[afnog] RPKI

Randy Bush randy at psg.com
Fri Jul 31 10:20:47 UTC 2015

> In RPKI, the TA's are typically the RIR's (AFRINIC, APNIC, ARIN, LACNIC
> and RIPE). However, there could be other TA's that are not necessarily
> RIR's, provided you trust them as an RPKI operator. For example, the
> RPKI.net project provides their own "altca" TA. Because I know Randy and
> Rob, I trust that TA and use it.

and let's not forget the ersatz CAs the RIRs have hacked to allow
inter-rir transfer.  see draft-ymbk-sidr-transfer-01.txt

> The final goal was to harmonize the TA structure such that RP tools do
> not query all available TA's, but rather, query a single TA that,
> in-turn, is authoritative for all other TA's out there. This has never
> materialized, for various reasons, I assume. But I believe there is
> some work going on this area.

dealing with the insanity of not having a single dns trust anchor meant
i, an op, had to manage hundreds of trust anchors.  not feasible.
dealing with a dozed rpki trust anchors is doable.  so i am being


More information about the afnog mailing list