HeadlinesBriefing favicon HeadlinesBriefing.com

Who runs tiny RPKI servers?

Hacker News •
×

The Internet's Border Gateway Protocol (BGP) lacks inherent trust, making it vulnerable to prefix hijacks. Resource Public Key Infrastructure (RPKI) aims to solve this by enabling IP address holders to cryptographically authorize which Autonomous System (AS) can originate their prefixes via Route Origin Authorizations (ROAs). While major Regional Internet Registries (RIRs) like ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC handle most ROAs, numerous smaller, independently operated publication servers also contribute to the global RPKI dataset.

These "small" servers, defined as announcing fewer than 1,300 ROA objects, are run by entities including cloud providers, ISPs, hobbyists, and RPKI as a Service (RPKIaa S) companies. They exist for various reasons: RPKIaa S providers offer managed services, organizations with multi-RIR allocations seek cross-RIR simplicity, and academic institutions or individuals may run servers for research, experimentation, or simply to deepen their understanding of Internet routing infrastructure.

Research analyzing data from April 23, 2026, revealed 3,778 ROA objects across 1,163 unique ASes. Of these, 3,444 (91%) were valid, 48 (1.2%) invalid, and 286 (7.6%) unknown. While the covered IP space might seem small in percentage, it includes critical services, and the failure of these smaller servers could render parts of the Internet unverifiable for some users.