If you're not on the routing-wg mailing list, there's something you should know
-------- Forwarded Message -------- Subject: [routing-wg] RPKI Outage Post-Mortem Date: Tue, 25 Feb 2020 15:12:15 +0100 From: Nathalie Trenaman nathalie@ripe.net To: routing-wg@ripe.net
Dear colleagues,
From Saturday 22 February at 08:24 (CET), any newly created, modified, or deleted ROAs (176 in total) could not be added to our publication server due to a disk problem. From that moment on, all the data was stored on the database, but the publication did not happen. The disk did not report any problems and, therefore, no engineer was alerted of this incident.
Due to the disk problem, starting from Sunday 23 February at 09:10 (CET), our CRL expired and our repository could not be properly updated. This was reported to us on Monday 24 February at 11:44 (CET). Immediately, our engineers fixed the disk problem, however, since the CRL expired, all underlying objects also expired. Depending on the Relying Party software an operator used, this abnormal behaviour appeared differently.
Initially, our engineers tried to do a full re-population of the RPKI repository, but unfortunately, this did not update the CRL in the validation tree. At 15:03 (CET), we performed a full CA key-roll, which was completed at 21:02 (CET) and resolved the problem. At 19:58 (CET), all objects in the backlog were published.
We apologise for any inconvenience this may have caused and we are taking all the necessary steps to ensure this incident does not appear again in the future.
Kind regards,
Nathalie Trenaman Routing Security Programme Manager RIPE NCC
Hi Massimiliano,
It would be nice to clarify which CA was rolled-over. Was it the root key that is present in the TAR files or the root RIPE CA or the hosted-CA keys?
Regards, Roque
On Tue, Feb 25, 2020 at 3:31 PM Massimiliano Stucchi max@stucchi.ch wrote:
If you're not on the routing-wg mailing list, there's something you should know
-------- Forwarded Message -------- Subject: [routing-wg] RPKI Outage Post-Mortem Date: Tue, 25 Feb 2020 15:12:15 +0100 From: Nathalie Trenaman nathalie@ripe.net To: routing-wg@ripe.net
Dear colleagues,
From Saturday 22 February at 08:24 (CET), any newly created, modified, or deleted ROAs (176 in total) could not be added to our publication server due to a disk problem. From that moment on, all the data was stored on the database, but the publication did not happen. The disk did not report any problems and, therefore, no engineer was alerted of this incident.
Due to the disk problem, starting from Sunday 23 February at 09:10 (CET), our CRL expired and our repository could not be properly updated. This was reported to us on Monday 24 February at 11:44 (CET). Immediately, our engineers fixed the disk problem, however, since the CRL expired, all underlying objects also expired. Depending on the Relying Party software an operator used, this abnormal behaviour appeared differently.
Initially, our engineers tried to do a full re-population of the RPKI repository, but unfortunately, this did not update the CRL in the validation tree. At 15:03 (CET), we performed a full CA key-roll, which was completed at 21:02 (CET) and resolved the problem. At 19:58 (CET), all objects in the backlog were published.
We apologise for any inconvenience this may have caused and we are taking all the necessary steps to ensure this incident does not appear again in the future.
Kind regards,
Nathalie Trenaman Routing Security Programme Manager RIPE NCC
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Hi Roque,
On 25/02/2020 15:45, Roque Gagliano wrote:
Hi Massimiliano,
It would be nice to clarify which CA was rolled-over. Was it the root key that is present in the TAR files or the root RIPE CA or the hosted-CA keys?
I have no idea. I don't work at RIPE NCC anymore, but I would say you can get directly in contact with Nathalie and I'm pretty sure she'll be happy to follow up.
Ciao!
On Tue, Feb 25, 2020 at 04:04:33PM +0100, Massimiliano Stucchi wrote:
Hi Roque,
On 25/02/2020 15:45, Roque Gagliano wrote:
Hi Massimiliano,
It would be nice to clarify which CA was rolled-over. Was it the root key that is present in the TAR files or the root RIPE CA or the hosted-CA keys?
I have no idea. I don't work at RIPE NCC anymore, but I would say you can get directly in contact with Nathalie and I'm pretty sure she'll be happy to follow up.
The CA for RIPE in the ripe repository was changed, the RIPE TAL is still the same. The validators will refetch all affected files and after that will be fine.
-
Claudio Jeker -
Massimiliano Stucchi -
Roque Gagliano