[rssac-caucus] Best Practices for the Distribution of Anycast Instances of the Root Name Service WP Conclusion
Paul Vixie
paul at redbarn.org
Wed Feb 7 07:21:45 UTC 2018

Di Ma wrote:
> The RPKI itself does not necessarily indicate signing BGP messages.
>
> ...
>
> Given the BGPSEC deployment and application is more complicated and
> might have a long way to go overwhelming, I would suggest the RSOs
> work with RIR to publish their ROAs as they employ the RPKI “as a
> potential way to assure route origin authenticity in the future”.

all rpki use today is prospective. it relies on people publishing ROAs
even knowing that there's no benefit (nobody is rejecting unsigned
routes or even preferring signed over unsigned paths) and some cost (as
people begin to actually verify, both the verification and the signing
will at first be fragile and error-prone).

i am likely to participate in this prospective rpki activity,
personally, because as with ipv6 and dnssec, there is a significant
last-mover advantage, which means somebody has to go first when it still
makes no sense, and that's what i always do.

i do not however agree that the RSO's ought to participate in this
road-paving exercise. they should sign when it makes actual sense on
that day for them to sign -- not to enable some idealized future.
--
P Vixie