
In message <20200103215429.GF93721@hanna.meerval.net>, Job Snijders <job@ntt.net> wrote:
{... snipped ...}
My apologies to Job, and to everyone, for my somewhat hasty and improper generalizations about non-RIPE IRRs generally. We agree that the RIPE IRR is at present very good, but my comments could certainly be read/misconstrued as me casting unwarranted aspersions on all others, which I quite clearly should not be doing. Many others are doing a fine fine job of vetting things and providing very accurate data also.

That having been said, I cannot resist the temptation to poke at this one bit of relevant information that Job shared:

Current RIRs:
* All RPKI ROAs (under all of the five RIRs) are validated
* RIPE NCC's "RIPE" IRR source is validated (but "RIPE-NONAUTH" is not).
* APNIC's IRR source "APNIC" is 100% validated
* AFRINIC's IRR source "AFRINIC" is 100% validated

That last one is a bit problematic, as I hope and trust everyone here now knows.

I have been waiting for the right moment to note that although RPKI has been widely touted, including by myself, as the thing that will in future save us all, it isn't quite the ultimate and perfect solution for routing security, at least not if it turns out that the folks who sit at the roots of the trust linkages cannot themselves be trusted.

But I suppose that this is an entirely superfluous observation for me to offer up. Everyone who even vaguely understands chains of trust and their relationship to routing, as I do, vaguely, will have already grasped this rather obvious point. Meanwhile, on the other side, folks who lack even a vague grasp of the RPKI trust model won't be enlightened just because I said what I just said.

Regards,
rfg