This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[ncc-services-wg] RIR DNS management
- Previous message (by thread): [ncc-services-wg] RIR DNS management
- Next message (by thread): [ncc-services-wg] RIR DNS management
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gert Doering
gert at space.net
Wed Sep 5 22:01:45 CEST 2012
Hi, On Wed, Sep 05, 2012 at 04:53:41PM +0200, Shane Kerr wrote: > On Wednesday, 2012-09-05 15:56:01 +0200, > Gert Doering <gert at space.net> wrote: > > > If it's too costly, I assure you that there are several DNS > > > companies that would be happy to take over the task. > > > > So, how would you authenticate that I'm authorized or not to have a > > DNS delegation for 30.195.in-addr.arpa? Without help of the RIPE NCC? > > People seem to be able to manage this on the routing side today, so > presumably those mechanisms would work here too. Do they? What I've seen here that *works* is "query the RIPE DB for the published route(6): objects for a given AS number, and accept that". What I've seen that does *not* work is "believe if the customer tells you that they own a given network" - one /24 out of my address space was announced by a foreign AS, and their upstream *opened up* their filters to permit it, because the customer called and yelled at them... I'm not aware of any IRRDB *that is properly authenticated* that is not run along the RIR hierarchy - RADB is nice, but since anyone can register anything there, it's worthless for actual verification against purposeful misdoings (or sufficiently advanced fat fingers). RPKI is another option - using RIR hierarchy. > But of course it would be even better to have explicit authorization > mechanisms. Perhaps the RIRs could develop some sort of address > certification technology... ;) That could be done, yes. Using the PKI tech for "DNSOA" certification - but that smells like much more effort than to just run the DNS servers :-) > I'm not seriously proposing separating DNS management from the RIPE NCC, > merely pointing out that all because things have always been done that > way doesn't mean that the necessarily have to be done that way. I agree with you - but still it's enormously comfortable to use the existing knowledge about address space ownership :-) Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 306 bytes Desc: not available URL: </ripe/mail/archives/ncc-services-wg/attachments/20120905/b40e7e1d/attachment.sig>
- Previous message (by thread): [ncc-services-wg] RIR DNS management
- Next message (by thread): [ncc-services-wg] RIR DNS management
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]