On Fri, Jan 08, 2021 at 03:43:18PM +0100, Claudio Jeker wrote: > rpki-client is currently very strict about the ip ranges and as ranges in > certificates. If a child certificate has a uncovered range in its list it > is considered invalid and is removed from the pool (with it all the ROA > entries as well). > > Now rfc8360 relaxes this a bit and mentions that a ROA for 192.0.2.0/24 > is valid if that prefix is covered in all certs in the chain.
RFC 8360 makes a lot of sense OK job@
