We are working on a PoC in regards to DR with AWS. We are doing BYOIP and were asked to create an ROA record which I can easily understand. But AWS also requests an X.509 certificate as per: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html which needs to be added to a new "descr:" tag They state in their page: "When you provision an address range for use with AWS, you are confirming that you control the address range and are authorizing Amazon to advertise it. We also verify that you control the address range through a signed authorization message. This message is signed with the self-signed X.509 key pair that you used when updating the RDAP record with the X.509 certificate. AWS requires a cryptographically signed authorization message that it presents to the RIR. The RIR authenticates the signature against the certificate that you added to RDAP, and checks the authorization details against the ROA." Why isn't creating an ROA proof enough that I control the address range? Why 2 forms of authentication needed (ROA & X.509)? What will happen to the pollution of the descr tag if others like Azure and GCP decide on something similar? Should the community form a standard rather than let the descr field become polluted? Regards, Hank