely
defined pki? :stuck_out_tongue:

if the latter, then you have the problem that the dns trust model is
not congruent with the routing and address trust model.

That could be easily fixed with trivial tweaks and transitive trust/
delegation graphs that are, I suspect.

not bloody likely. the folk who sign dns zones are not even in the same
building as the folk who deal with address space. in large isps, not
even in the same town.

Why does this stop the whole thing short? I think the people who run any
as-yet-to-be-developed-and-deployed system don't sit in any building at
all... Yet, right? :slight_smile:

Tbqh, I think I might be missing something important (so, please forgive my
ignorance), but I don't see how (for example) admins of the SMTP
infrastructure have trouble getting their MX records right in DNS zones...
How are getting certs in there so much worse?