RPKI TAs

so i was trying to ensure i had a current set of TALs and was directed to

    https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure

the supposed TAL at the bottom of the page is pretty creative. anyone
know what to do there?

i kinda hacked with emacs and get

    rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info

    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

but kinda expected an rrdp uri too

and, to add insult to injury, the APNIC web page with their TAL

    https://www.apnic.net/community/security/resource-certification/

requires javascript!

not to mention the ARIN stupidity

as if we needed another exercise in bureaucrats making operations
painful. most operations of any size have internal departments
perfectly capable of doing that.

randy

i kinda hacked with emacs and get

    rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info

    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

btw this is not correct/useful anyway. it probably should be more like

    rsync://rpki.ripe.net/ta/ripe-ncc-ta.cer

    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB

I concur.

Four out of five RIR Trust Anchor Locators were recently updated to allow fetching the Trust Anchor via an HTTPS URI, further removing the dependence on rsync. Sadly, most TALs are not clearly published anywhere and I had to get them through GitHub issues and emails to be able to include them in the latest Routinator release.

These are what we believe to be the correct, up-to-date RPKI TALs:

https://github.com/NLnetLabs/routinator/tree/master/tals

You can find more discussion about this topic here:

https://github.com/NICMx/FORT-validator/issues/34
https://github.com/RIPE-NCC/rpki-validator-3/pull/215

RPA grief aside, ARIN seems to be the only RIR that publishes the latest version of their TAL clearly and correctly:

https://www.arin.net/resources/manage/rpki/tal/

-Alex

<rhetorical question>

  why is it so hard that all RIRs make their TAL files available under
the same URL path but different hosts, e.g., https://ripe.net/rpki/tal,
https://arin.net/rpki/tal ?

</rhetorical question>

  obviously, a single TAL would be better but this needs even more
rhetoric ...

cheers
  matthias

  why is it so hard that all RIRs make their TAL files available under
the same URL path but different hosts, e.g., https://ripe.net/rpki/tal,
https://www.arin.net/resources/manage/rpki/tal/ ?

no, you are supposed to get TRUST material from alex's secret stash.
sigh.

it should be a dnssec lookup of ripe.net, tls secured lookup, find a TAL
as defined in the RFCs, and fetch it via tls.

randy

Hi Randy, all,

We’ve updated our page: https://www.ripe.net/manage-ips-and-asns/resource-management/certification/ripe-ncc-rpki-trust-anchor-structure
It now shows the correct TALs:
https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
https://tal.rpki.ripe.net/ripe-ncc-rfc8630.tal
https://tal.rpki.ripe.net/ripe-ncc-validator-3.tal (RIPE NCC RPKI Validator 3 format)

I hope this helps.

Best regards,
Nathalie Trenaman
RIPE NCC

https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)

looks great visually. stuffed in a dragon validator, just for qa.

thanks!

randy

Hi all,

We’ve also simplified our webpage:
https://afrinic.net/rpki/tal

And the URL to the TAL:
https://rpki.afrinic.net/tal/afrinic.tal

Cheers,
Amreesh Phokeer
AFRINIC

We've also simplified our webpage:
https://afrinic.net/rpki/tal

And the URL to the TAL:
https://rpki.afrinic.net/tal/afrinic.tal

thanks! wfm

randy