Re: [swinog] Fwd: [routing-wg] RPKI Outage Post-Mortem

2020-02-25 Thread Claudio Jeker
On Tue, Feb 25, 2020 at 04:04:33PM +0100, Massimiliano Stucchi wrote:
> 
> Hi Roque,
> 
> On 25/02/2020 15:45, Roque Gagliano wrote:
> > Hi Massimiliano,
> > 
> > It would be nice to clarify which CA was rolled-over. Was it the root
> > key that is present in the TAR files or the root RIPE CA or the
> > hosted-CA keys?
> 
> I have no idea.  I don't work at RIPE NCC anymore, but I would say you
> can get directly in contact with Nathalie and I'm pretty sure she'll be
> happy to follow up.
> 

The CA for RIPE in the ripe repository was changed, the RIPE TAL is still
the same. The validators will refetch all affected files and after that
will be fine.

-- 
:wq Claudio


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] Fwd: [routing-wg] RPKI Outage Post-Mortem

2020-02-25 Thread Massimiliano Stucchi

Hi Roque,

On 25/02/2020 15:45, Roque Gagliano wrote:
> Hi Massimiliano,
> 
> It would be nice to clarify which CA was rolled-over. Was it the root
> key that is present in the TAR files or the root RIPE CA or the
> hosted-CA keys?

I have no idea.  I don't work at RIPE NCC anymore, but I would say you
can get directly in contact with Nathalie and I'm pretty sure she'll be
happy to follow up.

Ciao!
-- 
Massimiliano Stucchi
MS16801-RIPE
Twitter/Telegram: @stucchimax





Re: [swinog] Fwd: [routing-wg] RPKI Outage Post-Mortem

2020-02-25 Thread Roque Gagliano
Hi Massimiliano,

It would be nice to clarify which CA was rolled-over. Was it the root key
that is present in the TAR files or the root RIPE CA or the hosted-CA keys?

Regards,
Roque


On Tue, Feb 25, 2020 at 3:31 PM Massimiliano Stucchi wrote:

>
> If you're not on the routing-wg mailing list, there's something you
> should know
>
>
> -------- Forwarded Message --------
> Subject: [routing-wg] RPKI Outage Post-Mortem
> Date: Tue, 25 Feb 2020 15:12:15 +0100
> From: Nathalie Trenaman 
> To: routing...@ripe.net
>
> Dear colleagues,
>
> From Saturday 22 February at 08:24 (CET), any newly created, modified,
> or deleted ROAs (176 in total) could not be added to our publication
> server due to a disk problem. From that moment on, all the data was
> stored on the database, but the publication did not happen. The disk did
> not report any problems and, therefore, no engineer was alerted of this
> incident.
>
> Due to the disk problem, starting from Sunday 23 February at 09:10
> (CET), our CRL expired and our repository could not be properly updated.
> This was reported to us on Monday 24 February at 11:44 (CET).
> Immediately, our engineers fixed the disk problem, however, since the
> CRL expired, all underlying objects also expired. Depending on the
> Relying Party software an operator used, this abnormal behaviour
> appeared differently.
>
> Initially, our engineers tried to do a full re-population of the RPKI
> repository, but unfortunately, this did not update the CRL in the
> validation tree. At 15:03 (CET), we performed a full CA key-roll, which
> was completed at 21:02 (CET) and resolved the problem. At 19:58 (CET),
> all objects in the backlog were published.
>
> We apologise for any inconvenience this may have caused and we are
> taking all the necessary steps to ensure this incident does not appear
> again in the future.
>
> Kind regards,
>
> Nathalie Trenaman
> Routing Security Programme Manager
> RIPE NCC
>
>
>
>


-- 


At least I did something
Don Draper - Mad Men



[swinog] Fwd: [routing-wg] RPKI Outage Post-Mortem

2020-02-25 Thread Massimiliano Stucchi

If you're not on the routing-wg mailing list, there's something you
should know


-------- Forwarded Message --------
Subject: [routing-wg] RPKI Outage Post-Mortem
Date: Tue, 25 Feb 2020 15:12:15 +0100
From: Nathalie Trenaman 
To: routing...@ripe.net

Dear colleagues,

From Saturday 22 February at 08:24 (CET), any newly created, modified,
or deleted ROAs (176 in total) could not be added to our publication
server due to a disk problem. From that moment on, all the data was
stored on the database, but the publication did not happen. The disk did
not report any problems and, therefore, no engineer was alerted of this
incident.

Due to the disk problem, starting from Sunday 23 February at 09:10
(CET), our CRL expired and our repository could not be properly updated.
This was reported to us on Monday 24 February at 11:44 (CET).
Immediately, our engineers fixed the disk problem, however, since the
CRL expired, all underlying objects also expired. Depending on the
Relying Party software an operator used, this abnormal behaviour
appeared differently.

Initially, our engineers tried to do a full re-population of the RPKI
repository, but unfortunately, this did not update the CRL in the
validation tree. At 15:03 (CET), we performed a full CA key-roll, which
was completed at 21:02 (CET) and resolved the problem. At 19:58 (CET),
all objects in the backlog were published.

We apologise for any inconvenience this may have caused and we are
taking all the necessary steps to ensure this incident does not appear
again in the future.

Kind regards,

Nathalie Trenaman
Routing Security Programme Manager
RIPE NCC
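
Added example, not part of the thread and not RIPE NCC's tooling: a freshness check on a CRL's thisUpdate/nextUpdate window, run over constructed hourly polls of a repository that stops republishing, as in the post-mortem above. The expiry and report times come from the post-mortem; the issue time of the last CRL and both thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))

# Times taken from the post-mortem.
CRL_EXPIRY = datetime(2020, 2, 23, 9, 10, tzinfo=CET)    # CRL expired
REPORTED = datetime(2020, 2, 24, 11, 44, tzinfo=CET)     # problem reported to RIPE NCC
# Assumptions, not from the post-mortem: issue time of the last CRL and both thresholds.
LAST_THIS_UPDATE = datetime(2020, 2, 22, 8, 10, tzinfo=CET)
MIN_REMAINING = timedelta(hours=8)   # alert when less validity than this is left
MAX_AGE = timedelta(hours=12)        # alert when thisUpdate is older than this


def check_crl(now, this_update, next_update):
    """Return the alerts raised by one observation of a CRL's validity window."""
    alerts = []
    if now >= next_update:
        alerts.append("EXPIRED")
    elif next_update - now < MIN_REMAINING:
        alerts.append("EXPIRING_SOON")
    if now - this_update > MAX_AGE:
        alerts.append("STALE")
    return alerts


def first_alert(observations):
    """Return (poll time, alerts) for the first poll that raises an alert, else None."""
    for now, this_update, next_update in observations:
        alerts = check_crl(now, this_update, next_update)
        if alerts:
            return now, alerts
    return None


def frozen_polls(start, hours):
    """Constructed sample: hourly polls of a repository whose CRL is never reissued."""
    return [(start + timedelta(hours=h), LAST_THIS_UPDATE, CRL_EXPIRY)
            for h in range(hours)]


if __name__ == "__main__":
    start = datetime(2020, 2, 22, 8, 30, tzinfo=CET)
    when, alerts = first_alert(frozen_polls(start, 72))
    print(when.isoformat(), alerts, "lead over the report:", REPORTED - when)
```

With these assumed thresholds the staleness alert fires well before the CRL expires, because it watches whether thisUpdate keeps advancing rather than waiting for nextUpdate to pass.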



