Register ROA/RPKI with RIR

To register a ROA/RPKI (Route Origin Authorization / Resource Public Key Infrastructure) with a RIR (Regional Internet Registry) for the purpose of enabling BYOIP (Bring Your Own IP) on zenConsole, you need to validate your IP ownership and publish your ROAs (Route Origin Authorizations).

Prerequisites

  1. Make sure your IPv4 addresses are allocated to you by your RIR (ARIN, RIPE NCC, APNIC, LACNIC, or AFRINIC).

  2. Prepare the ASN (Autonomous System Number) that will announce the IPv4 block. The ASN of the Zenlayer elastic compute service is “62610”.

  3. RPKI/ROA validation is required to prevent route hijacking.

Procedures

1. Generate an RSA Private Key and Self-Signed X.509 Certificate

To create an RSA private key and a self-signed X.509 certificate, you can use the following OpenSSL commands:

openssl genpkey -aes256 -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private-key.pem
openssl req -new -x509 -key private-key.pem -out certificate.pem -days 365

During the execution of these commands, you will be prompted to set a password for the private key and provide certificate information, including:

  • Country Name (C): Your country code (e.g., US for the United States).

  • State or Province Name (ST): The full name of your state or province.

  • Locality Name (L): Your city.

  • Organization Name (O): The name of your organization.

  • Organizational Unit Name (OU): The name of your organizational unit.

  • Common Name (CN): The fully qualified domain name (FQDN) for which you're generating the certificate (e.g., www.example.com).

This process will generate two files:

  • private-key.pem: The RSA private key.

  • certificate.pem: The self-signed X.509 certificate.

2. Upload the Certificate to Your RIR's RDAP Record

After generating the certificate, you need to upload it to your RIR's RDAP record:

  1. Log in to your RIR's member portal (e.g., ARIN, RIPE NCC, APNIC, etc.).

  2. Navigate to the IPv4 prefix object that you wish to update.

  3. Edit the object's remarks field.

  4. Paste the contents of certificate.pem into the remarks field.

  5. Submit the changes.

This action will associate your self-signed certificate with your IPv4 prefix in the RIR's RDAP record.

3. Create a ROA

A ROA is a cryptographic attestation that your ASN is authorized to announce a specific IP prefix.

  1. Determine your ASN (Autonomous System Number) that will announce the IPv4 block.

  2. Navigate to the RPKI/ROA management section in the RIR portal, for example:

    • ARIN: “Resource Certificates / ROA”

    • RIPE NCC: “RPKI” → “Create ROA”

    • APNIC: “RPKI Manager”

  3. Create a ROA:

    • Prefix: the IPv4 block you want to bring to zenConsole.

    • Max length: usually matches your prefix length (e.g., /24 for IPv4).

    • Origin ASN: the ASN that will announce the prefix, either yours or a cloud-provided ASN if required (the ASN of Zenlayer is “65534”).

4. Publish the ROA

Once the ROA is created, it will be digitally signed and published in the RPKI repository. Most cloud providers periodically validate ROAs against the global RPKI repository.

5. Verify ROA Propagation

Use tools like:

Ensure the ROA shows as valid for the prefix and ASN.

Note

  • Make sure your ROA covers the exact prefix length you plan to announce. A mismatched max length can cause validation failures.

  • ROA creation can take minutes to hours to propagate in RPKI caches.
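
The max-length caveat above can be checked before you announce anything. The following is an added example, not Zenlayer's or any RIR's validator: a minimal route origin validation in the style of RFC 6811, run over constructed sample data (documentation prefix 203.0.113.0/24 and documentation ASNs 64496 and 64497). The names ROA, validate_origin and demo are hypothetical.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str       # prefix authorized in the ROA
    max_length: int   # longest prefix length the origin may announce
    origin_asn: int   # ASN authorized to originate the prefix


def validate_origin(announced: str, origin_asn: int, roas: list[ROA]) -> str:
    """Classify a BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(announced)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA is relevant only if it covers the announced prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Valid needs a matching origin AND a length within max_length.
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by some ROA but matched by none: validators treat it as invalid.
    return "invalid" if covered else "not-found"


# Constructed sample data: documentation prefix (RFC 5737) and ASNs (RFC 5398).
SAMPLE_ROAS = [ROA("203.0.113.0/24", 24, 64496)]


def demo() -> dict[str, str]:
    cases = {
        "exact /24, authorized origin": ("203.0.113.0/24", 64496),
        "/25 more specific than max length": ("203.0.113.0/25", 64496),
        "exact /24, different origin": ("203.0.113.0/24", 64497),
        "prefix with no covering ROA": ("198.51.100.0/24", 64496),
    }
    return {name: validate_origin(p, asn, SAMPLE_ROAS) for name, (p, asn) in cases.items()}


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{state:10} {name}")
```

The /25 case is the failure the note describes: once a ROA covers the block, a more-specific announcement beyond its max length is invalid, not merely unknown.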

What to Do Next

Go to zenConsole to advertise BYOIP. Submit the ROA information and ASN along with the IPv4 prefixes. We will validate the RPKI/ROA before activating BYOIP.
