Study Reveals Small RPKI Publication Servers and Their Risks
Validate your ROAs and check BGP reachability; consider using RPKIaaS if you need independent control.
Validate your ROAs and check BGP reachability; consider using RPKIaaS if you need independent control.
Summary
A recent study examined the small RPKI publication servers that publish fewer than 1,300 ROA objects, revealing a long tail of independent operators behind the five Regional Internet Registries. The dataset, collected on 23 April 2026, contains 2,467 ROAs covering 3,778 prefixes across 1,163 ASes, with 91 % valid, 1.2 % invalid, and 7.6 % unknown. The largest server, r.magellan.ipxo.com, hosts 776 IPv4 prefixes, all BGP‑reachable, but 103 are at‑risk due to broad maxLength settings without full BGP coverage.
Other notable servers include repo.rpki.space, which shows spam‑infrastructure characteristics, and ca.nat.moe, where all 99 ROAs are unknown due to cryptographic validation failures. The study lists several motivations for running independent servers: offering RPKIaaS with a REST API, simplifying cross‑RIR management, conducting research or education, maintaining operational control, or simply learning. AWS’s RRDP servers were excluded because they use a distinct architecture. The findings underscore the importance of validating ROAs and ensuring BGP reachability for all published prefixes.
Key changes
- Small servers defined as <1,300 ROAs
- Dataset: 2,467 ROAs, 3,778 prefixes, 1,163 ASes
- 91% valid, 1.2% invalid, 7.6% unknown
- Largest server r.magellan.ipxo.com: 776 prefixes, 103 at‑risk
- repo.rpki.space flagged as spam infrastructure
- ca.nat.moe has 99 unknown objects due to validation failures
- Motivations: RPKIaaS, cross‑RIR, research, operational control, learning