Resource Public Key Infrastructure (RPKI) is technology that is aimed at making the Border Gateway Protocol (BGP) more secure. NLnet Labs is developing a comprehensive set of free, open source tools to generate, publish and validate RPKI data. This project is funded by the Internet community.

RPKI is based on open standards and works by providing network operators a way to perform Route Origin Validation. Using the system, the legitimate holder of a block of IP addresses can make an authoritative statement about which Autonomous System (AS) is authorised to originate their IP prefix in BGP. In turn, other network operators can download and validate these statements and make routing decisions based on them.

For more information on how RPKI works, please refer to the documentation on Read the Docs.


The NLnet Labs RPKI toolset consists of two major projects: Krill, an RPKI Certificate Authority, as well as Routinator, a Relying Party software package.

Our mission is to offer software that is on par with our other projects, such as NSD and Unbound, in terms of quality, feature set and update frequency. Because we believe in transparent development, all components, including documentation and associated libraries, are publicly available on GitHub. The project is built exclusively in the Rust programming language.


Krill is the RPKI Certificate Authority (CA) and Publication Server daemon. It allows organisations to run RPKI on their own systems as a child of one or more Regional Internet Registries (RIRs), i.e. APNIC, AFRINIC, ARIN, LACNIC and RIPE NCC. Krill can also run under a different parent, such as a National Internet Registry (NIR) or Enterprise and, in turn, act as a parent for other CAs.

Using Krill, operators can generate their own RPKI cryptographic material, instead of relying on the hosted systems that the five RIRs provide. With the included Publication Server, operators can publish RPKI data themselves or let a third party, such as a Content Delivery Network, do it on their behalf.


Routinator is Relying Party software, also known as RPKI Validator. Operators can use it to download and validate the global RPKI data set and feed the result into their routers, or use it elsewhere in the BGP decision making process. Routinator has frequent releases and is actively being used in production environments.


For general discussion and exchanging operational experiences we provide a mailing list. This is also the place where we will announce releases of the applications and updates on the project. If you are interested in deploying our software or you would like more information, please do not hestitate to contact us.