Hi all, it's me again. The switch is complete. Thank you all for your patience.
/Carlos

On Mon, Apr 15, 2024 at 9:21 AM Carlos Martinez-Cagnazzo <carlosm3...@gmail.com> wrote:
>
> Hi all,
>
> We'll start in about 45 minutes.
>
> /Carlos
>
> On Mon, Apr 8, 2024 at 5:18 PM Carlos Martinez-Cagnazzo
> <carlosm3...@gmail.com> wrote:
> >
> > Hello all,
> >
> > On April 15th, 2024 starting approximately at 9.30am UTC-3 LACNIC will
> > be migrating from our current legacy RPKI CA system to a new
> > Krill-based RPKI core.
> >
> > In most cases no action will be required on your part (see below for
> > some special cases). What follows is a list of events that will take
> > place at the mentioned time and that may be of interest to you.
> >
> >   * Our TAL file won't change at this time. There is no need to
> >     change anything in your current RP configuration.
> >
> >   * Our RTA certificate, while keeping the old key will point to a
> >     new manifest.
> >
> > From the outside, what RPs will see is the following sequence of events:
> >
> >   * At some time T0 all our current servers (both RRDP and rsync)
> >     will be shut down, returning "connection refused" for both http and
> >     rsync.
> >   * New values for the DNS records will be published (same names,
> >     different IPs).
> >   * At approximately T0+30min the servers listening on the new IPs
> >     will be started and will start serving the repository as produced by
> >     the new Krill-based system.
> >   * When they first connect, RPs will see a new RRDP session and will
> >     take it from there.
> >
> > We have tested this migration flow using a set of docker containers
> > plus a DNS server container using dnsmasq server that allows us to
> > modify records on the fly. In all the cases we tested this flow works
> > just fine.
> >
> > We have tested this migration flow with the following RPs:
> >
> >   * rpki-client from “latest” all the way back to 8.2.
> >   * routinator from “latest” all the way back to 0.8.
> >   * fort from “latest” all the way back to 1.5.0.
> >
> > What we have not tested:
> >
> >   * RIPE rpki validator: it’s been deprecated for three years. You
> >     shouldn’t be running this and you know it :-) In any case, it should
> >     work.
> >   * OctoRPKI: also recently deprecated.
> >   * Rpki-prover.
> >   * RIPSTR.
> >
> > All of the above should work. However bear in mind the following: If
> > you are running any of the above and you notice issues, just clear the
> > local cache, launch a clean instance of your RP and you should be
> > fine.
> >
> > We have set up a specific email inbox for this migration work:
> > rpki-migrac...@lacnic.net. It will be closely monitored during April
> > 15 and the following days. It will be phased out once we are confident
> > all issues that may arise have been addressed.
> >
> > For those interested, the new servers are already online and can be
> > used to validate. These can be reached at:
> >
> >   * lb-us-mia.rrdp.lacnic.net
> >   * lb-us-southeast.rrdp.lacnic.net
> >   * lb-br-gru.rrdp.lacnic.net
> >
> > Don’t expect to see the exact same VRPs as you see now on our current
> > production server as minor differences are expected. Don’t hardcode
> > this either, as during the migration “rrdp.lacnic.net” will be made to
> > point to these servers and eventually these names may change and/or
> > new ones may be added.
> >
> > Thank you all!
> >
> > /Carlos
> >
> > --
> --
> =========================
> Carlos M. Martinez-Cagnazzo
> http://cagnazzo.me
> =========================

--
--
=========================
Carlos M. Martinez-Cagnazzo
http://cagnazzo.me
=========================
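
The announcement above says RPs "will see a new RRDP session and will take it from there". The following added example (not part of the original messages, and not code from LACNIC or any RP project) sketches the RFC 8182 decision a relying party makes from the notification file, which is why a session change needs no operator action. The session IDs, serials, hashes and example.net URIs are constructed.

```python
"""RRDP (RFC 8182) update decision for a relying party: snapshot or deltas."""
import xml.etree.ElementTree as ET

RRDP_NS = "http://www.ripe.net/rpki/rrdp"
NEW_SESSION = "9df4b597-af9e-4dca-bdda-719cce2c4e28"   # constructed UUID
OLD_SESSION = "1c33ba5d-4e16-448d-9a22-b12599ef1cba"   # constructed UUID

# Constructed notification file, as a repository might serve it after a CA
# migration: new session_id, low serial. Hash values are placeholders.
NEW_NOTIFICATION = f"""<notification xmlns="{RRDP_NS}" version="1"
    session_id="{NEW_SESSION}" serial="3">
  <snapshot uri="https://rrdp.example.net/s/3/snapshot.xml" hash="PLACEHOLDER"/>
  <delta serial="3" uri="https://rrdp.example.net/s/3/delta.xml" hash="PLACEHOLDER"/>
  <delta serial="2" uri="https://rrdp.example.net/s/2/delta.xml" hash="PLACEHOLDER"/>
</notification>"""

def parse_notification(xml_text):
    """Return (session_id, serial, sorted delta serials) from a notification file."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{RRDP_NS}}}notification" or root.get("version") != "1":
        raise ValueError("not an RRDP version 1 notification file")
    deltas = sorted(int(d.get("serial")) for d in root.findall(f"{{{RRDP_NS}}}delta"))
    return root.get("session_id"), int(root.get("serial")), deltas

def plan_update(local_state, xml_text):
    """local_state is None (empty cache) or a (session_id, serial) tuple."""
    session, serial, deltas = parse_notification(xml_text)
    if local_state is None or local_state[0] != session:
        # Empty cache or new session: drop RRDP state and fetch the full snapshot.
        return ("snapshot", serial)
    local_serial = local_state[1]
    if serial == local_serial:
        return ("up-to-date", serial)
    needed = list(range(local_serial + 1, serial + 1))
    if serial > local_serial and all(s in deltas for s in needed):
        return ("deltas", needed)          # contiguous deltas are available
    # Gap in the delta chain, or the serial went backwards: fall back to snapshot.
    return ("snapshot", serial)

if __name__ == "__main__":
    # An RP that last synced the pre-migration session at serial 4821 (constructed).
    print(plan_update((OLD_SESSION, 4821), NEW_NOTIFICATION))
```
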