NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0

BPKI validation behaviour #1204

Open tomhrr opened 3 weeks ago

tomhrr commented 3 weeks ago

Per mail to the mailing list, APNIC's BPKI TA (used for both provisioning and publication) will expire in mid-July of this year. While it is possible in Krill to update the TA used for the provisioning protocol, there is no option for that in the publication protocol, and since the current behaviour doesn't take account of the BPKI TA expiry date, we've advised our users that no action is required here (see https://orbit.apnic.net/hyperkitty/list/apnic-services@apnic.net/thread/CE4FTANNG46SCPXYXIKWAGJUQFLRVSKE/). This is just a note to say that if the BPKI validation behaviour changes in the future, it would be a good idea either to grandfather any existing provisioning/publication protocol links so that they continue to work as they do today, or to notify the user in some way where they are relying on an expired TA and that they should get an updated TA before updating Krill.