[RPKI] RPKI repo not loading for some validators after Krill 0.8.1 update

Honghao Zeng nat at nat.moe
Sun Nov 22 02:23:39 UTC 2020


Hi all,

It appears that this issue applies to all delegated RPKI CAs under ARIN:

rsync://rpki.multacom.com/repo/MCOMCA/0/
rsync://rpki.multacom.com/repo/MCOMCA/5/
rsync://nostromo.heficed.net/repo/1123832/0/
rsync://rpki.multacom.com/repo/MCOMCA/2/
rsync://rpki.multacom.com/repo/MCOMCA/3/
rsync://rpki.multacom.com/repo/MCOMCA/4/
rsync://rpki.tools.westconnect.ca/repo/WestConnect-CA/0/
rsync://rpki.qs.nu/repo/qsnu/0/
rsync://sakuya.nat.moe/repo/NATOCA/0/
rsync://rpki.admin.freerangecloud.com/repo/FRC-CA/0/

None of the above is working right now. Cloudflare's RPKI statistics [1] also show a huge dip (180) in the number of ROAs under ARIN on Nov 20, compared to a normal < 10 ROA removals per day.

Regards,
Honghao Zeng

[1] https://rpki.cloudflare.com/?ohlcTa=ARIN&ohlcDate=18586

> On Nov 21, 2020, at 6:18 PM, Honghao Zeng via RPKI <rpki at lists.nlnetlabs.nl> wrote:
> 
> Hi all,
> 
> We operate our own RPKI CA at `sakuya.nat.moe.' It has a child CA `ca.nat.moe.' Both CAs are using Krill. We recently upgraded Krill to 0.8.1 and noticed that `ca.nat.moe' stopped working for some RPKI validators.
> 
> Quick debug shows that the entitlement [1] and manifest [2] look fine. However, Cloudflare and RIPE's RPKI validators appear to ignore the `ca.nat.moe' repo. Our local rpki-client also refuses to load the repo and reports no error.
> 
> Any idea what can be causing this? Also, `jdr.nlnetlabs.nl' appears to be down. 
> 
> Best regards,
> Honghao Zeng
> 
> [1] http://console.rpki-client.org/sakuya.nat.moe/repo/NATOCA/0/0108398CA988382C2A509BFDB39E146A76CF9DE0.cer.html
> [2] http://console.rpki-client.org/ca.nat.moe/repo/NATOLAB/0/0108398CA988382C2A509BFDB39E146A76CF9DE0.mft.html
> -- 
> RPKI mailing list
> RPKI at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/rpki


