[RPKI] Routinator repository blacklisted

Lukas Tribus lukas at ltri.eu
Tue Nov 29 23:24:22 UTC 2022


On Tue, 29 Nov 2022 at 23:38, Slav Messetchkov via RPKI
<rpki at lists.nlnetlabs.nl> wrote:
>
> Hi Alex,
>
> Thanks for your reply and clarifications!
>
> I'm still puzzled about what constitutes a "Repository" and how it is administered. I have trouble
> understanding how a tiny entity like mnihyc, publishing a single IPv6 /40 range can be listed
> together with ARIN, RIPE, and the likes.

The keyword here is delegated RPKI; I strongly suggest going through
some of the following documents to get a better understanding of it:

https://rpki.readthedocs.io/en/latest/rpki/implementation-models.html
https://www.ripe.net/participate/meetings/open-house/ripe-ncc-open-house-hosted-vs-delegated-rpki
https://www.arin.net/resources/manage/rpki/delegated/


Regarding your Spamhaus blocklist: AFAIK this list serves the purpose
of protecting the end-user from spam/phishing and other malicious
end-user threats. However, an RPKI validator is not a browser, and an RTR
client is not an end user. The goal of the Spamhaus blocklist has
nothing to do with RPKI validation and an RPKI validator does not
belong behind a Spamhaus-protected DNS recursor, especially one that
actively creates alerts when there are blacklist matches (which I
assume triggered your investigation).

You wouldn't ask your car mechanic to wear a seat belt while changing
the oil on your car, just because wearing a seat belt makes driving a
vehicle on the street a lot safer.


- lukas

