Releases: NLnetLabs/routinator

0.11.1-rc1

04 Apr 12:44
f0afc8a
Pre-release

New

  • The dump command now also copies the stored trust anchor certificates. The certificates are named in the same way as they are internally using the hash over their URI. Please consult the manual for details. (#740)

Bug Fixes

  • The dump command now removes the internal header before copying the objects retained by the RRDP collector, i.e., the files copied into the rrdp sub-directory now contain the actual DER encoded data only. (#735)
  • Correctly set the idle time for TCP keepalives on incoming RTR connections on systems that support it. (#736)
  • Fix an encoding error in the /delta-json output. (#737)
  • Truncate the PID file before writing the current PID to it. (#738)
  • Exit with a status of 1 if an error happened. (#739)

0.11.0

28 Feb 11:18
8924496

Breaking Changes

  • The minimal supported Rust version is now 1.52. (#681)

New

  • Add TLS support to the RTR and HTTP servers. (#677)
  • Add support for BGPsec router keys. This needs to be explicitly enabled via the new enable-bgpsec command line and config file option. (#693)
  • Reject so-called premature manifests, i.e., manifests that have an issue time before the current time. This is a new requirement in draft-ietf-sidrops-6486bis. (#681, #690)
  • Add a new output format slurm that produces a JSON file formatted according to RFC 8416 with the validated payload included in the locally added assertions. (#702)
  • Make the (standard) JSON payload output available under /api/v1/origins with the same URL parameters. (#707)
  • Add a new URI parameter include=more-specifics to all HTTP payload output paths to include all route origins for prefixes that are more specifics of the selected prefixes. (#707)
  • Add a new option --more-specifics to the vrps command to include all route origins for prefixes that are more specifics of the selected prefixes. (#714)
  • Accept and process HEAD requests for all HTTP paths. (#707)

Bug Fixes

  • Encountering stray files at the top level of the rsync cache directory will not cause Routinator to exit any more. Instead, it will just delete those files. (#675)
  • Don’t exit when a directory to be deleted doesn’t exist. In particular, this fixes an error in the dump command. (#682)
  • Count all valid CRLs for metrics generation during a validation run. (#683)
  • Don’t claim filtering of unsafe VRPs when the policy is warn. (Only the log message was wrong, no VRPs were filtered in this case.) (#699)
  • Use a TCP listener socket for the RTR server passed in via systemd socket activation if configured. This was already implemented but got lost a few versions ago. (#709)
  • Enable TCP keepalive on RTR connections when configured. This, too, was already implemented but got lost a few versions ago. (#710)

Other Changes

  • Update the NLnet Labs RPKI testbed TAL to the one used by the new server. (#637)

0.11.0-rc2

21 Feb 14:47
dae0644
Pre-release

Bug Fixes

  • Change the content type of the /log endpoint back to text/plain. (#719)
  • Improve the way timed out rsync processes are killed in an attempt to avoid them becoming zombies. (#720)

0.11.0-rc1

10 Feb 10:50
ada9a2d
Pre-release

Breaking Changes

  • The minimal supported Rust version is now 1.52. (#681)

New

  • Add TLS support to the RTR and HTTP servers. (#677)
  • Add support for BGPsec router keys. This needs to be explicitly enabled via the new enable-bgpsec command line and config file option. (#693)
  • Reject so-called premature manifests, i.e., manifests that have an issue time before the current time. This is a new requirement in draft-ietf-sidrops-6486bis. (#681, #690)
  • Add a new output format slurm that produces a JSON file formatted according to RFC 8416 with the validated payload included in the locally added assertions. (#702)
  • Make the (standard) JSON payload output available under /api/v1/origins with the same URL parameters. (#707)
  • Add a new URI parameter include=more-specifics to all HTTP payload output paths to include all route origins for prefixes that are more specifics of the selected prefixes. (#707)
  • Add a new option --more-specifics to the vrps command to include all route origins for prefixes that are more specifics of the selected prefixes. (#714)
  • Accept and process HEAD requests for all HTTP paths. (#707)

Bug Fixes

  • Encountering stray files at the top level of the rsync cache directory will not cause Routinator to exit any more. Instead, it will just delete those files. (#675)
  • Don’t exit when a directory to be deleted doesn’t exist. In particular, this fixes an error in the dump command. (#682)
  • Count all valid CRLs for metrics generation during a validation run. (#683)
  • Don’t claim filtering of unsafe VRPs when the policy is warn. (Only the log message was wrong, no VRPs were filtered in this case.) (#699)
  • Use a TCP listener socket for the RTR server passed in via systemd socket activation if configured. This was already implemented but got lost a few versions ago. (#709)
  • Enable TCP keepalive on RTR connections when configured. This, too, was already implemented but got lost a few versions ago. (#710)

Other Changes

  • Update the NLnet Labs RPKI testbed TAL to the one used by the new server. (#637)

0.10.2 ‘Skuffet, men ikke overrasket’

09 Nov 15:32
a215402

Bug Fixes

  • The rrdp-timeout configuration setting now correctly limits the maximum length an RRDP request can take. This prevents a possible issue where an RRDP repository maliciously or erroneously delays a request and subsequently a validation run. (#666, CVE-2021-43173)

New

  • The new configuration setting max-ca-depth limits the length of a chain of CAs from a trust anchor. By default it is set to 32. This fixes a possible vulnerability where a CA creates an infinite chain of CAs. (#665, CVE-2021-43172)

Other Changes

  • Support for the gzip transfer encoding for RRDP has been removed because gzip in combination with XML provides multiple ways to delay validation. The configuration setting rrdp-disable-gzip is now deprecated and will be removed in the next breaking release. (#667, CVE-2021-43174)

0.10.1 ‘That’s No Moon’

20 Sep 11:02
e715237

Other Changes

0.10.1-rc3

15 Sep 13:35
3ecf1d5
Pre-release

Other Changes

  • Update UI to 0.3.4. (#651)
    • Fixed links for prefixes.

0.10.1-rc2

13 Sep 14:49
9e8e3d4
Pre-release

Bug Fixes

  • Redirect / to /ui to bring back the UI for the blank hostname. (#648)

Other Changes

  • Update UI to 0.3.3.
    • Fixes UI loading with query parameters.

0.10.1-rc1

13 Sep 13:11
77f3594
Pre-release

Other Changes

  • Extended UI with BGP and allocation data lookups. (#635)
  • The UI now lives in its own crate routinator-ui. (#635)

0.10.0 ‘Through Many Dangers, Toils, and Snares’

23 Aug 12:00

Breaking changes

  • Data is now stored directly in the file system again. This returns memory consumption to pre-0.9 levels. All improvements to robustness have been maintained. (#590, #601, #604)
  • The json and jsonext output formats now include a metadata object that contains the time the data set was created in the generated and generatedTime fields as Unix and ISO time stamps, respectively. (#605)
  • The JSON output of the validate command and of the /validity HTTP endpoint now includes a generatedTime field that provides the generation time of the data set that was used for validation as an ISO time stamp. (#605)
  • The default RRDP timeout (via the rrdp-timeout option) has been increased to 300 seconds. (#612)

New

  • The maximum number of delta steps performed during an update of an RRDP repository is now limited via the rrdp-max-delta option. If more steps are necessary, the snapshot is used instead. This will improve the update times in cases where Routinator isn’t running constantly. The default limit is 100 steps. (#615)
  • It is now possible to disable the use of the gzip transfer encoding in the RRDP client via the new rrdp-disable-gzip option. (#602)
  • The start of a validation run is now logged as an info message. (#609)
  • A reference to the global help appears now at the end of a sub-command’s help message. (#607)
  • A summary of the data set similar to the summary output format is now logged at log level info at the end of a validation run. (#617)
  • Strict checking for address and prefix lengths in certificates, and for prefix and max-length in ROAs. (via rpki #154, based on an error report by @job)

Bug Fixes

  • Catch and log error output from rsync. (#577)
  • Local exception files that contain prefix assertions with a shorter max-length than the prefix length are now rejected instead of adding these invalid prefix assertions to the output data set. (#608)
  • The rrdp-timeout command line option was setting both the RRDP timeout and the RRDP connection timeout. Now the rrdp-connect-timeout is correctly used for the latter. (Note: The config file was using the correct keys.) (#611)
  • Added --rrdp-fallback-time option to the command line parser. It was documented and supposed to be present previously, but wasn’t. (#614)
  • The RTR server now returns the correct PDU as a cache reset response, which is returned when the server cannot provide a delta update to a client. Previously, a broken End of Data PDU was returned. (Via rpki #151.)
  • Make parsing of local exception files much more strict to avoid introducing illegal VRPs into the data set. Parsing will now fail if any aspect of a prefix or prefix assertion is incorrect. This includes a non-zero host portion of a prefix. (#627)
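
The strict local exception checks described in #608 and #627 can be approximated as a pre-deployment lint for a local exception file. This is an added example, not Routinator's own code: the field names follow RFC 8416, the function name `check_prefix_assertions` and the sample file are constructed here, and the upper bound on max-length goes beyond the two cases the notes name.

```python
import ipaddress
import json

# Constructed sample in the RFC 8416 (SLURM) layout; every value is made up.
SAMPLE_SLURM = """
{
  "slurmVersion": 1,
  "validationOutputFilters": {"prefixFilters": [], "bgpsecFilters": []},
  "locallyAddedAssertions": {
    "prefixAssertions": [
      {"asn": 64496, "prefix": "198.51.100.0/24", "maxPrefixLength": 24},
      {"asn": 64496, "prefix": "198.51.100.1/24", "maxPrefixLength": 24},
      {"asn": 64497, "prefix": "2001:db8::/32", "maxPrefixLength": 28},
      {"asn": 64498, "prefix": "192.0.2.0/24", "maxPrefixLength": 33}
    ],
    "bgpsecAssertions": []
  }
}
"""


def check_prefix_assertions(text):
    """Return (index, reason) for each prefix assertion that should be rejected."""
    doc = json.loads(text)
    items = doc.get("locallyAddedAssertions", {}).get("prefixAssertions", [])
    problems = []
    for i, item in enumerate(items):
        asn = item.get("asn")
        if type(asn) is not int or not 0 <= asn <= 0xFFFFFFFF:
            problems.append((i, "asn out of range"))
        prefix = item.get("prefix")
        # Require address/length notation with a numeric length.
        if not isinstance(prefix, str) or not prefix.rpartition("/")[2].isdigit():
            problems.append((i, "prefix missing or without length"))
            continue
        try:
            iface = ipaddress.ip_interface(prefix)
        except ValueError:
            problems.append((i, "malformed prefix"))
            continue
        net = iface.network
        if iface.ip != net.network_address:
            problems.append((i, "non-zero host portion"))
        # maxPrefixLength is optional; when absent it equals the prefix length.
        max_len = item.get("maxPrefixLength", net.prefixlen)
        if type(max_len) is not int:
            problems.append((i, "maxPrefixLength is not an integer"))
        elif max_len < net.prefixlen:
            problems.append((i, "max-length shorter than prefix length"))
        elif max_len > net.max_prefixlen:
            problems.append((i, "max-length exceeds address size"))
    return problems
```

An empty result means no prefix assertion was flagged; any entry is a reason to fix the file before handing it to the validator.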

Other

  • In the JSON metrics for RRDP repositories, the fields serial, session, delta, and snapshotReason are left out entirely when the server reported no changes via a 304 response. (#613)