On Sat, Jan 22, 2022 at 01:29:19PM +0000, Job Snijders wrote:
> On Sat, Jan 22, 2022 at 11:16:14AM +0100, Theo Buehler wrote:
> > +The error indicates that this is not the case or that the leaf tries
> > +to inherit resources that the trust anchor itself inherits.
>
> I am unable to understand the second part of the sentence: a leaf
> inheriting resources that the trust anchor inherits?
>
> AFAIK RPKI (and thus RFC 3779) trust anchors are not permitted to use
> 'inherit': they have to explicitly specify the list of ASNs and/or prefixes
> that are considered subordinate.

Yes, I agree. This is handled correctly for AS numbers, but for IP
addresses the current behavior is what I document.

> Can you elaborate?

It is what the code currently checks after the 'Trust anchor can't inherit'
comment in x509_addr.c addr_validate_path_internal(). The trust anchor is
permitted to have inheritance, just not for resources that cover resources
in the leaf.

> > Kind regards,
> >
> > Job
