Empty RPKI repositories (and missing trust anchor certificate) published

Incident Report for RIPE NCC

Postmortem

On 7 January 2026 at 15:11 UTC, all objects were removed from both our RRDP and rsync RPKI repositories. At 15:20 UTC, the repository state was restored, and all objects were back.

At 15:08 UTC, we did a production deployment of our CA software on the first application node. We deploy one node at a time so that we have zero downtime during deployments. We carried out a database DDL change on the table storing published objects, which took roughly 40 seconds to execute. During those 40 seconds, the online node queried the published objects in order to publish them. This transaction had to wait for the table lock held by the DDL change to be released. When the lock was released, PostgreSQL returned zero rows. We learned that this is a known caveat [1]: after rewrite commits, the table will appear empty to concurrent transactions.

We will implement circuit breakers between all phases of our publication process to prevent this situation from happening in the future.

[1] - https://www.postgresql.org/docs/18/mvcc-caveats.html
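The following is an added illustration of a circuit breaker between the "query published objects" and "publish" phases; it is not RIPE NCC's code. The function names, the 10% withdrawal threshold, the required-object list and the `rpki.example.net` URIs are assumptions made for this sketch. A candidate set that is empty, lacks a required object such as the trust anchor certificate, or would withdraw too many objects at once is rejected, and the last good state keeps being served.

```python
"""Circuit breaker between the query and publish phases (added sketch)."""

class PublicationBlocked(Exception):
    """The candidate object set failed a sanity check and must not be published."""

def check_candidate(previous, candidate, required_uris, max_withdraw_ratio=0.10):
    """Validate a candidate set (URI -> SHA-256 hex) against the published one.

    Returns the delta to publish, or raises PublicationBlocked.
    max_withdraw_ratio is an assumed policy value, not one from the report.
    """
    if previous and not candidate:
        # The failure mode in this incident: the query returned zero rows.
        raise PublicationBlocked(
            f"empty candidate set, {len(previous)} objects currently published")
    missing = sorted(u for u in required_uris if u not in candidate)
    if missing:
        raise PublicationBlocked(f"required objects missing: {missing}")
    withdrawn = previous.keys() - candidate.keys()
    if previous and len(withdrawn) / len(previous) > max_withdraw_ratio:
        raise PublicationBlocked(
            f"{len(withdrawn)} of {len(previous)} objects would be withdrawn")
    changed = [u for u, h in candidate.items() if previous.get(u) != h]
    return {"publish": sorted(changed), "withdraw": sorted(withdrawn)}

def guarded_publish(previous, candidate, required_uris):
    """Return (state_to_serve, reason). A tripped breaker keeps the last good state."""
    try:
        check_candidate(previous, candidate, required_uris)
    except PublicationBlocked as exc:
        return previous, str(exc)
    return candidate, None

# Constructed sample data: hypothetical URIs and placeholder hashes.
TA_CERT = "rsync://rpki.example.net/ta/example-ta.cer"
PUBLISHED = {TA_CERT: "aa" * 32}
PUBLISHED.update({f"rsync://rpki.example.net/repo/roa-{i}.roa": f"{i:064x}"
                  for i in range(19)})

if __name__ == "__main__":
    state, reason = guarded_publish(PUBLISHED, {}, [TA_CERT])
    print(len(state), "objects still served;", reason)
```

A blocked run should also raise an alert, since a legitimate mass withdrawal would need an operator to override the breaker.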

Apologies for the inconvenience this has caused.

Posted Jan 08, 2026 - 16:29 CET

Resolved

This incident has been resolved. We'll follow up tomorrow with an RFO.
Posted Jan 07, 2026 - 17:11 CET

Update

This issue was triggered by a software release that contained a database change. This change caused our systems to clear and re-publish the complete repository.
Posted Jan 07, 2026 - 16:42 CET

Monitoring

The initial incident has been resolved and we are monitoring the situation.
Posted Jan 07, 2026 - 16:28 CET

Identified

During a short time window (15:11 - 15:20 UTC) our RPKI systems published an empty set of data to the publication point. This propagated to both the rsync and RRDP endpoints.

We are investigating the situation and will provide more information later.
Posted Jan 07, 2026 - 16:27 CET
This incident affected: RPKI (RRDP Repository, rsync Repository).