
From: Claudio Jeker <cjeker@diehard.n-r-g.com>
Subject: Re: etc/rpki: add ARIN TAL
To: Job Snijders <job@openbsd.org>
Cc: Theo Buehler <tb@theobuehler.org>, tech@openbsd.org
Date: Thu, 16 Jan 2025 21:14:33 +0100

On Thu, Jan 16, 2025 at 08:09:53PM +0000, Job Snijders wrote:
> On Thu, Jan 16, 2025 at 08:38:03PM +0100, Theo Buehler wrote:
> > On Thu, Jan 16, 2025 at 07:33:44PM +0000, Job Snijders wrote:
> > > Dear all,
> > > 
> > > ARIN revised their Trust Anchor Locator, their TAL now includes a
> > > BSD-style disclaimer of warranties in the optional comment section.
> > > 
> > > https://www.arin.net/announcements/20250116-tal/
> > > 
> > > OK?
> > 
> > Unbelievable.  Needs a matching entry in distrib/sets/lists/base/mi
> >
> > ok tb
> 
> Ah, thanks!
> 
> Perhaps we should also update the rpki-client(8) man page?
> 
> Index: ./distrib/sets/lists/base/mi
> ===================================================================
> RCS file: /cvs/src/distrib/sets/lists/base/mi,v
> diff -u -p -r1.1152 mi
> --- ./distrib/sets/lists/base/mi	10 Dec 2024 08:41:46 -0000	1.1152
> +++ ./distrib/sets/lists/base/mi	16 Jan 2025 20:08:50 -0000
> @@ -297,6 +297,7 @@
>  ./etc/rpki/apnic.constraints
>  ./etc/rpki/apnic.tal
>  ./etc/rpki/arin.constraints
> +./etc/rpki/arin.tal
>  ./etc/rpki/lacnic.constraints
>  ./etc/rpki/lacnic.tal
>  ./etc/rpki/ripe.constraints
> Index: etc/rpki/arin.tal
> ===================================================================
> RCS file: etc/rpki/arin.tal
> diff -N etc/rpki/arin.tal
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ etc/rpki/arin.tal	16 Jan 2025 20:08:50 -0000
> @@ -0,0 +1,20 @@
> +# THIS TRUST ANCHOR LOCATOR IS PROVIDED BY THE AMERICAN REGISTRY FOR
> +# INTERNET NUMBERS (ARIN) "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
> +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
> +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> +# IN NO EVENT SHALL ARIN BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
> +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
> +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> +# OF THIS PUBLIC KEY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> +https://rrdp.arin.net/arin-rpki-ta.cer
> +rsync://rpki.arin.net/repository/arin-rpki-ta.cer
> +
> +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3lZPjbHvMRV5sDDqfLc/685th5Fn
> +reHMJjg8pEZUbG8Y8TQxSBsDebbsDpl3Ov3Cj1WtdrJ3CIfQODCPrrJdOBSrMATeUbPC+JlN
> +f2SRP3UB+VJFgtTj0RN8cEYIuhBW5t6AxQbHhdNQH+A1F/OJdw0q9da2U29Lx85nfFxvnC1E
> +pK9CbLJS4m37+RlpNbT1cba+b+loXpx0Qcb1C4UpJCGDy7uNf5w6/+l7RpATAHqqsX4qCtww
> +DYlbHzp2xk9owF3mkCxzl0HwncO+sEHHeaL3OjtwdIGrRGeHi2Mpt+mvWHhtQqVG+51MHTyg
> ++nIjWFKKGx1Q9+KDx4wJStwveQIDAQAB
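Review bot: Nothing in the new etc/rpki/arin.tal or in the surrounding diff records where the base64 public key after the blank separator line was taken from. That key becomes the trust root for everything validated under the two arin-rpki-ta.cer URIs, so the commit message should name the source (the ARIN announcement linked in the thread) and state that the key block was compared against ARIN's published copy before import.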
> Index: etc/Makefile
> ===================================================================
> RCS file: /cvs/src/etc/Makefile,v
> diff -u -p -r1.490 Makefile
> --- etc/Makefile	30 Jun 2024 17:30:54 -0000	1.490
> +++ etc/Makefile	16 Jan 2025 20:08:50 -0000
> @@ -156,8 +156,8 @@ distribution-etc-root-var: distrib-dirs
>  		    ${DESTDIR}/etc/ppp
>  	cd rpki; \
>  		${INSTALL} -c -o root -g wheel -m 644 \
> -		    afrinic.tal apnic.tal lacnic.tal ripe.tal \
> -		    arin.constraints afrinic.constraints apnic.constraints \
> +		    afrinic.tal apnic.tal arin.tal lacnic.tal ripe.tal \
> +		    afrinic.constraints apnic.constraints arin.constraints \
>  		    lacnic.constraints ripe.constraints \
>  		    ${DESTDIR}/etc/rpki
>  	cd examples; \
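Review bot: The second changed line moves arin.constraints from the front of the list to its alphabetical position, which is separate from installing arin.tal on the first changed line. It is harmless, but a word in the commit message would keep the reorder from being read as a functional change to what lands in ${DESTDIR}/etc/rpki.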
> Index: usr.sbin/rpki-client/rpki-client.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v
> diff -u -p -r1.119 rpki-client.8
> --- usr.sbin/rpki-client/rpki-client.8	3 Jan 2025 10:32:21 -0000	1.119
> +++ usr.sbin/rpki-client/rpki-client.8	16 Jan 2025 20:08:50 -0000
> @@ -303,6 +303,7 @@ URL of HTTP proxy to use.
>  default TAL files used unless
>  .Fl t Ar tal
>  is specified.
> +The TAL files of the five Regional Internet Registries are included.
>  .It Pa /etc/rpki/*.constraints
>  files containing registry-specific constraints to restrict what IP addresses
>  and AS identifiers may or may not appear in EE certificates subordinate to the
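Review bot: The added sentence says "the five Regional Internet Registries" without naming them, and the paragraph removed in the next hunk was the only text that named a specific registry. Consider listing them (AFRINIC, APNIC, ARIN, LACNIC, RIPE NCC) so a reader can match the sentence against the *.tal files installed under /etc/rpki and see exactly which trust anchors are active by default.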
> @@ -316,11 +317,6 @@ cached repository data.
>  .It Pa /var/db/rpki-client/openbgpd
>  default roa-set output file.
>  .El
> -.Pp
> -All the top-level TAL are included, except the ARIN TAL which is not
> -made available with terms compatible with open source.
> -That public key is treated as a proprietary object in a lengthy legal
> -agreement regarding ARIN service restrictions.
>  .Sh EXIT STATUS
>  .Ex -std
>  .Sh SEE ALSO
> 

Lovely, OK claudio@

-- 
:wq Claudio