This is really neat. The design Junos had supported this day0, so it was really little work to expose it to users. I think Juniper developers immediately saw when delivering this feature that it can double as an arbitrary prefix-list delivery mechanism. Asking IOS-XR to support this would be quite a big change on their end. And I suspect the same is true for most vendors. So while I really like this, I don't think it'll be an option to me, due to multivendor network. On Tue, 17 Mar 2026 at 13:10, Martin Tonusoo via NANOG <nanog@lists.nanog.org> wrote:
Hi.
A short follow-up. I noticed that newer Junos releases allow to install validation records from a specific RTR session to a designated named validation database and, for example, this enables a setup where RTBH prefixes are not rejected if the RTR sessions for RTBH routes are down.
I modified the script generating the JSON file for RTRTR in a way that routers always have "0.0.0.0/0-32 ASN 0" and "::/0-128 ASN 0" validation records besides possible /32 v4 and /128 v6 RTBH validation records in validation database named "rtbh". The RTBH check in the BGP import policies list was moved back before the RPKI check. As an example, the RTBH check for v6 can be seen below:
root@vjr-17> show configuration policy-options policy-statement ipt-rtbh-v6 term reject-blackhole-rpki-invalid { from { family inet6; protocol bgp; community blackhole; validation-database-instance { database-name rtbh; state invalid; } } then { validation-state invalid; reject; } } term accept-blackhole-rpki-valid { from { family inet6; protocol bgp; community blackhole; validation-database-instance { database-name rtbh; state valid; } } then { local-preference 170; validation-state valid; origin igp; /* requires accept-remote-nexthop */ next-hop 100::1; accept; } } /* fallback if RTBH RTR sessions are down */ term accept-blackhole-rpki-unknown { from { family inet6; protocol bgp; community blackhole; validation-database-instance { database-name rtbh; state unknown; } route-filter ::/0 prefix-length-range /128-/128; } then { local-preference 170; validation-state unknown; origin igp; next-hop 100::1; accept; } } term reject-blackhole { from { family inet6; protocol bgp; community blackhole; } then reject; } then next policy;
root@vjr-17>
In summary, if the v6 blackhole prefix does not have a /128 entry in "rtbh" validation database, then it will be rejected thanks to "::/0-128 ASN 0" VRP. If the validation check is valid or unknown, then the /128 blackhole prefix is accepted.
I uploaded the configuration files here: https://gist.github.com/tonusoo/3e3cc16fe2008fcb9b47aa6e4831c73d
Martin _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/C65BRDKO...
-- ++ytti