> and will all rirs issue an as0 for 10/8? nice. at least, if i use net
> 10 internally, my local root ca's roas for it will override your 5 or
> whatever as0 roas.

This is a good operating model I think. If I wanted some assurance of
internal intent, I would do this. A SLURM file is simpler, less
overhead, but I would probably do what you are doing here. (I don't
have this burden, I don't operate routing-active systems)

>
> > We proposed this during initial deployment to ensure we had a
> > make-before-break outcome for relying parties, but it does reduce
> > uptake (during the test period at best <100 people have participated)
> > perhaps because ops seem disinclined to complex tal management.

Yes. I think that's very likely but we are talking about a small number
at this stage, the distinction here being what is included in s/w
distribution for most people.

> > If we include the AS0 under the mainline TAL, then this is 'opt out'
> > behaviour for RPs (they would have to do conscious work e.g. locally
> > managed SLURM) to re-validate prefixes, rather than opt-in.
>
> back to an unauthenticated slurm, eh?

Well caught. I think use of this kind of "magic override" is not the
first preference, but it's logistically simple. I don't like the model
of sourcing a SLURM file from outside. It's a local-override mechanism.
Di Ma published how to distribute slurm over trusted communications,
and I commented about how I still feel uncomfortable about the lack of
validation in what SLURM says.

>
> randy, who also did not like or use the dnssec dlv hack

Neither did I FWIW.

-G
