I concur. Four out of five RIR Trust Anchor Locators were recently updated to allow fetching the Trust Anchor via an HTTPS URI, further removing the dependence on rsync. Sadly, most TALs are not clearly published anywhere and I had to get them though GitHub issues and emails to be able to include them in the latest Routinator release. These are what we believe to be the correct, up-to-date RPKI TALs: https://github.com/NLnetLabs/routinator/tree/master/tals You can find more discussion about this topic here: https://github.com/NICMx/FORT-validator/issues/34 https://github.com/RIPE-NCC/rpki-validator-3/pull/215 RPA grief aside, ARIN seems to be the only RIR that publishes the latest version of their TAL clearly and correctly: https://www.arin.net/resources/manage/rpki/tal/ -Alex
On 2 Aug 2020, at 20:52, Randy Bush <randy@psg.com> wrote:
so i was trying to ensure i had a current set of TALs and was directed to
https://www.ripe.net/manage-ips-and-asns/resource-management/certification/r...
the supposed TAL at the bottom of the page is pretty creative. anyone know what to do there?
i kinda hacked with emacs and get
rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0jkRB0GZ0hoH6Ml03umLprRsn6v0xOP0+l6Qc1ZHMFVFb385IQ7FQQTcVIxrdeMsoyJq9eMkE6DoclHhF/NlSllXubASQ9KUWqJ0+Ot3QCXr4LXECMfkpkVR2TZT+v5v658bHVs6ZxRD1b6Uk1uQKAyHUbn/tXvP8lrjAibGzVsXDT2L0x4Edx+QdixPgOji3gBMyL2VwIDAQAB
but kinda expected an rrdp uri too
and, to add insult to injury, the APNIC web page with their TAL
https://www.apnic.net/community/security/resource-certification/
requires javascript!
not to mention the ARIN stupidity
as if we needed another exercise in bureaucrats making operations painful. most operations of any size have internal departments perfectly capable of doing that.
randy