
List:       nanog
Subject:    Removing the four stale TAL from the APNIC RPKI validation set.
From:       George Michaelson <ggm () apnic ! net>
Date:       2018-02-27 4:44:41
Message-ID: 64163AA3-B6FD-447F-9DC0-A05AF0B9A290 () apnic ! net

Updating RPKI trust anchor configuration
-------------------------------------------------------

APNIC has completed the process of transitioning from its previous Resource Public
Key Infrastructure (RPKI) trust anchor arrangement to a new single trust anchor
configuration.  Each RIR will publish an 'all resources' global trust anchor, under
which its own regional resources (IP addresses and ASNs) will be certified. APNIC's
trust anchor is one of the previous five, which has been retained as the sole trust
anchor over all APNIC resource certificate products.

If you are using relying-party software, such as the Dragon Research Labs RPKI
Toolkit, RPSTIR or the RIPE NCC's RPKI Validator, you are advised to update your
software's configuration to use only the current APNIC trust anchor, rather than
the set of five APNIC trust anchors that were previously in use. The update is to
remove four of the five: one has been retained as the current live Trust Anchor.
Note: this update is not critical. However, if it is not done, the software will
log or report warnings about being unable to retrieve the trust anchors that are
no longer being used. All resources now validate under the single active trust
anchor and no orphan products are valid under the other prior trust anchors.

The current APNIC TAL is as follows:

------
rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8
qH2ETVIL01ilxZlzIL9JYSORMN5Cmtf8V2JblIealSqgOTGjvSjEsiV73s67zYQI
7C/iSOb96uf3/s86NqbxDiFQGN8qG7RNcdgVuUlAidl8WxvLNI8VhqbAB5uSg/Mr
LeSOvXRja041VptAxIhcGzDMvlAJRwkrYK/Mo8P4E2rSQgwqCgae0ebY1CsJ3Cjf
i67C1nw7oXqJJovvXJ4apGmEv8az23OLC6Ki54Ul/E6xk227BFttqFV3YMtKx42H
cCcDVZZy01n7JjzvO8ccaXmHIgR7utnqhBRNNq5Xc5ZhbkrUsNtiJmrZzVlgU6Ou
0wIDAQAB
------


Configuring Relying Party Software
-----------------------------------------------

RIPE NCC RPKI Validator:  If you upgrade to RIPE validator rpki-validator-app-2.24
the correct Trust Anchor is configured.  No further work is required.

Dragon Research Labs Rcynic Validator:  If you run rcynic, you need to remove all
the TAL, TA or CER entries in rcynic.conf except ones which point to
apnic-rpki-root-iana-origin.cer or the related TAL. If you use the trusted-certs/
directory, simply remove the four files which are named for the non-APNIC RIR as
follows:

cd /etc/trust-anchors # or wherever you place the TAL files
rm apnic-rpki-root-ripe-origin.tal
rm apnic-rpki-root-arin-origin.tal
rm apnic-rpki-root-lacnic-origin.tal
rm apnic-rpki-root-afrinic-origin.tal

RPSTIR:  To modify an installed RPSTIR system, locate the /usr/local/etc/rpstir
directory and remove all but the current live APNIC TAL.

More information is in the attached PDF describing how to update the trust anchor
configuration in these three popular relying-party software systems.



-George


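
To check a TAL file against this announcement before installing it, here is an added Python example (not from the post, APNIC or any of the validators named above): it parses the TAL's URI line and base64 subjectPublicKeyInfo, walks the DER to confirm the key is an rsaEncryption key and reports its modulus size, and tells whether the URI names the retained apnic-rpki-root-iana-origin.cer. The minimal DER walker and the function names are my own; the sample TAL is the one quoted in the post.

```python
import base64
import re
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1
CURRENT_APNIC_TA = "apnic-rpki-root-iana-origin.cer"      # the one TA the post keeps
# Sample input: the APNIC TAL exactly as quoted in the announcement.
APNIC_TAL = """\
rsync://rpki.apnic.net/repository/apnic-rpki-root-iana-origin.cer

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RWSL61YAAYumEiU8z8
qH2ETVIL01ilxZlzIL9JYSORMN5Cmtf8V2JblIealSqgOTGjvSjEsiV73s67zYQI
7C/iSOb96uf3/s86NqbxDiFQGN8qG7RNcdgVuUlAidl8WxvLNI8VhqbAB5uSg/Mr
LeSOvXRja041VptAxIhcGzDMvlAJRwkrYK/Mo8P4E2rSQgwqCgae0ebY1CsJ3Cjf
i67C1nw7oXqJJovvXJ4apGmEv8az23OLC6Ki54Ul/E6xk227BFttqFV3YMtKx42H
cCcDVZZy01n7JjzvO8ccaXmHIgR7utnqhBRNNq5Xc5ZhbkrUsNtiJmrZzVlgU6Ou
0wIDAQAB
"""

def der_tlv(buf, pos=0):
    # Read one DER tag-length-value at pos; return (tag, value, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_tal(text):
    # RFC 7730/8630 layout: URI lines, optional '#' comments and blank line, base64 SPKI.
    uris, b64 = [], []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            (uris if re.match(r"^(rsync|https)://", line) else b64).append(line)
    if not uris or not b64:
        raise ValueError("TAL needs at least one URI and a base64 key")
    return uris, base64.b64decode("".join(b64), validate=True)

def rsa_modulus_bits(spki):
    # SubjectPublicKeyInfo -> AlgorithmIdentifier (rsaEncryption) -> BIT STRING -> RSAPublicKey
    tag, body, _ = der_tlv(spki)
    _, alg, pos = der_tlv(body)
    oid_tag, oid, _ = der_tlv(alg)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bits, _ = der_tlv(body, pos)        # BIT STRING; first byte counts unused bits (0 here)
    _, modulus, _ = der_tlv(der_tlv(bits[1:])[1])  # RSAPublicKey SEQUENCE { n, e }; take n
    return int.from_bytes(modulus, "big").bit_length()

def check_tal(text):
    uris, spki = parse_tal(text)
    return uris[0].rsplit("/", 1)[-1] == CURRENT_APNIC_TA, rsa_modulus_bits(spki)  # (is current TA?, key bits)
```

Running check_tal on a TAL that is not the retained one, or whose key does not decode as an RSA subjectPublicKeyInfo, is how an operator spots a stale or mangled file before a validator starts logging retrieval warnings about it.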


