[ncc-services-wg] RIR DNS management
Gert Doering
gert at space.net
Wed Sep 5 22:01:45 CEST 2012
Hi,

On Wed, Sep 05, 2012 at 04:53:41PM +0200, Shane Kerr wrote:
> On Wednesday, 2012-09-05 15:56:01 +0200,
> Gert Doering <gert at space.net> wrote:
> > > If it's too costly, I assure you that there are several DNS
> > > companies that would be happy to take over the task.
> >
> > So, how would you authenticate that I'm authorized or not to have a
> > DNS delegation for 30.195.in-addr.arpa? Without help of the RIPE NCC?
>
> People seem to be able to manage this on the routing side today, so
> presumably those mechanisms would work here too.

Do they?

What I've seen here that *works* is "query the RIPE DB for the published
route(6): objects for a given AS number, and accept that".

What I've seen that does *not* work is "believe if the customer tells you
that they own a given network" - one /24 out of my address space was
announced by a foreign AS, and their upstream *opened up* their filters
to permit it, because the customer called and yelled at them...

I'm not aware of any IRRDB *that is properly authenticated* that is not
run along the RIR hierarchy - RADB is nice, but since anyone can register
anything there, it's worthless for actual verification against purposeful
misdoings (or sufficiently advanced fat fingers).

RPKI is another option - using RIR hierarchy.

> But of course it would be even better to have explicit authorization
> mechanisms. Perhaps the RIRs could develop some sort of address
> certification technology... ;)

That could be done, yes. Using the PKI tech for "DNSOA" certification -
but that smells like much more effort than to just run the DNS servers :-)

> I'm not seriously proposing separating DNS management from the RIPE NCC,
> merely pointing out that all because things have always been done that
> way doesn't mean that they necessarily have to be done that way.

I agree with you - but still it's enormously comfortable to use the
existing knowledge about address space ownership :-)

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
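The filtering practice described in the message above (accept an announcement only when the registry's route/route6 objects list that prefix for that origin AS), as an added example that is not part of the original message. The RPSL text is a constructed sample using documentation prefixes and AS numbers, the function names are hypothetical, and exact-prefix matching is an assumption of this sketch.

```python
import ipaddress
import re

# Constructed sample of RPSL route/route6 objects, shaped like whois output.
# Prefixes and AS numbers are documentation values, not real registrations.
SAMPLE_RPSL = """\
% constructed sample, not real registry data
route:          192.0.2.0/24
descr:          constructed example
origin:         AS64496
source:         RIPE

route:          198.51.100.0/24
origin:         AS64497
source:         RIPE

route6:         2001:db8::/32
origin:         as64496
source:         RIPE
"""

def parse_route_objects(text):
    """Return the set of (network, origin AS) pairs found in RPSL text."""
    pairs = set()
    for block in re.split(r"\n\s*\n", text):
        prefix = origin = None
        for line in block.splitlines():
            if line.startswith(("%", "#")) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key in ("route", "route6"):
                prefix = ipaddress.ip_network(value)
            elif key == "origin":
                origin = value.upper()
        if prefix is not None and origin is not None:
            pairs.add((prefix, origin))
    return pairs

def build_filter(pairs, asn):
    """Prefixes the registry lists for one origin AS."""
    return {net for net, origin in pairs if origin == asn.upper()}

def accept(prefix, origin_asn, pairs):
    """Accept only an exact prefix/origin match; a customer's word is not input."""
    return (ipaddress.ip_network(prefix), origin_asn.upper()) in pairs

ROUTES = parse_route_objects(SAMPLE_RPSL)

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", "AS64496"), ("192.0.2.0/24", "AS64497")]:
        print(pfx, asn, "accept" if accept(pfx, asn, ROUTES) else "reject")
```

The second case is the one from the message: a /24 announced by an AS that has no matching route object is rejected, regardless of what the customer says on the phone.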