<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<p><span style="font-size: 10pt;">Right, so this indicates from Krill’s perspective that the dialogue is working but it gets an authoritative response saying it can’t have resources. I think you should talk to the ripe NCC then. It appears that this is not technical issue with krill, but I hope you will get it resolved soon of course. And if you or the RIPE NCC do suspect there still is an issue in Krill please let me know.</span></p>
<p><br /></p>
<p><span style="font-size: 10pt;">Tim</span></p>
<p id="reply-intro"><br />On 2021-07-08 23:09, Christopher Munz-Michielin via RPKI wrote:</p>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<div id="replybody1">
<div>
<p>And here is the CLI output:</p>
<p>Parent: RIPE-FRC<br />URI: <a class="v1moz-txt-link-freetext" href="http://lirportal.ripe.net/certification/updown" target="_blank" rel="noopener noreferrer">http://lirportal.ripe.net/certification/updown</a><br />Status: success<br />Last contacted: 2021-07-08T21:03:07+00:00<br />Next contact on or before: 2021-07-08T21:13:07+00:00<br />Resource Entitlements: asn: , v4: , v6:<br /> resource class: DEFAULT<br /> issuing cert uri: rsync://rpki.ripe.net/repository/aca/KpSo3VVK5wEHIJnHC2QHVV3d5mk.cer<br /> received certificate(s):</p>
<p>Which is interesting because it does appear that RIPE is no longer issuing any of our entitlements. </p>
<p><br /></p>
<div class="v1moz-cite-prefix">On 08/07/2021 13:42, Christopher Munz-Michielin via RPKI wrote:</div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<p>Hi Tim,</p>
<p>Thanks for the reply. I have confirmed that the entitlements displayed in the UI are the same as before the issue, specifically:</p>
<p><span style="color: #606266; font-family: Lato, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgba(255, 255, 255, 0.953); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">ASN: AS59893, AS211591</span><br style="color: #606266; font-family: Lato, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgba(255, 255, 255, 0.953); text-decoration-style: initial; text-decoration-color: initial;" /><span style="color: #606266; font-family: Lato, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgba(255, 255, 255, 0.953); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">IPv4: 45.148.76.0/22</span><br style="color: #606266; font-family: Lato, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgba(255, 255, 255, 0.953); text-decoration-style: initial; text-decoration-color: initial;" /><span style="color: #606266; font-family: Lato, sans-serif; font-size: 12px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgba(255, 255, 255, 0.953); text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;">IPv6: 2a0f:9400::/29</span></p>
<p><br />I'll try and get the CLI output as well.</p>
<p>Chris</p>
<div class="v1moz-cite-prefix">On 08/07/2021 13:34, Tim Bruijnzeels wrote:</div>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<pre class="v1moz-quote-pre">Hi Christopher,
This is strange indeed. It sounds a bit like your resource entitlements under RIPE NCC may have changed.
Going with that assumption:
Krill will only allow you to create ROAs for prefixes that you hold on a certificate (or any certificate under any parent if you have multiple). However if you lose the resource on your certificate then it can no longer create the signed ROA objects. What is confusing - and I should prioritise this higher I now realise - is that the UI and API will list your previously configured "Authorisations" still. These are not actual ROAs but your intent to create ROAs if you see what I mean. If you get back the resources then the ROA objects will be re-created automatically. What is missing from the UI though is a clear indication which "Authorisation" configs would be for space you no longer hold on your certificates.
Can you check the status and resources under each parent?
You can look at the 'parents' tab in the UI, but if you have access to the CLI then please run:
krillc parents statuses --ca <your-ca>
This gives a little more info than the UI I think. You can also run this command with --format json to get even more info.
If you prefer you can share your results with <a class="v1moz-txt-link-abbreviated" href="mailto:rpki-team@nlnetlabs.nl" rel="noreferrer">rpki-team@nlnetlabs.nl</a> instead of this list - of course we would be more than happy to report back when we get further.
Kind regards,
Tim, on behalf of the NLnet Labs RPKI Team
</pre>
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<pre class="v1moz-quote-pre">On 8 Jul 2021, at 21:05, Christopher Munz-Michielin via RPKI <a class="v1moz-txt-link-rfc2396E" href="mailto:rpki@lists.nlnetlabs.nl" rel="noreferrer"><rpki@lists.nlnetlabs.nl></a> wrote:
Hi All,
Got a weird issue with Krill and publishing RIPE ROAs. Background: We have been running Krill with 1 RIPE, 2 ARIN and 1 APNIC parents for the better part of a year without issue, but yesterday we started receiving reports that all our RIPE ROAs had been dropped, indeed when I look at <a class="v1moz-txt-link-freetext" href="https://jdr.nlnetlabs.nl/#/search/%2Frpki-repo%2Frsync%2Frpki.ripe.net%2Frepository%2FDEFAULT%2F3JsPwPrhyzvSi50Bqvw1Y_2pUdo.cer" target="_blank" rel="noopener noreferrer">https://jdr.nlnetlabs.nl/#/search/%2Frpki-repo%2Frsync%2Frpki.ripe.net%2Frepository%2FDEFAULT%2F3JsPwPrhyzvSi50Bqvw1Y_2pUdo.cer</a> <a class="v1moz-txt-link-rfc2396E" href="https://jdr.nlnetlabs.nl/#/search/%2Frpki-repo%2Frsync%2Frpki.ripe.net%2Frepository%2FDEFAULT%2F3JsPwPrhyzvSi50Bqvw1Y_2pUdo.cer" target="_blank" rel="noopener noreferrer"><https://jdr.nlnetlabs.nl/#/search/%2Frpki-repo%2Frsync%2Frpki.ripe.net%2Frepository%2FDEFAULT%2F3JsPwPrhyzvSi50Bqvw1Y_2pUdo.cer></a> this does appear to be the case.
I have verified all the ROA's exist via the Krill API as well as in the GUI. So far I have tried restarting Krill, Deleting and re-adding some ROAs, as well as deleting the delegation from RIPE and re-creating it all to no avail. I'm at the point where I'm getting ready to blow the whole setup away and rebuild from scratch, but figured I would reach out here first to see if anyone has a suggestion to recover from this weird situation.
Version of krill is 0.8.2 on ubuntu 20.04 installed from the package manager. No other RIR's seem to be effected by this.
--
RPKI mailing list
<a class="v1moz-txt-link-abbreviated" href="mailto:RPKI@lists.nlnetlabs.nl" rel="noreferrer">RPKI@lists.nlnetlabs.nl</a>
<a class="v1moz-txt-link-freetext" href="https://lists.nlnetlabs.nl/mailman/listinfo/rpki" target="_blank" rel="noopener noreferrer">https://lists.nlnetlabs.nl/mailman/listinfo/rpki</a>
</pre>
</blockquote>
</blockquote>
<br /><fieldset class="v1mimeAttachmentHeader"></fieldset></blockquote>
</div>
</div>
<br />
<div class="pre" style="margin: 0; padding: 0; font-family: monospace"> </div>
</blockquote>
<p><br /></p>
</body></html>