[DBWG] issue report - AFRINIC RPKI intermediate CA overclaim

Tue Dec 12 07:50:04 UTC 2023

Hi Job,

We had some delays on the verification of the resources. 

We have now scheduled to re-issue afrinic-ca on Thursday 14th Dec, 2023. 

Regards,
David 

> On 11 Dec 2023, at 14:16, Job Snijders <job at fastly.com> wrote:
> 
> Dear David,
> 
> On Thu, Oct 26, 2023 at 04:40:49PM +0400, David Njuki wrote:
>> You are welcome :) 
>> 
>> We had initially considered to also add the correct listing for the
>> 196.0.0.0/7 but it needs more time for us to verify.
>> 
>> We’ll schedule to reissue the afrinic-ca.cer again as soon as this is
>> done. We’ll plan for this in early November. 
> 
> 
> Can you please share an update on the reissuance plans?
> 
> Kind regards,
> 
> Job
> 
> 
>> 
>> Regards,
>> David
>> 
>> 
>>> On 26 Oct 2023, at 13:18, Job Snijders <job at fastly.com> wrote:
>>> 
>>> Dear David,
>>> 
>>> On Thu, Oct 19, 2023 at 02:09:24PM +0400, David Njuki wrote:
>>>> We are planning to schedule it for next week Thursday, 26th October to
>>>> coincide with the next CRL update. 
>>> 
>>> Many thanks for the swift action. I now observe that 154.16.0.0/8 was
>>> split into the appropriate more-specifics.
>>> 
>>> I'm sorry to not have noticed before that a similar issue exists for the
>>> subordinate resource listing of 196.0.0.0/7. As I understand the RIR
>>> delegations, the following blocks are *not* managed by Afrinic:
>>> 
>>> 	196.1.1.0/24                 # APNIC
>>> 	196.1.68.0/24                # APNIC
>>> 	196.1.104.0 - 196.1.106.255  # APNIC
>>> 	196.1.108.0/22               # APNIC
>>> 	196.1.113.0 - 196.1.114.255  # APNIC
>>> 	196.1.134.0/24               # APNIC
>>> 	196.3.65.0/24                # APNIC
>>> 	196.3.72.0/24                # APNIC
>>> 	196.12.32.0/19               # APNIC
>>> 	196.15.16.0/20               # APNIC
>>> 	196.29.64.0/19               # LACNIC
>>> 	196.32.32.0/19               # LACNIC
>>> 	196.32.64.0/19               # LACNIC
>>> 	196.40.0.0 - 196.40.95.255   # LACNIC
>>> 
>>> So instead of listing 196.0.0.0/7, I believe the following should be
>>> listed as subordinate:
>>> 
>>> 	196.0.0.0 - 196.1.0.255
>>> 	196.1.2.0 - 196.1.67.255
>>> 	196.1.96.0/21
>>> 	196.1.107.0/24
>>> 	196.1.112.0/24
>>> 	196.1.115.0 - 196.1.133.255
>>> 	196.1.135.0 - 196.3.64.255
>>> 	196.3.66.0 - 196.3.71.255
>>> 	196.3.73.0 - 196.12.31.255
>>> 	196.12.64.0 - 196.15.15.255
>>> 	196.15.32.0 - 196.29.63.255
>>> 	196.32.96.0 - 196.39.255.255
>>> 	196.40.96.0 - 197.255.255.255
>>> 
>>> Please double-double-check the above suggestion! :-)
>>> 
>>> If you agree with the above assessment, can a new afrinic-ca.cer be
>>> issued? Hopefully this was the last overclaiming issue.
>>> 
>>> Kind regards,
>>> 
>>> Job
>> 