[RPKI] RPKI repo not loading for some validators after Krill 0.8.1 update

Honghao Zeng nat at nat.moe
Sun Nov 22 04:44:15 UTC 2020


Hi all,

ARIN has confirmed that the issue is on their side:

> Begin forwarded message:
> 
> From: Mark Kosters <markk at arin.net>
> Subject: [arin-tech-discuss] Issue for Delegated Users within ARIN's RPKI Repository
> Date: November 21, 2020 at 11:32:19 PM EST
> To: "arin-tech-discuss at arin.net" <arin-tech-discuss at arin.net>
> 
> Hi
>  
> It was reported to us late this evening (11/21) that there is an issue with ARIN’s RPKI repository that affects organizations that use delegated mode. This issue does not affect RPKI users who use the hosted mode. We are in the process of identifying the cause and will have a fix out shortly.
>  
> Regards,
> Mark

It was some very nice timing; this happened right after we upgraded Krill to 0.8.1 yesterday.

Sorry for the noise. 

Regards,
Honghao Zeng

> On Nov 21, 2020, at 9:23 PM, Honghao Zeng <nat at nat.moe> wrote:
> 
> Hi all,
> 
> It appears that this issue applies to all delegated RPKI CAs under ARIN:
> 
> rsync://rpki.multacom.com/repo/MCOMCA/0/
> rsync://rpki.multacom.com/repo/MCOMCA/5/
> rsync://nostromo.heficed.net/repo/1123832/0/
> rsync://rpki.multacom.com/repo/MCOMCA/2/
> rsync://rpki.multacom.com/repo/MCOMCA/3/
> rsync://rpki.multacom.com/repo/MCOMCA/4/
> rsync://rpki.tools.westconnect.ca/repo/WestConnect-CA/0/
> rsync://rpki.qs.nu/repo/qsnu/0/
> rsync://sakuya.nat.moe/repo/NATOCA/0/
> rsync://rpki.admin.freerangecloud.com/repo/FRC-CA/0/
> 
> None of the above is working right now. Cloudflare's RPKI statistics [1] also show a huge dip (180) in the number of ROAs under ARIN on Nov 20, compared to a normal < 10 ROA removals per day.
> 
> Regards,
> Honghao Zeng
> 
> [1] https://rpki.cloudflare.com/?ohlcTa=ARIN&ohlcDate=18586
> 
>> On Nov 21, 2020, at 6:18 PM, Honghao Zeng via RPKI <rpki at lists.nlnetlabs.nl> wrote:
>> 
>> Hi all,
>> 
>> We operate our own RPKI CA at `sakuya.nat.moe.' It has a child CA `ca.nat.moe.' Both CAs are using Krill. We recently upgraded Krill to 0.8.1 and noticed that `ca.nat.moe' stopped working for some RPKI validators.
>> 
>> Quick debug shows that the entitlement [1] and manifest [2] look fine. However, Cloudflare and RIPE's RPKI validators appear to ignore the `ca.nat.moe' repo. Our local rpki-client also refuses to load the repo and reports no error.
>> 
>> Any idea what can be causing this? Also, `jdr.nlnetlabs.nl' appears to be down. 
>> 
>> Best regards,
>> Honghao Zeng
>> 
>> [1] http://console.rpki-client.org/sakuya.nat.moe/repo/NATOCA/0/0108398CA988382C2A509BFDB39E146A76CF9DE0.cer.html
>> [2] http://console.rpki-client.org/ca.nat.moe/repo/NATOLAB/0/0108398CA988382C2A509BFDB39E146A76CF9DE0.mft.html
> 
