> There could be more hosted providers. RIRs are by no means the only ones.
> In fact, it would be very similar to the registry-registrar model.

Well, I am more partial to your first comment (not just RIRs), but I think it is very _very_ different than the registrant, registrar, registry model.

> The whole scenario does not seem too different to me if you host your DNS
> services and your registrar/hosted are DDoSed and you cannot change your
> NS records.

If _your_ registrar gets DDoS'ed, but _mine_ does not, I'll be fine. The interface between registrars and the registry is not open for others to bang on. It's out there, but the front door is not in broad view of the street.

> And in the same fashion to DNS hosted solutions, RPKI-hosted are aimed to
> specific organizations. If you want to be independent from any hosted
> solution, run your own DNS servers or your own CA.

Actually, this was my point.

> The fact that hosted solutions are not DDoS resistant today does not mean
> that they cannot be in the future.

The fact that we're painting the floor doesn't mean we'll paint ourselves into a corner either. Yet, if we aren't careful...

> This (RPKI in general, repositories, hosted solution) is very new and
> still evolving. I take your concerns very seriously and value input for
> improvement.

Thanks, I appreciate that.

> I found it a bit hard to engineer a system without specs. I thought that this
> thread was precisely about BGPSEC specs. Once we have the specs,
> then hosted-rpki solutions can incorporate them.

Well, we _ought_ to be talking about requirements, and that ought to shape the specs. That said, I think it is plain to all that BGPsec is planning to put router EE certs into the RPKI, and that caches will need to fetch them. The rest... well, that's a separate thread about requirements. :)

Eric
