It's an interesting problem. What do other non-ARIN members do for their own legacy space for ROAs?
My guess is this is similar to the situation "alternative gTLD root" servers found themselves in many years ago. I bet we could ask common RPKI software to update their default list to include this "legacy" trust anchor. Now would be the time, as the universe of RPKI software is small.
I'm happy to foot the bill for the Krill instance on DigitalOcean or the like; maybe Chris (VE7ALB) can provide some assistance?
--Matt
On Tue, May 26, 2020 at 2:03 PM Bryan Fields via 44Net <44net@mailman.ampr.org> wrote:
On 5/25/20 1:29 PM, Quan Zhou via 44Net wrote:
It looks like ARIN supports delegation[0]; the model seems like what the relationship between 44net and ARIN is now?
If that works, maybe it's like this: ARIN delegates [44/9, 44.128.0.0/10] to AMPRNet/ARDC, and they run a subordinate CA to issue RV records. Configuring and running a compliant CA can be really challenging, though.
ARDC is not an ARIN member; ARIN will not delegate to them. Full stop.
If this is going to be a thing, it would have to be outside ARIN. I'd be in favor of assisting on this, but we'd need buy-in from the users of RPKI to recognize the amateur certs.
--
Bryan Fields
727-409-1194 - Voice
http://bryanfields.net