From: Claudio Jeker Subject: Re: etc/rpki: add ARIN TAL To: Job Snijders Cc: Theo Buehler , tech@openbsd.org Date: Thu, 16 Jan 2025 21:14:33 +0100 On Thu, Jan 16, 2025 at 08:09:53PM +0000, Job Snijders wrote: > On Thu, Jan 16, 2025 at 08:38:03PM +0100, Theo Buehler wrote: > > On Thu, Jan 16, 2025 at 07:33:44PM +0000, Job Snijders wrote: > > > Dear all, > > > > > > ARIN revised their Trust Anchor Locator, their TAL now includes a > > > BSD-style disclaimer of warranties in the optional comment section. > > > > > > https://www.arin.net/announcements/20250116-tal/ > > > > > > OK? > > > > Unbelievable. Needs a matching entry in distrib/sets/lists/base/mi > > > > ok tb > > Ah, thanks! > > Perhaps we should also update the rpki-client(8) man page? > > Index: ./distrib/sets/lists/base/mi > =================================================================== > RCS file: /cvs/src/distrib/sets/lists/base/mi,v > diff -u -p -r1.1152 mi > --- ./distrib/sets/lists/base/mi 10 Dec 2024 08:41:46 -0000 1.1152 > +++ ./distrib/sets/lists/base/mi 16 Jan 2025 20:08:50 -0000 > @@ -297,6 +297,7 @@ > ./etc/rpki/apnic.constraints > ./etc/rpki/apnic.tal > ./etc/rpki/arin.constraints > +./etc/rpki/arin.tal > ./etc/rpki/lacnic.constraints > ./etc/rpki/lacnic.tal > ./etc/rpki/ripe.constraints > Index: etc/rpki/arin.tal > =================================================================== > RCS file: etc/rpki/arin.tal > diff -N etc/rpki/arin.tal > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ etc/rpki/arin.tal 16 Jan 2025 20:08:50 -0000 
> @@ -0,0 +1,20 @@ > +# THIS TRUST ANCHOR LOCATOR IS PROVIDED BY THE AMERICAN REGISTRY FOR > +# INTERNET NUMBERS (ARIN) "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, > +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF > +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. > +# IN NO EVENT SHALL ARIN BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, > +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT > +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, > +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY > +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT > +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE > +# OF THIS PUBLIC KEY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > +https://rrdp.arin.net/arin-rpki-ta.cer > +rsync://rpki.arin.net/repository/arin-rpki-ta.cer > + > +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3lZPjbHvMRV5sDDqfLc/685th5Fn > +reHMJjg8pEZUbG8Y8TQxSBsDebbsDpl3Ov3Cj1WtdrJ3CIfQODCPrrJdOBSrMATeUbPC+JlN > +f2SRP3UB+VJFgtTj0RN8cEYIuhBW5t6AxQbHhdNQH+A1F/OJdw0q9da2U29Lx85nfFxvnC1E > +pK9CbLJS4m37+RlpNbT1cba+b+loXpx0Qcb1C4UpJCGDy7uNf5w6/+l7RpATAHqqsX4qCtww > +DYlbHzp2xk9owF3mkCxzl0HwncO+sEHHeaL3OjtwdIGrRGeHi2Mpt+mvWHhtQqVG+51MHTyg > ++nIjWFKKGx1Q9+KDx4wJStwveQIDAQAB > Index: etc/Makefile > =================================================================== > RCS file: /cvs/src/etc/Makefile,v > diff -u -p -r1.490 Makefile > --- etc/Makefile 30 Jun 2024 17:30:54 -0000 1.490 > +++ etc/Makefile 16 Jan 2025 20:08:50 -0000 
> @@ -156,8 +156,8 @@ distribution-etc-root-var: distrib-dirs > ${DESTDIR}/etc/ppp > cd rpki; \ > ${INSTALL} -c -o root -g wheel -m 644 \ > - afrinic.tal apnic.tal lacnic.tal ripe.tal \ > - arin.constraints afrinic.constraints apnic.constraints \ > + afrinic.tal apnic.tal arin.tal lacnic.tal ripe.tal \ > + afrinic.constraints apnic.constraints arin.constraints \ > lacnic.constraints ripe.constraints \ > ${DESTDIR}/etc/rpki > cd examples; \ > Index: usr.sbin/rpki-client/rpki-client.8 > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/rpki-client.8,v > diff -u -p -r1.119 rpki-client.8 > --- usr.sbin/rpki-client/rpki-client.8 3 Jan 2025 10:32:21 -0000 1.119 > +++ usr.sbin/rpki-client/rpki-client.8 16 Jan 2025 20:08:50 -0000 > @@ -303,6 +303,7 @@ URL of HTTP proxy to use. > default TAL files used unless > .Fl t Ar tal > is specified. > +The TAL files of the five Regional Internet Registries are included. > .It Pa /etc/rpki/*.constraints > files containing registry-specific constraints to restrict what IP addresses > and AS identifiers may or may not appear in EE certificates subordinate to the > @@ -316,11 +317,6 @@ cached repository data. > .It Pa /var/db/rpki-client/openbgpd > default roa-set output file. > .El > -.Pp > -All the top-level TAL are included, except the ARIN TAL which is not > -made available with terms compatible with open source. > -That public key is treated as a proprietary object in a lengthy legal > -agreement regarding ARIN service restrictions. > .Sh EXIT STATUS > .Ex -std > .Sh SEE ALSO > Lovely, OK claudio@ -- :wq Claudio
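Review bot: in the new etc/rpki/arin.tal (hunk @@ -0,0 +1,20 @@), the six base64 lines after the blank line are the trust anchor's public key, and nothing in the patch or the thread lets a reader check them against what ARIN publishes. Suggest the commit message name the source (the thread cites https://www.arin.net/announcements/20250116-tal/) and state that the file was imported unmodified, comment block included, so a later comparison against ARIN's copy shows no difference.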
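Review bot: in etc/Makefile (hunk @@ -156,8 +156,8 @@), the second changed line only moves arin.constraints from first to third place in the install list, which is independent of adding arin.tal on the line above. Suggest mentioning the reordering in the commit message so it is not read as a functional change. This list and the ./etc/rpki/arin.tal entry added to distrib/sets/lists/base/mi are kept in step by hand, so both should be checked together after applying.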
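Review bot: in usr.sbin/rpki-client/rpki-client.8 (hunk @@ -303,6 +303,7 @@), the added sentence "The TAL files of the five Regional Internet Registries are included." does not say which files those are. Suggest naming them (afrinic.tal, apnic.tal, arin.tal, lacnic.tal, ripe.tal, as in the etc/Makefile install list) so an operator can compare /etc/rpki against the man page after an upgrade.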