re alex's preso on how the ripe/ncc roa generation gui works, with help
from geoff, the latest version of draft-ietf-sidr-origin-ops gives more
detailed advice on the subject.

   Use of RPKI-based origin validation obviates the utility of
   announcing many longer prefixes when the covering prefix would do.

   To aid translation of ROAs into efficient search algorithms in
   routers, ROAs SHOULD be as precise as possible, i.e. match prefixes
   as announced in BGP.  E.g. software and operators SHOULD avoid use of
   excessive max length values in ROAs unless operationally necessary.

   Therefore, ROA generation software MUST use the prefix length as the
   max length if the user does not specify a max length.

   Operators SHOULD be conservative in use of max length in ROAs.  E.g.,
   if a prefix will have only a few sub-prefixes announced, multiple
   ROAs for the specific announcements SHOULD be used as opposed to one
   ROA with a long max length.

the third para specifically addresses the issue alex raised, thanks
alex.
randy
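
An added example, not part of the message above or of the draft: a small Python model of the max length default the draft text requires, checked with RFC 6811 origin validation against two precise ROAs and one ROA with a long max length. The function names, the documentation prefix 192.0.2.0/24 and AS 64496 are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class ROA(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int
    asn: int

def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; an unspecified max length defaults to the prefix length."""
    net = ipaddress.ip_network(prefix)
    if max_length is None:
        max_length = net.prefixlen
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError("max length outside %d..%d" % (net.prefixlen, net.max_prefixlen))
    return ROA(net, max_length, asn)

def validate(route: str, origin_asn: int, roas) -> str:
    """RFC 6811 origin validation state: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        # subnet_of() raises TypeError on mixed IPv4/IPv6, so check version first
        if net.version != roa.prefix.version or not net.subnet_of(roa.prefix):
            continue
        covered = True
        if net.prefixlen <= roa.max_length and origin_asn == roa.asn:
            return "valid"
    return "invalid" if covered else "notfound"

def authorised_routes(roa: ROA) -> int:
    """Count the distinct prefixes this ROA makes valid for its ASN."""
    base = roa.prefix.prefixlen
    return sum(2 ** (length - base) for length in range(base, roa.max_length + 1))

# Constructed scenario: AS 64496 announces 192.0.2.0/24 and 192.0.2.128/25 only.
PRECISE = [make_roa("192.0.2.0/24", 64496), make_roa("192.0.2.128/25", 64496)]
LOOSE = [make_roa("192.0.2.0/24", 64496, max_length=28)]

if __name__ == "__main__":
    for name, roas in (("precise", PRECISE), ("loose", LOOSE)):
        print(name, "ROA set authorises", sum(authorised_routes(r) for r in roas), "routes")
        for route in ("192.0.2.0/24", "192.0.2.128/25", "192.0.2.64/26"):
            print("  ", route, "AS64496 ->", validate(route, 64496, roas))
```

With the two precise ROAs, the /26 that the operator never announces comes out invalid; with the single max length 28 ROA it comes out valid.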