martin at nlnetlabs.nl
Wed Jan 27 13:06:31 UTC 2021
Ibar Osman Ibrahim via RPKI wrote:
> I have been installing a Routinator validator so i met an error
> saying that there is an unsafe VRPs so could you please enlighten me,
> Thank you in advance.
> Encountered potentially unsafe VRP (184.108.40.206/24-24, AS47065)
> Encountered potentially unsafe VRP (220.127.116.11/24-24, AS47065)
These are not really errors but more warnings. What happens is that
Routinator marks all VRPs for prefixes that have been delegated to RPKI
CAs that failed to validate for some reason. This was intended as a
mechanism to avoid having routes for prefixes that have been delegated
to more than one CA end up being RPKI invalid by accident. But there
are issues with it so we are currently unsure what to do with it.
In the meantime, you should find messages in the log noting why a CA
that include one of the mentioned prefixes (the CA may have shorter
prefixes, though) was rejected.
 Unless you set unsafe-vrps = "reject" in the config, then these
VRPs will be removed from the VRP set produced by Routinator.
More information about the RPKI