nanog mailing list archives
Re: RPKI TAs
From: Alex Band <alex () nlnetlabs nl>
Date: Mon, 3 Aug 2020 10:08:51 +0200
I concur. Four out of five RIR Trust Anchor Locators were recently updated to allow fetching the Trust Anchor via an HTTPS URI, further removing the dependence on rsync.

Sadly, most TALs are not clearly published anywhere and I had to get them through GitHub issues and emails to be able to include them in the latest Routinator release. These are what we believe to be the correct, up-to-date RPKI TALs:

https://github.com/NLnetLabs/routinator/tree/master/tals

You can find more discussion about this topic here:

https://github.com/NICMx/FORT-validator/issues/34
https://github.com/RIPE-NCC/rpki-validator-3/pull/215

RPA grief aside, ARIN seems to be the only RIR that publishes the latest version of their TAL clearly and correctly:

https://www.arin.net/resources/manage/rpki/tal/

-Alex
On 2 Aug 2020, at 20:52, Randy Bush <randy () psg com> wrote:

so i was trying to ensure i had a current set of TALs and was directed to

https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure

the supposed TAL at the bottom of the page is pretty creative. anyone know what to do there? i kinda hacked with emacs and get

rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

but kinda expected an rrdp uri too

and, to add insult to injury, the APNIC web page with their TAL

https://www.apnic.net/community/security/resource-certification/

requires javascript!

not to mention the ARIN stupidity as if we needed another exercise in bureaucrats making operations painful. most operations of any size have internal departments perfectly capable of doing that.

randy
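
Added example, not part of either message above and not code from Routinator or any other validator: a Python sanity check for a TAL file before it is handed to a relying-party validator, assuming the RFC 8630 layout (optional # comment lines, one rsync or https URI per line, a blank line, then the base64 SubjectPublicKeyInfo). The host rpki.example.net and the dummy key are constructed; the SHA-256 of the decoded key is returned so that copies of a TAL obtained from different places can be compared.

```python
import base64
import hashlib
from urllib.parse import urlsplit

def parse_tal(text):
    """Parse a TAL laid out per RFC 8630; return (uris, spki_der) or raise ValueError."""
    lines = text.replace("\r\n", "\n").split("\n")
    i = 0
    while i < len(lines) and lines[i].startswith("#"):  # optional comment section
        i += 1
    uris = []
    while i < len(lines) and lines[i].strip():  # URI section: one URI per line
        uri = lines[i].strip()
        if any(c.isspace() for c in uri):
            raise ValueError(f"whitespace inside URI line: {uri[:50]!r}")
        if urlsplit(uri).scheme not in ("rsync", "https"):
            raise ValueError(f"not an rsync/https URI: {uri[:50]!r}")
        uris.append(uri)
        i += 1
    if not uris:
        raise ValueError("no URI section")
    b64 = "".join(line.strip() for line in lines[i:])  # key may be wrapped
    if not b64:
        raise ValueError("no public key after the URI section")
    der = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if der[:1] != b"\x30":  # outer tag only: SubjectPublicKeyInfo is a DER SEQUENCE
        raise ValueError("key is not a DER SEQUENCE")
    return uris, der

def summarize(text):
    """URIs by scheme plus a SHA-256 of the key, for comparing copies of a TAL."""
    uris, der = parse_tal(text)
    return {"https": [u for u in uris if u.startswith("https://")],
            "rsync": [u for u in uris if u.startswith("rsync://")],
            "spki_sha256": hashlib.sha256(der).hexdigest()}

# Constructed sample data: placeholder host and a dummy key, not a real TAL.
BODY = b"constructed-sample-key"
SAMPLE_DER = bytes([0x30, len(BODY)]) + BODY
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
GOOD_TAL = ("# constructed sample\nhttps://rpki.example.net/ta/ta.cer\n"
            "rsync://rpki.example.net/ta/ta.cer\n\n" + SAMPLE_B64 + "\n")
MANGLED_TAL = "rsync://rpki.example.net/ta/ta.cerpublic.key.info " + SAMPLE_B64 + "\n"

if __name__ == "__main__":
    print(summarize(GOOD_TAL))
    try:
        parse_tal(MANGLED_TAL)
    except ValueError as err:
        print("rejected:", err)
```

The check covers layout and the outer DER tag only; it does not verify that the key matches the trust anchor certificate the URIs point to, which is the validator's job.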