Upcoming LACNIC RPKI Migration

Hello all,

On April 15th, 2024 starting approximately at 9.30am UTC-3 LACNIC will
be migrating from our current legacy RPKI CA system to a new
Krill-based RPKI core.

In most cases no action will be required on your part (see below for
some special cases). What follows is a list of events that will take
place at the mentioned time and that may be of interest to you.

    * Our TAL file won't change at this time. There is no need to
change anything in your current RP configuration.

    * Our RTA certificate, while keeping the old key, will point to a
new manifest.

From the outside, what RPs will see is the following sequence of events:

   * At some time T0 all our current servers (both RRDP and rsync)
will be shut down, returning "connection refused" for both http and
rsync.
   * New values for the DNS records will be published (same names,
different IPs).
   * At approximately T0+30min the servers listening on the new IPs
will be started and will start serving the repository as produced by
the new Krill-based system.
   * When they first connect, RPs will see a new RRDP session and will
take it from there.

We have tested this migration flow using a set of docker containers
plus a DNS server container using dnsmasq server that allows us to
modify records on the fly. In all the cases we tested this flow works
just fine.

We have tested this migration flow with the following RPs:

      * rpki-client from “latest” all the way back to 8.2.
      * routinator from “latest” all the way back to 0.8.
      * fort from “latest” all the way back to 1.5.0.

What we have not tested:

      * RIPE rpki validator: it's been deprecated for three years. You
shouldn't be running this and you know it :) In any case, it should
work.
      * OctoRPKI: also recently deprecated.
      * Rpki-prover.
      * RIPSTR.

All of the above should work. However, bear in mind the following: If
you are running any of the above and you notice issues, just clear the
local cache, launch a clean instance of your RP and you should be
fine.

We have set up a specific email inbox for this migration work:
rpki-migracion@lacnic.net. It will be closely monitored during April
15 and the following days. It will be phased out once we are confident
all issues that may arise have been addressed.

For those interested, the new servers are already online and can be
used to validate. These can be reached at:

      * lb-us-mia.rrdp.lacnic.net
      * lb-us-southeast.rrdp.lacnic.net
      * lb-br-gru.rrdp.lacnic.net

Don’t expect to see the exact same VRPs as you see now on our current
production server as minor differences are expected. Don’t hardcode
this either, as during the migration “rrdp.lacnic.net” will be made to
point to these servers and eventually these names may change and/or
new ones may be added.

Thank you all!

/Carlos
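The "RPs will see a new RRDP session and will take it from there" step above is driven by the RFC 8182 notification-file rules: a changed session_id forces a snapshot fetch, while an unchanged session with a contiguous run of deltas lets the RP apply deltas. The following is an added example written for this thread (not LACNIC's, Krill's or any RP's code) that implements that decision; the notification documents, session ids, serials, URIs and hashes in it are constructed samples, and treating a serial that goes backwards within a session as a forced snapshot is a conservative choice of this example.

```python
# Added example: decide how an RP should sync after fetching a new RRDP
# notification file, per the RFC 8182 session_id / serial / delta rules.
import xml.etree.ElementTree as ET

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"

def parse_notification(xml_text):
    """Return (session_id, serial, sorted delta serials) from a notification file."""
    root = ET.fromstring(xml_text)
    if root.tag != RRDP_NS + "notification" or root.get("version") != "1":
        raise ValueError("not an RRDP v1 notification")
    deltas = sorted(int(d.get("serial")) for d in root.findall(RRDP_NS + "delta"))
    return root.get("session_id"), int(root.get("serial")), deltas

def plan_update(cached_session, cached_serial, notification_xml):
    """Return "noop", "deltas" or "snapshot" for the RP's next step.
    - same session_id, same serial                        -> noop
    - same session_id, every serial in (cached, new] listed as a delta -> deltas
    - new session_id, serial regression or a gap in the deltas        -> snapshot
    """
    session, serial, deltas = parse_notification(notification_xml)
    if session != cached_session:
        return "snapshot"          # new session (e.g. a CA migration): deltas from the old one are useless
    if serial == cached_serial:
        return "noop"
    if serial < cached_serial:
        return "snapshot"          # serial went backwards within a session: resync (conservative choice)
    needed = set(range(cached_serial + 1, serial + 1))
    if needed.issubset(deltas):
        return "deltas"
    return "snapshot"              # missing delta(s): fall back to the snapshot

# Constructed sample notifications (session ids, serials, URIs and hashes are made up).
OLD_SESSION = "11111111-1111-4111-8111-111111111111"
OLD_NOTIFICATION = """<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
  session_id="11111111-1111-4111-8111-111111111111" serial="1000">
  <snapshot uri="https://rrdp.example/1000/snapshot.xml" hash="00"/>
  <delta serial="999" uri="https://rrdp.example/999/delta.xml" hash="00"/>
  <delta serial="1000" uri="https://rrdp.example/1000/delta.xml" hash="00"/>
</notification>"""
NEW_SESSION_NOTIFICATION = """<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
  session_id="22222222-2222-4222-8222-222222222222" serial="3">
  <snapshot uri="https://rrdp.example/3/snapshot.xml" hash="00"/>
</notification>"""

if __name__ == "__main__":
    print(plan_update(OLD_SESSION, 998, OLD_NOTIFICATION))             # deltas
    print(plan_update(OLD_SESSION, 1000, NEW_SESSION_NOTIFICATION))    # snapshot
```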

Dear Carlos, LACNIC, and wider community,

I very much appreciate how LACNIC worked with various stakeholders
before publicly committing to the schedule outlined in Carlos' email.

From what I can see, LACNIC pro-actively and properly tested their
purported post-migration environment with a very broad set of old and new
versions of a myriad of RPKI cache implementations. Then they also
reached out to anyone they could think of, in a timely manner - to
accommodate the opportunity for feedback and confirm compliance with
IETF RPKI standards pre/during/post the upcoming migration.

LACNIC - your plan seems solid; thank you for sharing it with us.

Kind regards,

Job

Thanks Job! Much appreciated!

Hi all,

We'll start in about 45 minutes.

/Carlos

Hi all, it's me again.

The switch is complete. Thank you all for your patience.

/Carlos

Hi Carlos,

Congrats to you and the team for the smooth migration.

I can speak for all of us at NLnet Labs that we’re super proud that LACNIC is now running Krill.

Also, a special thanks to Tim Bruijnzeels (now back at the RIPE NCC) for the years of hard work on our open-source RPKI project – and for ironing out a small bump yesterday together with NIC.br after the switch-over.

Cheers,

Alex