[NLNOG] Fwd: [nznog] Removing the four stale TAL from the APNIC RPKI validation set.

Job Snijders job at ntt.net
Tue Feb 27 09:41:20 CET 2018


FYI

---------- Forwarded message ---------
From: George Michaelson <ggm at apnic.net>
Date: Tue, 27 Feb 2018 at 05:34
Subject: [nznog] Removing the four stale TAL from the APNIC RPKI validation set.
To: <nznog at list.waikato.ac.nz>


Updating RPKI trust anchor configuration
-------------------------------------------------------

APNIC has completed the process of transitioning from its previous Resource
Public Key Infrastructure (RPKI) trust anchor arrangement to a new single
trust anchor configuration.  Each RIR will publish an 'all resources'
global trust anchor, under which its own regional resources (IP addresses
and ASNs) will be certified. APNIC's trust anchor is one of the previous
five, which has been retained as the sole trust anchor over all APNIC
resource certificate products.

If you are using relying-party software, such as the Dragon Research Labs
RPKI Toolkit, RPSTIR or the RIPE NCC’s RPKI Validator, you are advised to
update your software’s configuration to use only the current APNIC trust
anchor, rather than the set of five APNIC trust anchors that were
previously in use. The update is to remove four of the five: one has been
retained as the current live Trust Anchor. Note: this update is not
critical. However, if it is not done, the software will log or report
warnings about being unable to retrieve the trust anchors that are no
longer being used. All resources now validate under the single active trust
anchor and no orphan products are valid under the other prior trust anchors.

The current APNIC TAL is as follows:

------
rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8
qH2ETVIL01ilxZlzIL9JYSORMN5Cmtf8V2JblIealSqgOTGjvSjEsiV73s67zYQI
7C/iSOb96uf3/s86NqbxDiFQGN8qG7RNcdgVuUlAidl8WxvLNI8VhqbAB5uSg/Mr
LeSOvXRja041VptAxIhcGzDMvlAJRwkrYK/Mo8P4E2rSQgwqCgae0ebY1CsJ3Cjf
i67C1nw7oXqJJovvXJ4apGmEv8az23OLC6Ki54Ul/E6xk227BFttqFV3YMtKx42H
cCcDVZZy01n7JjzvO8ccaXmHIgR7utnqhBRNNq5Xc5ZhbkrUsNtiJmrZzVlgU6Ou
0wIDAQAB
------


Configuring Relying Party Software
-----------------------------------------------

RIPE NCC RPKI Validator:  If you upgrade to RIPE validator
rpki-validator-app-2.24 the correct Trust Anchor is configured.  No further
work is required.

Dragon Research Labs Rcynic Validator:  If you run rcynic, you need to
remove all the TAL, TA or CER entries in rcynic.conf except ones which
point to apnic-rpki-root-iana-origin.cer or the related TAL. If you use the
trusted-certs/ directory, simply remove the four files which are named for
the non-APNIC RIR as follows:

cd /etc/trust-anchors # or wherever you place the TAL files
rm apnic-rpki-root-ripe-origin.tal
rm apnic-rpki-root-arin-origin.tal
rm apnic-rpki-root-lacnic-origin.tal
rm apnic-rpki-root-afrinic-origin.tal

RPSTIR: To modify an installed RPSTIR system, locate the
/usr/local/etc/rpstir directory and remove all but the current live APNIC
TAL.

More information is in the attached PDF describing how to update the trust
anchor configuration in these three popular relying-party software
systems.




-George
_______________________________________________
NZNOG mailing list
NZNOG at list.waikato.ac.nz
https://list.waikato.ac.nz/mailman/listinfo/nznog
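The TAL printed in the announcement and the "remove all but the current TAL" steps for rcynic and RPSTIR both come down to the same check: which TAL files in your trust-anchor directory point at the current APNIC root, and does the key in the one you keep decode to a sane RSA SubjectPublicKeyInfo. The following Python is an added example, not APNIC's or any validator's code. It parses the TAL text from the message above (URI line, blank line, base64 key, as RFC 7730 lays the format out), checks the key with a minimal DER reader, prints a SHA-256 fingerprint of the SPKI for comparison against what your validator logs, and flags TAL files whose URI list does not contain the current root. The stale TAL in the sample is constructed (same key bytes, URI changed to a retired root name), and the rsync URI used for it is an assumption, not a value from the announcement.

```python
"""Parse an RPKI Trust Anchor Locator (TAL) and identify stale TAL files.

Added example: uses only the standard library so it can run on a validator
host without extra packages.
"""
import base64
import hashlib

# TAL text copied from the APNIC announcement (URI, blank line, base64 SPKI).
APNIC_TAL = """\
rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8
qH2ETVIL01ilxZlzIL9JYSORMN5Cmtf8V2JblIealSqgOTGjvSjEsiV73s67zYQI
7C/iSOb96uf3/s86NqbxDiFQGN8qG7RNcdgVuUlAidl8WxvLNI8VhqbAB5uSg/Mr
LeSOvXRja041VptAxIhcGzDMvlAJRwkrYK/Mo8P4E2rSQgwqCgae0ebY1CsJ3Cjf
i67C1nw7oXqJJovvXJ4apGmEv8az23OLC6Ki54Ul/E6xk227BFttqFV3YMtKx42H
cCcDVZZy01n7JjzvO8ccaXmHIgR7utnqhBRNNq5Xc5ZhbkrUsNtiJmrZzVlgU6Ou
0wIDAQAB
"""

CURRENT_APNIC_URI = "rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer"

# Constructed stale TAL for illustration only: same key bytes, but the URI
# names one of the retired per-RIR roots. This URI is an assumption.
STALE_TAL_EXAMPLE = APNIC_TAL.replace("apnic-rpki-root-iana-origin.cer",
                                      "apnic-rpki-root-ripe-origin.cer")

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def parse_tal(text):
    """Split TAL text into (list of URIs, decoded SubjectPublicKeyInfo DER)."""
    uris, key_lines, in_key = [], [], False
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:            # the blank line separates URIs from the key
            in_key = True
            continue
        (key_lines if in_key else uris).append(line)
    if not uris or not key_lines:
        raise ValueError("TAL needs at least one URI and a base64 key")
    der = base64.b64decode("".join(key_lines), validate=True)
    return uris, der


def _read_tlv(buf, pos):
    """Minimal DER reader: returns (tag, value bytes, position after value)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:           # long-form length: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_rsa_spki(der):
    """Return (modulus bit length, public exponent) of an RSA SPKI, or raise."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, alg, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg, 0)
    if (alg_tag, oid_tag, oid) != (0x30, 0x06, RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr, 1)        # skip unused-bits octet
    _, modulus, pos = _read_tlv(rsa_key, 0)
    _, exponent, _ = _read_tlv(rsa_key, pos)
    return int.from_bytes(modulus, "big").bit_length(), int.from_bytes(exponent, "big")


def spki_fingerprint(der):
    """SHA-256 over the DER SPKI, for comparing against validator output."""
    return hashlib.sha256(der).hexdigest()


def stale_tals(tal_files, current_uri=CURRENT_APNIC_URI):
    """Given {filename: TAL text}, return the names that do not point at the
    current trust anchor URI, i.e. the files the announcement says to remove."""
    return sorted(name for name, text in tal_files.items()
                  if current_uri not in parse_tal(text)[0])


if __name__ == "__main__":
    uris, der = parse_tal(APNIC_TAL)
    bits, e = inspect_rsa_spki(der)
    print("URIs:", uris)
    print(f"RSA-{bits} key, e={e}, SHA-256(SPKI)={spki_fingerprint(der)}")
    print("stale:", stale_tals({"apnic-rpki-root-iana-origin.tal": APNIC_TAL,
                                "apnic-rpki-root-ripe-origin.tal": STALE_TAL_EXAMPLE}))
```

To apply this to a real trust-anchor directory, read each `*.tal` file into the dictionary passed to `stale_tals()` and review the returned names before deleting anything; the DER checks are deliberately strict so that a truncated or mis-pasted key fails loudly rather than being installed as a trust anchor.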
-------------- next part --------------
A non-text attachment was scrubbed...
Name: update-tal.pdf
Type: application/pdf
Size: 38687 bytes
Desc: not available
URL: <http://mailman.nlnog.net/pipermail/nlnog/attachments/20180227/eff86631/attachment-0001.pdf>
