[alex-g]

> BGP announcements, themselves unencrypted, aren't protected with DNSSEC.

This is true, but only because BGP announcements don't involve DNS, and so all the DNS security in the world won't help. Agreed that there is a lot of scope for doing better on BGP security, though - and indeed DNS security.

[tptacek]

The fact that "all the DNS security in the world won't help" is part of my point. There aren't really any places where "all the DNS security in the world" will help.

[danyork]

> Agreed that there is a lot of scope for doing better on BGP security, though

Yes... and there we go down the path toward BPGSEC, RPKI and other tools that people are developing to help secure the routing infrastructure.