[RPKI] Routinator repository blacklisted

Rick Wanner rick.wanner at sasktel.com
Tue Nov 29 14:07:29 UTC 2022


This is why it is included in the Spamhaus Bad Reputation RPZ blocklist:

https://check.spamhaus.org/listed/?searchterm=mnihyc.com


Rick Wanner MSISE

Enterprise CyberSecurity
2121 Saskatchewan Drive
Regina, SK  S4P 3Y2
c: 306.533.1812
e: rick.wanner at sasktel.com
SecURITy - Security You Are It!
<https://www.twitter.com/namedeplume/>

________________________________
From: Slav Messetchkov <slav.messetchkov at sasktel.com>
Sent: November 28, 2022 5:58 PM
To: rpki at lists.nlnetlabs.nl <rpki at lists.nlnetlabs.nl>
Cc: Takaya Ono <takaya.ono at sasktel.com>; Kim Huartson <kim.huartson at sasktel.com>; Rick Wanner <rick.wanner at sasktel.com>
Subject: Routinator repository blacklisted


Hello,



We have been using Routinator as an RPKI ROA proxy for several months now. Recently we noticed that the following sites, which are listed amongst Routinator’s repositories, have been blacklisted on Gremlins, and access to them is being blocked by our Spamhaus RPZ:



rpki-rrdp.mnihyc.com

rpki-rsync.mnihyc.com



They are currently being blocked approximately 1000 times per day.



List of Blacklists:

List:  DRBL vote node gremlin.ru  Host:  vote.drbl.gremlin.ru  Rating:  3

List:  DRBL work node gremlin.ru  Host:  work.drbl.gremlin.ru  Rating:  3



Apparently this has been happening on and off for at least six months.



Has anyone else run into that? Are these sites trustworthy? And more broadly, how is the Repositories’ security posture validated? In our experience the Spamhaus feed has a very low false-positive count, so for now we’re treating this as a threat and blocking it. If a site is compromised, is there a way to drop it from the list of Repositories, so that Routinator doesn’t send 1000s of unnecessary requests daily?



Thanks in advance for any advice on this matter!



Slav Messetchkov

Sr. Engineer Core Network & Service Development

SaskTel, TSI/NSD
