dragonresearch / rpki.net

Dragon Research Labs rpki.net RPKI toolkit
54 stars 26 forks

Is JPNIC-NIR-EXP-01 traversable from APNIC TAs? #586

Closed sraustein closed 11 years ago

sraustein commented 11 years ago

Rcynic configured with APNIC TAs does not access rsync://rpki-repository.nic.ad.jp/rpki/JPNIC-NIR-EXP-01/.

A certificate in JPNIC-NIR-EXP-01's repository has an rsync URL and it is accessible. qxbPR13Z_l7V2m2bQHRwOS5Zgz4.cer has rsync://rpki-repository.nic.ad.jp/rpki/JPNIC-NIR-EXP-01/.

  Issuer: CN=A91A7381F00/serialNumber=E84B554A622A0F6F77E5A8FF08CCB93E996F9810
  Subject: CN=AB16CF475DD9FE5ED5DA6D9B407470392E59833E

rcynic.conf:

  [rcynic]
  rsync-program = /bin/rsync
  authenticated = /data/authenticated
  unauthenticated = /data/unauthenticated
  lockfile = /data/lock
  xml-summary = /data/rcynic.xml
  jitter = 10
  use-syslog = true
  log-level = log_debug

  trust-anchor-locator.1 = /etc/trust-anchors/testbed-apnicrpki.tal
  trust-anchor-locator.2 = /etc/trust-anchors/apnic-rpki-root-afrinic-origin.tal
  trust-anchor-locator.3 = /etc/trust-anchors/apnic-rpki-root-arin-origin.tal
  trust-anchor-locator.4 = /etc/trust-anchors/apnic-rpki-root-iana-origin.tal
  trust-anchor-locator.5 = /etc/trust-anchors/apnic-rpki-root-lacnic-origin.tal
  trust-anchor-locator.6 = /etc/trust-anchors/apnic-rpki-root-ripe-origin.tal

Am I missing some?

Trac ticket #573 component testbed priority major, owner sra, created by taiji-k on 2013-07-02T07:52:21Z, last modified 2013-07-18T15:35:40Z

sraustein commented 11 years ago

does opening the hole in the firewall fix this?

Trac comment by randy on 2013-07-02T08:38:26Z

sraustein commented 11 years ago

I believe so. My ripe validator instance against the rpki-testbed TAL sees the pub point.

Cheers

George On Jul 2, 2013 6:38 PM, "Trac Ticket System" tickets@trac.rpki.net wrote:

573: Is JPNIC-NIR-EXP-01 traversable from APNIC TAs?

  ----------------------+---------------------
    Reporter:  taiji-k  |  Owner:      sra
        Type:  defect   |  Status:     new
    Priority:  major    |  Component:  testbed
  Resolution:           |  Keywords:
  Blocked By:           |  Blocking:
  ----------------------+---------------------

Comment (by randy):

does opening the hole in the firewall fix this?

Ticket URL: https://trac.rpki.net/ticket/573#comment:1
RPKI project tracker https://trac.rpki.net/
Tracker for RPKI project

Trac comment by ggm@apnic.net on 2013-07-02T08:48:26Z

sraustein commented 11 years ago

You might also:

Trac comment by sra on 2013-07-02T08:48:36Z

sraustein commented 11 years ago

Tried, but there seems to be no rpki-repository.nic.ad.jp under data/.

Has anyone got some objects from rpki-repository.nic.ad.jp?

  # cd /var/rcynic/
  # ls -l data/authenticated
  lrwxrwxrwx 1 root root 34 Jul 2 19:12 data/authenticated -> authenticated.2013-07-02T09:54:15Z
  root@rpki-exp231:/var/rcynic# ls -l data/authenticated/
  total 32
  drwxr-xr-x 4 root root 4096 Jul 2 18:55 ca0.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:54 repo0.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:54 repository.lacnic.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:58 rgnet.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:54 rpki01.nic.ad.jp
  drwxr-xr-x 4 root root 4096 Jul 2 18:58 rpki.afrinic.net
  drwxr-xr-x 4 root root 4096 Jul 2 18:58 rpki.apnic.net
  drwxr-xr-x 4 root root 4096 Jul 2 18:56 rpki.ripe.net
  # ls -l data/unauthenticated/
  total 44
  drwxr-xr-x 4 root root 4096 Jul 2 18:55 ca0.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:56 iij.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:54 localcert.ripe.net:10873
  drwxr-xr-x 3 root root 4096 Jul 2 18:54 repo0.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:54 repository.lacnic.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:58 rgnet.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:54 rpki01.nic.ad.jp
  drwxr-xr-x 4 root root 4096 Jul 2 18:58 rpki.afrinic.net
  drwxr-xr-x 4 root root 4096 Jul 2 18:57 rpki.apnic.net
  drwxr-xr-x 4 root root 4096 Jul 2 18:55 rpki.ripe.net
  drwxr-xr-x 3 root root 4096 Jul 2 18:56 rpki-test.nordu.net
  # cat /var/rcynic/etc/rcynic.conf
  [rcynic]
  rsync-program = /usr/bin/rsync
  authenticated = /var/rcynic/data/authenticated
  unauthenticated = /var/rcynic/data/unauthenticated
  lockfile = /var/rcynic/data/lock
  xml-summary = /var/rcynic/data/rcynic.xml
  jitter = 600
  use-syslog = true
  log-level = log_usage_err

  trust-anchor-directory = /var/rcynic/etc/trust-anchors/

Replying to [comment:3 sra]:

You might also:

  • Switch from the trust-anchor-locator directives to the (relatively new) trust-anchor-directory directive, which would let you replace the entire set of trust-anchor-locator.//n// directives with just: {{{ trust-anchor-directory = /etc/trust-anchors/ }}}
  • Update your trust anchor collection from the ones in the distribution. E.g., you don't appear to have the TALs for RIPE, LACNIC, or AfriNIC. ARIN is off in their own whacky space with lawyers, so their TAL is not in our collection, at their request, but the others are all available in the source distribution, or directly at https://subvert-rpki.hactrn.net/trunk/rcynic/sample-trust-anchors/

Trac comment by taiji-k on 2013-07-02T10:19:16Z

sraustein commented 11 years ago

Has anyone got some objects from rpki-repository.nic.ad.jp?

i do not think my systems have chased your tal. and i do not think apnic is sending me to you.

send tal and i will stuff it into one of my caches

Trac comment by randy on 2013-07-02T10:23:48Z

sraustein commented 11 years ago

rsync://rpki-repository.nic.ad.jp/rpki/JPNIC-NIR-EXP-01/ should be located in a certificate issued by APNIC.

By the way, how do we make a TAL for a subordinate CA?

Trac comment by taiji-k on 2013-07-02T10:38:44Z

sraustein commented 11 years ago

rsync://rpki-repository.nic.ad.jp/rpki/JPNIC-NIR-EXP-01/ should be located in a certificate issued by APNIC.

well, if ggm accepted your request, the uri in that request should be in the cert issued by apnic. i have no way of knowing if that particular uri is correct.

By the way, how do we make a TAL for a subordinate CA?

i do not think you do. but i think i can envision where it would be useful, e.g. in LTA hacking.

Trac comment by randy on 2013-07-02T10:48:07Z

sraustein commented 11 years ago

By the way, how do we make a TAL for a subordinate CA?

i do not think you do. but i think i can envision where it would be useful, e.g. in LTA hacking.

It would not be difficult technically, but non-self-signed trust anchors are a bit dicey, so I'm not sure it would be useful.

Would need to work out the usage case for LTA hacking before we could know whether they made sense in that context. Note that non-self-signed means lack of proof-of-possession, which will make some people (and some software) twitch.

Trac comment by sra on 2013-07-02T22:21:27Z

sraustein commented 11 years ago

Now I put /var/rcynic/etc/trust-anchors/apnic-testbed.tal.

  $ head -1 /var/rcynic/etc//trust-anchors//apnic-testbed.tal
  rsync://rpki-testbed.apnic.net/repository/rpki-testbed.apnic.net.cer
  $

But there is no rpki-testbed/ after rcynic execution.

  $ ls /var/rcynic/etc//trust-anchors/
  afrinic.tal                          bbn-testbed.tal.disabled
  altca.tal                            jpnic.tal
  apnic-rpki-root-afrinic-origin.tal   lacnic.tal
  apnic-rpki-root-arin-origin.tal      README
  apnic-rpki-root-iana-origin.tal      ripe-ncc-root.tal
  apnic-rpki-root-lacnic-origin.tal    ripe-pilot.tal
  apnic-rpki-root-ripe-origin.tal      rpki.net-testbed.tal
  apnic-testbed.tal                    testbed-apnicrpki.tal.disabled
  $

  $ ls -l /var/rcynic/data/authenticated/
  total 20
  drwxr-xr-x 4 root root 4096 Jul 3 13:40 ca0.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 3 13:51 repository.lacnic.net
  drwxr-xr-x 4 root root 4096 Jul 3 13:37 rpki.afrinic.net
  drwxr-xr-x 4 root root 4096 Jul 3 13:40 rpki.apnic.net
  drwxr-xr-x 3 root root 4096 Jul 3 13:51 rpki01.nic.ad.jp
  $

  $ ls -l /var/rcynic/data/unauthenticated/
  total 24
  drwxr-xr-x 4 root root 4096 Jul 3 13:40 ca0.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 3 13:51 iij.rpki.net
  drwxr-xr-x 3 root root 4096 Jul 3 13:51 repository.lacnic.net
  drwxr-xr-x 4 root root 4096 Jul 3 13:37 rpki.afrinic.net
  drwxr-xr-x 4 root root 4096 Jul 3 13:40 rpki.apnic.net
  drwxr-xr-x 3 root root 4096 Jul 3 13:51 rpki01.nic.ad.jp
  $

rpki-testbed.apnic.net seems up, so I could rsync it from the command line.

Does someone have any ideas on why those directories have no rpki-testbed.apnic.net/ ?

Trac comment by taiji-k on 2013-07-03T05:30:33Z

sraustein commented 11 years ago

If you're using trust-anchor-locator directives, you need to add one for the new TAL. If you're using trust-anchor-directory, it should be automatic.

Trac comment by sra on 2013-07-03T05:34:03Z

sraustein commented 11 years ago

Current suspicion is that this is an old enough version of rcynic that it doesn't understand the trust-anchor-directory directive. Adding an explicit trust-anchor-locator directive seems to have worked.

Trac comment by sra on 2013-07-03T05:46:35Z

sraustein commented 11 years ago

Replying to [comment:11 sra]:

Current suspicion is that this is an old enough version of rcynic that it doesn't understand the trust-anchor-directory directive. Adding an explicit trust-anchor-locator directive seems to have worked.

Explicit trust-anchor-locator worked. I've got rpki-repository.nic.ad.jp/ with apnic-testbed.tal.

Now trying trust-anchor-directory directive this time.

Trac comment by taiji-k on 2013-07-03T07:11:25Z
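Added example, not part of this ticket or of the rpki.net toolkit: a small Python check that reads an rcynic.conf, lists the TALs it configures through either directive, reads each TAL's rsync URI the way taiji-k did with head -1, and reports which repository hosts actually have an authenticated/ tree; it also emits the explicit trust-anchor-locator lines that worked as the fallback for an rcynic too old to understand trust-anchor-directory. The handling of .tal versus .tal.disabled names, the constructed TAL contents and the demo directory tree are assumptions.

```python
import configparser, os, re, tempfile
from urllib.parse import urlparse

def tal_sources(conf_text):
    """Parse rcynic.conf text: ("directory", path) or ("locator", [paths in .N order])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["rcynic"]
    if "trust-anchor-directory" in sec:
        return "directory", sec["trust-anchor-directory"]
    keys = sorted((k for k in sec if re.fullmatch(r"trust-anchor-locator\.\d+", k)),
                  key=lambda k: int(k.rsplit(".", 1)[1]))
    return "locator", [sec[k] for k in keys]

def tal_files(kind, value):
    """Expand a directory into its *.tal files (assumed: *.tal.disabled files are skipped)."""
    if kind == "locator":
        return list(value)
    return sorted(os.path.join(value, f) for f in os.listdir(value) if f.endswith(".tal"))

def tal_uri(tal_text):
    """The first non-blank line of a TAL is the rsync URI of the trust anchor certificate."""
    return next(line.strip() for line in tal_text.splitlines() if line.strip())

def check_trust_anchors(conf_text, authenticated_dir):
    """Map TAL file name -> (repository host, whether authenticated/<host>/ was produced)."""
    report = {}
    for path in tal_files(*tal_sources(conf_text)):
        with open(path) as f:
            host = urlparse(tal_uri(f.read())).netloc
        report[os.path.basename(path)] = (host, os.path.isdir(os.path.join(authenticated_dir, host)))
    return report

def locator_directives(conf_text):
    """Workaround from the ticket: explicit trust-anchor-locator.N lines for an old rcynic."""
    paths = tal_files(*tal_sources(conf_text))
    return ["trust-anchor-locator.%d = %s" % (i, p) for i, p in enumerate(paths, 1)]

def demo():
    """Constructed tree mirroring the ticket: apnic-testbed.tal present, no output for its host."""
    root = tempfile.mkdtemp()
    tadir, auth = os.path.join(root, "trust-anchors"), os.path.join(root, "authenticated")
    for d in (tadir, os.path.join(auth, "rpki.apnic.net")): os.makedirs(d)  # only APNIC production tree exists
    tals = {"apnic-testbed.tal": "rsync://rpki-testbed.apnic.net/repository/rpki-testbed.apnic.net.cer",
            "apnic-rpki-root-iana-origin.tal": "rsync://rpki.apnic.net/repository/constructed-root.cer",
            "bbn-testbed.tal.disabled": "rsync://disabled.example/ignored.cer"}
    for name, uri in tals.items():
        with open(os.path.join(tadir, name), "w") as f:
            f.write(uri + "\n\nCONSTRUCTED-BASE64-KEY-PLACEHOLDER\n")  # constructed, not a real key
    conf = "[rcynic]\nauthenticated = %s\ntrust-anchor-directory = %s\n" % (auth, tadir)
    return check_trust_anchors(conf, auth), locator_directives(conf)
```

A TAL whose host shows up as False in the report is one that rcynic never fetched, which with an old rcynic and the trust-anchor-directory directive is exactly the symptom seen in this ticket.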

sraustein commented 11 years ago

Sort of a duplicate of another ticket about APNIC's testbed TAL. Addressed during JANOG32.

Trac comment by sra on 2013-07-18T15:35:40Z

sraustein commented 11 years ago

Closed with resolution fixed