[RPKI] Repository URLs

Ben Maddison benm at workonline.africa
Thu Oct 28 17:36:30 UTC 2021


Hi Chriztoffer, Jacquie,

On 10/28, Chriztoffer Hansen via RPKI wrote:
> On Thu, 28 Oct 2021 at 12:59, Jacquie Zhang via RPKI
> <rpki at lists.nlnetlabs.nl> wrote:
> > If this list changes often and the proxy is not keeping up with the
> > changes, the Routinator will miss some ROA publication points. For
> > our proxy whitelist to work we need this URL list to be static,
> > preferably never changes.
> 
> I recommend setting up alerts regarding changes to RDAP publication
> points. Even automating the updating of the URI whitelist your proxy
> uses. Static configuration should never be expected to be the status
> quo. "The internet is dynamic" (incl. the configuration).
> 
I would advise against even this.
Even an allow list that is updated automatically when new publication
points appear will have a lag during which fetches from those PPs fail.

This is highly likely to result in transient false-invalids, and
associated breakage in BGP.

Cheers,

Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/rpki/attachments/20211028/0759355a/attachment.bin>


More information about the RPKI mailing list