From: Job Snijders
Subject: Re: etc/rpki: add ARIN TAL
To: Theo Buehler
Cc: tech@openbsd.org
Date: Thu, 16 Jan 2025 20:09:53 +0000

On Thu, Jan 16, 2025 at 08:38:03PM +0100, Theo Buehler wrote:
> On Thu, Jan 16, 2025 at 07:33:44PM +0000, Job Snijders wrote:
> > Dear all,
> >
> > ARIN revised their Trust Anchor Locator, their TAL now includes a
> > BSD-style disclaimer of warranties in the optional comment section.
> >
> > https://www.arin.net/announcements/20250116-tal/
> >
> > OK?
>
> Unbelievable. Needs a matching entry in distrib/sets/lists/base/mi
>
> ok tb

Ah, thanks!

Perhaps we should also update the rpki-client(8) man page?

Index: ./distrib/sets/lists/base/mi =================================================================== RCS file: /cvs/src/distrib/sets/lists/base/mi,v diff -u -p -r1.1152 mi --- ./distrib/sets/lists/base/mi 10 Dec 2024 08:41:46 -0000 1.1152 +++ ./distrib/sets/lists/base/mi 16 Jan 2025 20:08:50 -0000 @@ -297,6 +297,7 @@ ./etc/rpki/apnic.constraints ./etc/rpki/apnic.tal ./etc/rpki/arin.constraints +./etc/rpki/arin.tal ./etc/rpki/lacnic.constraints ./etc/rpki/lacnic.tal ./etc/rpki/ripe.constraints Index: etc/rpki/arin.tal =================================================================== RCS file: etc/rpki/arin.tal diff -N etc/rpki/arin.tal --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ etc/rpki/arin.tal 16 Jan 2025 20:08:50 -0000 
@@ -0,0 +1,20 @@ +# THIS TRUST ANCHOR LOCATOR IS PROVIDED BY THE AMERICAN REGISTRY FOR +# INTERNET NUMBERS (ARIN) "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL ARIN BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS PUBLIC KEY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +https://rrdp.arin.net/arin-rpki-ta.cer +rsync://rpki.arin.net/repository/arin-rpki-ta.cer + +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3lZPjbHvMRV5sDDqfLc/685th5Fn +reHMJjg8pEZUbG8Y8TQxSBsDebbsDpl3Ov3Cj1WtdrJ3CIfQODCPrrJdOBSrMATeUbPC+JlN +f2SRP3UB+VJFgtTj0RN8cEYIuhBW5t6AxQbHhdNQH+A1F/OJdw0q9da2U29Lx85nfFxvnC1E +pK9CbLJS4m37+RlpNbT1cba+b+loXpx0Qcb1C4UpJCGDy7uNf5w6/+l7RpATAHqqsX4qCtww +DYlbHzp2xk9owF3mkCxzl0HwncO+sEHHeaL3OjtwdIGrRGeHi2Mpt+mvWHhtQqVG+51MHTyg ++nIjWFKKGx1Q9+KDx4wJStwveQIDAQAB Index: etc/Makefile =================================================================== RCS file: /cvs/src/etc/Makefile,v diff -u -p -r1.490 Makefile --- etc/Makefile 30 Jun 2024 17:30:54 -0000 1.490 +++ etc/Makefile 16 Jan 2025 20:08:50 -0000 
@@ -156,8 +156,8 @@ distribution-etc-root-var: distrib-dirs ${DESTDIR}/etc/ppp cd rpki; \ ${INSTALL} -c -o root -g wheel -m 644 \ - afrinic.tal apnic.tal lacnic.tal ripe.tal \ - arin.constraints afrinic.constraints apnic.constraints \ + afrinic.tal apnic.tal arin.tal lacnic.tal ripe.tal \ + afrinic.constraints apnic.constraints arin.constraints \ lacnic.constraints ripe.constraints \ ${DESTDIR}/etc/rpki cd examples; \ Index: usr.sbin/rpki-client/rpki-client.8 =================================================================== RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v diff -u -p -r1.119 rpki-client.8 --- usr.sbin/rpki-client/rpki-client.8 3 Jan 2025 10:32:21 -0000 1.119 +++ usr.sbin/rpki-client/rpki-client.8 16 Jan 2025 20:08:50 -0000 @@ -303,6 +303,7 @@ URL of HTTP proxy to use. default TAL files used unless .Fl t Ar tal is specified. +The TAL files of the five Regional Internet Registries are included. .It Pa /etc/rpki/*.constraints files containing registry-specific constraints to restrict what IP addresses and AS identifiers may or may not appear in EE certificates subordinate to the @@ -316,11 +317,6 @@ cached repository data. .It Pa /var/db/rpki-client/openbgpd default roa-set output file. .El -.Pp -All the top-level TAL are included, except the ARIN TAL which is not -made available with terms compatible with open source. -That public key is treated as a proprietary object in a lengthy legal -agreement regarding ARIN service restrictions. .Sh EXIT STATUS .Ex -std .Sh SEE ALSO
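
Review bot: in the new etc/rpki/arin.tal, the base64 public key block after the blank line is installed as a default trust anchor, yet neither the patch nor the message records how those key bytes were checked. Before commit, compare the block against the copy ARIN publishes via the announcement URL quoted above, fetched over a path independent of this mail, and state in the commit message where the file was taken from.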
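
Review bot: in the first rpki-client.8 hunk, the sentence added under the /etc/rpki/*.tal item says the TAL files of the five Regional Internet Registries are included but does not name them, and the paragraph removed in the second hunk was the only text that mentioned ARIN by name. Consider listing the installed files (afrinic.tal, apnic.tal, arin.tal, lacnic.tal, ripe.tal, as in the etc/Makefile hunk) so an operator can check the contents of /etc/rpki against the manual page.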