Skip to content

Changelog.md

Latest commit

 

History

History
2062 lines (1527 loc) · 77.8 KB

Changelog.md

File metadata and controls

2062 lines (1527 loc) · 77.8 KB

Changelog

Unreleased next version

Breaking changes

New

Improvements

Bug fixes

Other changes

0.15.1 ‘Ain’t No Country Club Either’

Released 2025-10-07.

Bug fixes

  • Abort the optimistic initial run if there are no stored TA certificates for a TAL instead of succeeding with an empty data set. (#1071)
  • Undo PrivateUsers restriction in systemd unit files to allow user to run Routinator on privileged ports. (#1068)

0.15.0 ‘This Ain’t No Disco’

Released 2025-09-30

There have been no changes since 0.15.0-rc1.

0.15.0-rc1

Released 2025-09-18.

Breaking changes

  • Removed the rrdp-keep-responses feature. We suggest the use of an HTTP proxy such as mitmproxy instead.

    This once and for all fixes CVE-2023-39916 which returned again in release 0.14.0. (#1055)

  • Messages about issues with repositories and publication points are now logged separately and by default are only visible in the status HTTP server endpoints. The new log-repository-issues option can be used to have these messages also written to the log. ([#1054])

  • Changed how server mode deals with broken or missing local exception files. Previously, Routinator would just stop updating until they are fixed, leading to updates being stalled if the operator misses the error messages. Now it will log a warning and keep using the previous set of local exceptions. When starting, it will exit with an error message if there are broken or missing local exception files. (#1060)

  • Changed the RRDP timeouts: introduced a new config variable rrdp-read-timeout that provides a timeout for individual network operations (primarily: read from the server). Its default is 10 seconds. This timeout is also used for connecting of no specific value is given, significantly speeding up validation runs.

    In addition, the RRDP timeout was increased from 300 to 600 seconds to better deal with slow transmission of large snapshots of some repositories. (#1061)

New

  • Added a quick initial run after starting the server which only uses stored data and aborts if any required data hasn’t been requested before to deal with configuration changes. This will shorten the wait time for an initial data set when restarting Routinator. (#1057)

  • Added support for SLURM v2 as output format which includes ASPA payload. (#1021)

  • Changed refresh behaviour to better cope with short-lived objects. By default, Routinator will now wait for the time defined by refresh even if objects expire earlier. The new min-refresh option can be used to specify a short minimum refresh time if objects expire before the refresh time. If this value is set to 0, the old behaviour is restored. (#1027)

  • The order in which manifest entries are processed is now randomized. (#1041)

  • Reduced the overhead of storing RRDP snapshot downloads, significantly improving the snapshot update times. (#1035)

  • The dump command now prints the source directories of the data it dumps. (#1045)

  • Added a --update-after option to the vrps subcommand that skips updating the local cache if the last successful validation run was known to be less than a given number of minutes ago. (#1049)

  • Error responses for API-related HTTP endpoints now contain JSON bodies. ([#1050])

  • The /validity HTTP server endpoint now accepts POST requests with a JSON body containing multiple routes to be checked all at once. (#1053)

  • Better protect against corrupted stored publication points by double checking cached manifest properties against the actual manifest and discard the stored publication point if they mismatch.

    This fixes an issue where an accidentally or maliciously manipulated locally stored manifest could block update of a legitimate new manifest which was reported by Zizhi Shang, Zhechao Lin, Jiahao Cao, Yangyang Wang, Mingwei Xu of the Institute for Network Sciences and Cyberspace (INSC), Tsinghua University.

Bug fixes

  • Fixed a crash if certain invalid character appear in a manifest file name by limiting the name to the rules defined in RFC9286. This issue was reported by Niklas Vogel of Goethe University Frankfurt and ATHENE. (rpki-rs#342)
  • Re-implemented RRDP client metrics based on the much simpler model used by RTRTR to fix recurring errors in the metrics. (#1039)
  • Changed the message logged when an RRDP update times out to actually say that. (#1052)

Other changes

  • Improved performance of file system operations on validate subcommand. (#1043 by @kawaemon)
  • Add package.homepage to Cargo.toml (#1024)
  • Added building packages for RHEL 10 and Debian 13. (#1034, #1047)
  • Added building packages for ARMv6 and ARM64 for Debian Bookworm. (#1036)
  • Added additional restrictions to the systemd unit files used in the various binary packages. (#1056)
  • Upgrades various dependencies. (#1004, #1005, #1006)

0.14.2 ‘Roll Initiative!’

Released 2025-03-04.

There have been no changes since 0.14.2-rc1.

0.14.2-rc1

Released 2025-03-04.

Other changes

  • Upgrades the bundled Routinator UI to release 0.4.5. (#1014)

0.14.1 ‘Black Cats And Voodoo Dolls’

Released 2025-01-22.

New

  • ASPA support is now always compiled in and available if enable-aspa is set. The aspa Cargo feature has been removed. (#990)
  • If merging mutliple ASPA objects for a single customer ASN results in more than 16,380 provider ASNs, the ASPA is dropped. (Note that ASPA objects with more than 16,380 provider ASNs are already rejected during parsing.) (#996)
  • New archive-stats command that shows some statistics of an RRDP archive. (#982)
  • Re-enabled the use of GZIP compression in HTTP request sent by the RRDP collector. Measures to deal with exploding data have been implemented in rpki-rs#319. (#997)

Bug fixes

  • Fixed an issue with checking the file names in manifests that let to a crash when non-ASCII characters are used. (rpki-rs#320, reported by Haya Schulmann and Niklas Vogel of Goethe University Frankfurt/ATHENE Center and assigned CVE-2025-0638)
  • The validation HTTP endpoints now accept prefixes with non-zero host bits. (#987)
  • Removed duplicate rtr_client_reset_queries in HTTP metrics. (#992 by @sleinen)
  • Improved disk space consumption of the new RRDP archives by re-using empty space when updating an object and padding all objects to a multiple of 256 bytes. (#982)

Other changes

  • The minimum supported Rust version is now 1.74. (#999)
  • Added packaging support for Ubuntu 24.04 and removed support for Debian Stretch 9, Ubuntu Xenial 16.04, Ubuntu Bionic 18.04, and Centos 7 (#980, #994)
  • Upgraded the bundled routinator-ui to release [ui-0.4.3][0.4.3].

0.14.0 ‘You Must Gather Your Party Before Venturing Forth’

Released on 2024-06-20.

There have been no changes since 0.14.0-rc3.

0.14.0-rc3

Released on 2024-06-17.

Bug fixes

  • Updated the bundled Routinator UI to version 0.4.1. This fixes internal linking some more. (#967)

0.14.0-rc2

Released 2024-06-13.

Bug fixes

  • Updated the bundled Routinator UI to version 0.4.1. This fixes internal linking. (#965)

0.14.0-rc1

Released 2024-06-10.

Breaking changes

  • Keep the content of an RRDP repository in a single file rather than as individual files under a directory. (#886)
  • Switched to the all-new version 0.4 of the Routinator UI. This also changes the way we import the UI into Routinator by simply including the built assets which means downloads are not necessary during the build process any more. (#952)
  • Changed the summary output format to have all lines end in a semicolon. (#907)
  • Changed the options used for rsync. The options -rtO --delete are now always used. The options set in the rsync-args are added or, if that is not used, -z and --no-motd, as well as --contimeout=10 if it is supported by the rsync command, and --max-size if the max-object-size option has not been set to 0. (#962)

New

  • The chain_validity value in the jsonext format now considers the validity of the manifest’s EE certificates. A new stale value shows the time when any of the publication points along the way will become stale. (#945)
  • If a collected manifest has a lower manifest number or an older thisUpdate field than a stored manifest for the same CA, the collected manifest is ignored and the stored publication point is used instead. This implements a requirement added in RFC 9286. (#946, #954)
  • The number of delta entries in a RRDP notification file is now limited to 500 by default. If there are more entries, the deltas are ignored and the snapshot is used. The limit can be changed through the new rrdp-max-delta-list-len configuration value. (#961)
  • The RRDP collector now falls back to a snapshot update if the hash of a delta listed in the notification file has changed from the previous update. This implements draft-ietf-sidrops-rrdp-desynchronization-00. (#951)
  • The RRDP collector now enforces that all URIs referred to or redirected to by an RRDP server have the same origin as the rpkiNotify URI in the CA certificate. (#953)
  • The config file used is now printed for some commands. This should help with avoiding confusion when running Routinator as different users. (#959)

Bug fixes

  • Fixed an issue where the refresh time was calculated as zero under certain conditions until the dataset was updated. (#940)
  • Add the current RRDP serial number to the RRDP server metrics when a Not Modified response is received so that Prometheus shows a constant value.

0.13.2 ‘Existential Funk’

Released 2024-01-26.

Bug Fixes

  • Fix the RTR listener so that Routinator won’t exit if an incoming RTR connection is closed again too quickly. (#937, reported by Yohei Nishimura, Atsushi Enomoto, Ruka Miyachi; Internet Multifeed Co., Japan. Assigned CVE-2024-1622.)

0.13.1 ‘Aziz, Light!’

Released 2024-01-24.

There have been no changes since 0.13.1-rc1.

0.13.1-rc1

Released 2024-01-17.

New

  • Added support for private keys marked as “EC PRIVATE KEY“ in the PEM files for TLS server configuration. (#921)
  • The rsync collector now logs stderr output of the rsync command directly instead of collecting it and logging it in one go after the commend returned. (#290)

Bug Fixes

  • The dump command will now succeed even if certain directories or files in the repository cache are missing. (#916)
  • A more meaningful message is now printed when decoding RPKI objects fails. It will still not give much detail but at least it isn’t confusing any more. (#917)

Other changes

  • Updated the nlnetlabs-testbed TAL to the current location and key. (#922)

0.13.0 ‘Should Have Started This in a Screen’

Released 2023-09-21

There have been no changes since 0.13.0-rc2.

0.13.0-rc2

Released 2023-09-13.

This RC reflects the changes from release 0.12.2.

Bug Fixes

  • Update bcder to at least 0.7.3 to fix various decoding issues that could lead to a panic when processing invalid RPKI objects.
  • Check the request URI when generating a path for storing a copy of a RRDP response with the rrdp-keep-responses option to avoid path traversal. (#894. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)

0.13.0-rc1

Released 2023-07-13.

New

  • Added support for ASPA. Processing needs to be enabled via the new option enable-aspa which is only available if the aspa feature is explicitly selected during compilation. This is due to the specification still changing. The implementation currently conforms with draft-ietf-sidrops-aspa-profile-15. (#847, #873, #874, #878)
  • Added support for version 2 of the RTR protocol. This primarly means support for the ASPA payload type. (#847)
  • Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is enabled. (#859)
  • The HTTP server provides a new endpoint /json-delta/notify that can be used to wait for updated data similar to the RTR Notify PDU. (#863)
  • Added support for filtering and adding router keys via local exception files. (#865)
  • The vrps command and the HTTP payload output endpoints now allow excluding specific payload types for output. (#866)
  • Added a new member payload to the output of the /api/v1/status endpoint that gives an overall summary of the produced payload. (#867)
  • Added new members generated and generatedTime to the JSON object produced by the /json-delta endpoint. (#868)

Breaking Changes

  • A new field aspa was added to the jsonext format. See the manual page for more information. (#847)
  • A number of ASPA-related fields have been added to all metrics and status formats. (#847)
  • Renamed functions and attributes that refer to standalone end entity certificates to refer to router certificates so they don’t get confused with the end entity certificates included with signed objects. (#854)
  • Renamed the JSON member in the HTTP status API from validEECerts to validRouterCerts. The old name is still available but may be removed in the future. (#854)
  • The regular json output format now includes router key and ASPA output. Since both are disabled by default, the format will still be compatible by default. (#866)
  • The minimal required Rust version has been increased to 1.70. (#847, #853, #869, #879)

Bug Fixes

  • Fixed a bug in the RTR server where it would include router key PDUs even if the negotiated protocol version was 0. (via rpki-rs #250)
  • Restored the ability to parse ASNs in JSON input to the validity command as string or number. (#861)

Other Changes

  • The log message for missing manifest now include the URI of the CA certificate for which the manifest is missing. (#864)
  • Binary packages are now also built for Debian bookworm. (#881)

0.12.2 ‘Brutti, sporchi e cattivi’

Release 2023-09-13.

Bug Fixes

  • Fixed various decoding issues that could lead to a panic when processing invalid RPKI objects. (#891, via bcder release 0.7.3. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915)
  • Check the request URI when generating a path for storing a copy of a RRDP response with the rrdp-keep-responses option to avoid path traversal. (#892. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)

0.12.1 ‘Plan uw reis in de app’

Released 2023-01-04.

There are no changes since 0.12.1-rc2.

0.12.1-rc2

Released 2022-12-13.

Bug Fixes

  • Allow private keys prefixed both with BEGIN PRIVATE KEY and BEGIN RSA PRIVATE KEY in the files referred to by http-tls-key and rtr-tls-key configuration options. (#831, #832)

0.12.1-rc1

Released 2022-12-05.

Bug Fixes

  • Actually use the extra-tals-dir config file option. (#821)
  • On Unix, if chroot is requested but no working directory is explicitly provided, set the working directory to the chroot directory. (#823)
  • Fixed the error messages printed when the http-tls-key or http-tls-cert options are required but missing. They now refer to HTTP and not, as previously, to RTR. (#824 by @SanderDelden)

Other Changes

0.12.0 ‘Brutalism and Gardening’

Released 2022-11-10.

Bug Fixes

  • Remove a stray newline in summary output.

0.12.0-rc1

Released 2022-11-02.

Breaking Changes

  • Restructured the TAL configuration in response to the dropped requirement to opt into the ARIN TAL.

    Routinator will now use the bundled RIR TALs directly unless told otherwise by the new --no-rir-tals command line and config option. The additional bundled TALs can be added via the new --tal command line and config option. Additionally, the TAL directory can still be used via the --extra-tals-dir option. The tal-dir option has been removed but will still be accepted – and ignored – in the config file only.

    The init command has been removed. (#796)

  • Changed the default configuration option for unsafe-vrps to accept and removed all logging or mentioning of unsafe VRPs in this case. (#761)

  • Setting the rsync-timeout option to 0 now disables the rsync timeout. (#798)

  • Refactored error handling. Routinator now logs the reason why an object failed verification or was otherwise rejected. (#755)

  • Removed the deprecated rrdp-disable-gzip configuration option. (#769)

New

  • The new limit-v4-len and limit-v6-len command line and config file options allow limiting the length of IPv4 and IPv6 prefixes, respectively, to be included in the VRP data set. (#810)
  • The new rrdp-fallback command line and config file option allows specifying the circumstances under which a failed RRDP fetch should result in using rsync instead. Supported polices are never for never falling back to using rsync, stale for the current behavior of falling back when RRDP has failed for some time, and new to only fall back for repositories where RRDP has never worked before. (#799)
  • In the extended jsonext output format, the information for VRPs and router keys derived from RPKI data has gained a new member "tal" that shows the name of the TAL this object was published under. (#765)
  • The log output to files, stderr, and the /log HTTP endpoint now includes the log level of the message to make it more clear how important the message really is. (#797)
  • The RTR client metrics have been extended by three new values allowing to track the time since last cache reset and the number of reset and serial queries. Like all RTR client metrics, these new values are only available if enable explicitly via the rtr-client-metrics config option. (#800)
  • TCP keepalive is now enabled for RRDP connections. The keepalive duration can be configured via the new command line and config file option rrdp-tcp-keepalive. (#801)

Bug Fixes

  • Fixed an issue in error handling in the RRDP collector that causes Routinator to exit if it encountered malformed Base 64 in RRDP snapshot and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned CVE-2022-3029.) ([#784])
  • Fixed an issue where RRDP snapshots and deltas with a status code other than 200 OK were accepted and processed. (#802)
  • Changed how Routinator deals with files in the store that cannot be parsed. These will now be ignored and the publication point stored in them considered not available. (#803)
  • When piping output from the vrps command into something else, a broken pipe will not lead to an error message any more. (#807)
  • Fixed various issues with the calculation of RTR metrics. (#811)

Other Changes

  • The minimal required Rust version has been increased to 1.60. (#792)
  • The default Docker image now listens on both port 8323 and 9556 for HTTP requests. (#809)

0.11.3

Released 2022-09-13.

Bug Fixes

  • Fixes an issue in error handling in the RRDP collector that causes Routinator to exit if it encountered malformed Base 64 in RRDP snapshot and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned CVE-2022-3029.) (#781)

0.11.2

Released 2022-04-20.

Bug Fixes

  • Fixes an issue that caused the RTR server to possibly skip over some withdrawn VRPs in response to a serial query. (Found by Jay Borkenhagen, #747)

0.11.1

Released 2022-04-07

No changes since 0.11.1-rc1.

0.11.1-rc1

Released 2022-04-04.

New

  • The dump command now also copies the stored trust anchor certificates. The certificates are named in the same way as they are internally using the hash over their URI. Please consult the manual for details. (#740)

Bug Fixes

  • The dump command now removes the internal header before copying the objects retained by the RRDP collector, i.e., the files copied into the rrdp sub-directory now contain the actual DER encoded data only. (#735)
  • Correctly set the idle time for TCP keepalives on incoming RTR connections on systems that support it. (#736)
  • Fix an encoding error in the /delta-json output. (#737)
  • Truncate the PID file before writing the current PID to it. (#738)
  • Exit with a status of 1 if an error happened. (#739)

0.11.0

Released 2022-02-28.

No changes since 0.11.0-rc2.

0.11.0-rc2

Released 2022-02-21

Bug Fixes

  • Change the content type of the /log endpoint back to text/plain. (#719)
  • Improve the way timed out rsync processes are killed in an attempt to avoid them becoming zombies. (#720)

0.11.0-rc1

Released 2022-02-10.

Breaking Changes

  • The minimal supported Rust version is now 1.52. (#681)

New

  • Add TLS support to the RTR and HTTP servers. (#677)
  • Add support for BGPsec router keys. This needs to be explicitly enabled via the new enable-bgpsec command line and config file option. (#693)
  • Reject so-called premature manifests, i.e., manifests that have an issue time before the current time. This is a new requirement in draft-ietf-sidrops-6486bis. (#681, #690)
  • Add a new output format slurm that produces a JSON file formatted according to RFC 8416 with the validated payload included in the locally added assertions. (#702)
  • Make the (standard) JSON payload output available under /api/v1/origins with the same URL parameters.(#707)
  • Add a new URI parameter include=more-specifics to all HTTP payload output paths to include all route origins for prefixes that are more specifics of the selected prefixes. (#707)
  • Add a new option --more-specifics to the vrps command to include all route origins for prefixes that are more specifics of the selected prefixes. (#714)
  • Accept and process HEAD requests for all HTTP paths. (#707)

Bug Fixes

  • Encountering stray files at the top level of the rsync cache directory will not cause Routinator to exit any more. Instead, it will just delete those files. (#675)
  • Don’t exit when a directory to be deleted doesn’t exist. In particular, this fixes an error in the dump command. (#682)
  • Count all valid CRLs for metrics generation during a validation run. (#683)
  • Don’t claim filtering of unsafe VRPs when the policy is warn. (Only the log message was wrong, no VRPs were filtered in this case.) (#699)
  • Use a TCP listener socket for the RTR server passed in via systemd socket activation if configured. This was already implemented but got lost a few versions ago. (#709)
  • Enable TCP keepalive on RTR connections when configured. This, too, was already implemented but got lost a few versions ago. (#710)

Other Changes

  • Update the NLnet Labs RPKI testbed TAL to the one used by the new server. (#637)

0.10.2 ‘Skuffet, men ikke overrasket’

Released 2021-11-09.

Bug Fixes

  • The rrdp-timeout configuration setting now correctly limits the maximum length an RRDP request can take. This prevents a possible issue where a RRDP repository maliciously or erroneously delays a request and subsequently a validation run. (#666, CVE-2021-43173)

New

  • The new configuration setting max-ca-depth limits the length a chain of CAs from a trust anchor. By default it is set to 32. This fixes a possible vulnerability where a CA creates an infinite chain of CAs. (#665, CVE-2021-43172)

Other Changes

  • Support for the gzip transfer encoding for RRDP has been removed because gzip in combination with XML provides multiple ways to delay validation. The configuration setting rrdp-disable-gzip is now deprecated and will be removed in the next breaking release. (#667, CVE-2021-43174)

0.10.1 ‘That’s No Moon’

Released 2021-09-20.

No changes since 0.10.1-rc3.

0.10.1-rc3

Released 2021-09-15.

Other Changes

  • Update UI to 0.3.4. (#651)
    • Fixed links for prefixes.

0.10.1-rc2

Released 2021-09-13.

Bug Fixes

  • Redirect / to /ui to bring back the UI for the blank hostname. (#648)

Other Changes

  • Update UI to 0.3.3.
    • Fixes UI loading with query parameters.

0.10.1-rc1

Released 2021-09-13.

Other Changes

  • Extended UI with BGP and allocation data lookups. (#635)
  • The UI now lives in its own crate routinator-ui. (#635)

0.10.0 ‘Through Many Dangers, Toils, and Snares’

Released 2021-08-23

No changes since 0.10.0-rc3.

0.10.0-rc3

Released 2021-08-02.

New

  • Strict checking for address and prefix lengths in certificates, and for prefix and max-length in ROAs. (via rpki #154, based on an error report by @job)

0.10.0-rc2

Released 2021-07-27.

Bug Fixes

  • Fix the missing line feed in the summary output format. (#625)
  • The RTR server now returns the correct PDU as a cache reset response, which is returned when the server cannot provide a delta update to a client. Previously, a broken End of Data PDU was returned. (Via rpki #151.)
  • Make parsing of local exception files much more strict to avoid introducing illegal VRPs into the data set. Parsing will now fail if any aspect of a prefix or prefix assertion is incorrect. This includes a non-zero host portion of a prefix. (#627)

0.10.0-rc1

Released 2021-07-23.

Breaking changes

  • Data is now stored directly in the file system again. This returns memory consumption to pre-0.9 levels. All improvements to robustness have been maintained. (#590, #601, #604)
  • The json and jsonext output formats now include a metadata object that contains the time the data set was created in the generated and generatedTime fields as Unix and ISO time stamps, respectively. (#605)
  • The JSON output of the validate command and the of the /validity HTTP endpoint now include a generatedTime field that provides the generation time of the data set that was used for validation as an ISO time stamp. (#605)
  • The default RRDP timeout (via the rrdp-timeout option) has been increased to 300 seconds. (#612)

New

  • The maximum over delta steps performed during an update of an RRDP repository is now be limited via the rrdp-max-delta option. If more steps are necessary, the snapshot is used instead. This will improve the update times in cases where Routinator isn’t running constantly. The default limit is 100 steps. (#615)
  • It is now possible to disable the use of the gzip transfer encoding in the RRDP client via the new rrdp-disable-gzip option. (#602)
  • The start of a validation run is now logged as an info message. (#609)
  • A reference to the global help appears now at the end of a sub-command’s help message. (#607)
  • A summary of the data set similar to the summary output format is now logged at log level info at the end of a validation run. (#617)

Bug Fixes

  • Catch and log error output from rsync. (#577)
  • Local exception files that contain prefix assertions with a shorter max-length than the prefix length are now rejected instead of adding these invalid prefix assertions to the output data set. (#608)
  • The rrdp-timeout command line option was setting both the RRDP timeout and the RRDP connection timeout. Now the rrdp-connect-timeout is correctly used for the latter. (Note: The config file was using the correct keys.) (#611)
  • Added --rrdp-fallback-time option to the command line parser. It was documented and supposed to be present previously, but wasn’t. (#614)

Other

  • In the JSON metrics for RRDP repositories, the fields serial, session, delta, and snapshotReason are left out entirely when the server reported not changes via a 304 response. (#613)

0.9.0 ‘Raptor Bash for Life’

Released 2021-06-03.

No changes since 0.9.0-rc3.

0.9.0-rc3

Released 2021-05-31.

Breaking Changes

  • The minimal supported Rust version is now 1.47.0. (#568)

Bug Fixes

  • Formatting fix for the man page (#569)

Other Changes

  • Support for building RPM packages for Centos 7 and 8. (#566)

0.9.0-rc2

Released 2021-05-25.

Bug Fixes

  • In server mode, the database is now only opened after detaching from the console if requested. This fixes Routinator hanging if the --detach option is used due to invoking multi-threading before forking. (#557)
  • Fixed a panic when trying to load a broken repository state object from the database. (#558)
  • Accept the filter-asn query parameter in the VRP set HTTP endpoints again which was accidentally rejected. (#559)

Other Changes

  • Rearranged the Prometheus metrics to be more canonical. (#562)

0.9.0-rc1

Released 2021-05-17.

Breaking Changes

  • Routinator now keeps the last valid data from a publication point and falls back to using that if an update to the publication point does not have a valid manifest or the data does not match the manifest. This data is stored in a [sled] key-value database rather than directly in the file system. (#456)
  • RRDP data is now collected into the same key-value database. The new command dump allows copying the data from the database to the file system. (#473, #480, #484)
  • If an RRDP repository is unavailable for a certain time, Routinator will now fall back to rsync. The time since last successful update before this fallback happens is randomly chosen for each repository between the refresh time and an upper limit configurable via the new rrdp-fallback-time option that defaults to one hour. (#473, #482, #507)
  • The rsync-timeout now describes a hard timeout on the rsync process for updating a repository. ([#528)]
  • The size of downloaded RPKI objects is now limited by the max-object-size options which defaults to a limit of 20 MBytes. This limit applies to both RRDP and rsync. (#531)
  • Routinator now includes additional TALs for various commonly used RPKI testbeds. The init command has been restructured to make it possible to select the TALs for installation. The default is still to install the five production RIR TALs. (#500)
  • Deprecated configuration items have been removed: unknown-objects cannot be spelled with a underscore anymore and string values are not accepted anymore for rtr-tcp-keepalive. (#496)
  • The minimal supported Rust version is now 1.45.0. (#444, #498)

New

  • The new option --fresh causes Routinator to delete all cached data before starting. This can be used when data corruption is reported. (#470)
  • The new HTTP server endpoint /json-delta provides an option to retrieve updates to a previously received data set via deltas. (#537)
  • A new output format jsonext is available both in the vrps command and the HTTP server that provides more detailed information about the sources of a VRP. (#511)
  • The validate command now accepts input from and can write its output to files. Both are available in simple plain text and JSON formatting. (#514)
  • The HTTP endpoints that supply the current VRP set now support conditional request handling. They include Etag and Last-Modified headers in their response and process If-None-Match and If-Modified-Since headers in requests. (#474, contributed by @reschke, #488)
  • The vrps command line option and the HTTP query parameters for limiting the VRPs included in the returned VRP set have been renamed from filter-prefix to select-prefix and from filter-asn to select-asn for clarity. The old options are still accepted. (#511)
  • Status information is now available in JSON format at /api/v1/status. (#437)
  • The metrics of RRDP repositories now also include the serial number of the last update. The JSON status information also includes the session ID and whether the last update was via a delta and if it wasn’t why a snapshot had to be used. It also separately provides the status codes for the request of the notification file and the snapshot or last requested delta file. (#487, #489)
  • Prometheus metrics and JSON status have been greatly extended with more detailed counters for individual valid and invalid object types. They are also now available on a per-repository basis in addition to the already existing per-TAL basis. (#493, #539)
  • Prometheus metrics and JSON status can now optionally include per-client RTR metrics. This is disabled by default to avoid accidentally leaking information about the local network topology. (#519)
  • The RRDP client now supports the gzip transfer encoding for HTTPs. (#463, contributed by @bjpbakker)
  • The exception config file value now also accepts a single string with a path name instead of an array of strings. (#471)
  • The new rrdp-keep-responses option allows optionally storing the XML content of all received RRDP responses in the file system. (#490)

Bug Fixes

  • The csvcompat output format that was introduced in 0.7.0 is now actually accepted by the --format command line option.
  • The /validity HTTP endpoint now accepts percent-encoded characters in the query parameters. (#505)

Other Changes

  • Updated the bundled APNIC and LACNIC TALs. When upgrading, please re-install the TALs in your system via routinator init. (#510, #543)
  • Upgrade rpki-rs to 0.11 and drop now unnecessary separate dependency to rpki-rtr. (#443)
  • Upgrade Tokio-related dependencies to new version based on Tokio 1.0. (#444)
  • Upgrade the bundled UI to version 0.2.0 reflecting the changed metrics. (#550)

0.8.3 ‘Like and Subscribe’

Released 2021-02-02.

There have been no changes since 0.8.3-rc1.

0.8.3-rc1

Released 2021-01-28.

New

  • Status information is now available in JSON format at /api/v1/status (#449).
  • Includes version 0.1.0 of routinator-ui, a UI for Route Origin Validation and Routinator status (#449).

0.8.2 ‘Once More, with Feeling’

Released 2020-12-09.

There have been no changes since 0.8.1-rc1.

0.8.2-rc1

Released 2020-12-04.

Changes

  • As the rules proposed by draft-ietf-sidrops-6486bis turned out to be too strict, validation has been relaxed again. A CA is now only rejected and all its objects ignored if the manifest or CRL are invalid or if any of the objects listed on the manifest are either missing or have a different hash. (#438)

Bug Fixes

  • Switch logging to the configured target for the update command. (#433)

Other Changes

  • Update minor dependencies in Cargo.lock. (#439)

0.8.1 ‘Pure as New York Snow’

Released 2020-11-30.

There have been no changes since 0.8.1-rc1.

0.8.1-rc1

Released 2020-11-20.

Bug Fixes

  • VRPs filtered via local exceptions are dropped again. In 0.8.0, they were only added to the metrics but not actually dropped. (#424, discovered by @cwiech)
  • The prefix validation option incorrectly matched VRPs for host prefixes to prefixes with an identical bit pattern of any length. (Found by [@vamseedhar-reddyvari] and fixed in #415 by @morrowc and @aaronw112358)
  • The config file option for the policy on dealing with objects on unknown types is now correctly spelled unknown-objects (with a dash rather than an underscore). The old spelling will be also be accepted in 0.8 releases. (Found and fixed by @johannesmoos, #413, #416.)
  • The config file option rtr-tcp-keepalive now accepts an integer value as it should have from the beginning (and the config command even created). For the time being, both integers and strings will be accepted. String values will be rejected starting with 0.9.0. ([#427], discovered by @johannesmoos)

New

  • The log output of the HTTP /log endpoint now states the start date of the validation run it represents. (#426)

0.8.0 ‘Strikes and Gutters, Ups and Downs’

Released 2020-10-19.

There have been no changes since RC2.

0.8.0-rc2

Released 2020-10-09.

Bug Fixes

  • Apply unsafe filter (if requested) also on subsequent validation runs in server mode. (#407)
  • Update all metrics on all validation runs. (#407)
  • Show the status code instead of -1 in RRDP status metrics. (#408)

Other Changes

  • Improve log message when listing resources being added to the unsafe filter list. (#406)

0.8.0-rc1

Released 2020-10-07.

Breaking Changes

  • Validation now follows the rules suggested by draft-ietf-sidrops-6486bis: Any invalid object mentioned on the manifest will lead to the issuing CA and all its objects being rejected. However, unlike suggested by the draft, Routinator currently will not fall back to cached older versions of the CA’s objects that may still be valid. In addition, unknown RPKI object types are currently accepted with a warning logged. This behaviour can be changed via the unknown-types policy option. (#371, #401)
  • Similarly, CRL handling has been tightened significantly. Each CA must now have exactly one CRL which must be the one stated in the manifest’s EE certificate. Any violation will lead to the whole CA being rejected with the same consequences as above. (#397)
  • The default for dealing with stale objects has been changed to reject in accordance with the same draft. (#387)
  • Parsing of local exception files is now more strict in accordance with RFC 8416. Any additional member in the JSON objects will lead to an error. However, error reporting has been greatly improved and now the line and column of an error will be indicated. (#372)
  • The alias --allow-dubios-hosts for the correctly spelled option has been removed. (#384)
  • The minimal supported Rust version is now 1.42.0.

New

  • All VRPs overlapping with resources from rejected CAs – dubbed ‘unsafe VRPs’ can filtered via the new unsafe-vrps option. Doing so will avoid situations were routes become RPKI invalid if their VRPs are split over multiple CAs or there are less specific ROAs. By default, unsafe VRPs are only warned about. (#377, #400)
  • New metrics for the VRPs produced and filtered on the various TALs. (#377)
  • The logging output of the latest validation run is now available via the HTTP service’s /log endpoint. (#396)
  • TCP keep-alive is now supported and enabled by default on RTR connections as suggested by RFC 8210. It can be disabled and its idle time changed from the default 60 seconds via the new rtr-tcp-keepalive command line and config file option. (#390)
  • The pid-file, working-dir, chroot, user, and group config file and server command options now also work without the --detach command line option. (#392)
  • The init command will now change ownership of the cache directory if the user and group options are set via config file or command line options. (#392)
  • Irrelevant log messages from libraries are now also filtered when using syslog logging. (#385)
  • Release builds will now abort on panic, i.e., when an unexpected internal condition is detected. This ensures that there won’t be a Routinator in a coma. (#394)
  • The feature rta enables the new command rta for validating Resource Tagged Assertions as described in draft-michaelson-rpki-rta. This feature is not enabled by default and needs to be activated by adding the option --features rta to the Cargo build command.

Bug Fixes

  • Update start and end times will not change between consecutive metrics reports any more. (#389)
  • Local exceptions will now be loaded before starting a validation run both in vrps and server mode instead of discarding the run after it finished when loading fails. In server mode, we now wait 10 seconds after loading local exceptions fails and try again instead of repeatedly starting validation runs and discarding them. (594186c)
  • EE certificates encountered in the repository are now validated as router certificates rather than regular RPKI EE certificates. (#398)

Other Changes

  • Logging has been cleaned up. The meaning of the four log levels is now better defined – see the man page – and all log output has been reassigned accordingly. (#396)

0.7.1 ‘Moonlight and Love Songs’

Released 2020-06-15.

There have been no changes since RC2.

0.7.1-rc2

Released 2020-06-10.

Other Changes

  • Update the ARIN TAL to include the HTTPS URIs of their trust anchor certificate. (#347)

0.7.1-rc1

Released 2020-06-09.

New

  • The HTTP /status command now contains a version field showing the Routinator version running. [(#342)]

Bug Fixes

  • Prefer HTTPS URIs in TALs if RRDP is enabled. The order of URIs with the same scheme is maintained. (#343)
  • Fix a typo in the --allow-dubious-hosts option which was actually expected to be spelled as --allow-dubios-hosts. This dubious spelling is kept as an alias until the next breaking release. (#339)

Dependencies

  • Remove the pin on Tokio and set the minimum version to 0.2.21. (#340)

Other Changes

  • Update the AFRINIC, APNIC and RIPE NCC TALs to include HTTPS URIs for their trust anchor certificates. (#331, #344, #345)

0.7.0 ‘Your Time Starts … Now’

Released 2020-05-06.

There have been no changes since RC3.

0.7.0-rc3

Dependencies

  • Pinned Tokio to 0.2.13. There have been reports of issues with automatic cooperative task yielding introduced in 0.2.14, so we will stick with 0.2.13 for this release. (#321)

0.7.0-rc2

Bug Fixes

  • Bind listening sockets before possibly dropping privileges while detaching. (#313, discovered by @alarig).
  • Re-enable Tokio’s threaded runtime. (#315)

0.7.0-rc1

Breaking Changes

  • Routinator now filters out rsync URIs and RRDP URIs that contain dubious host names that should not be present in the public RPKI. In this version they are ‘localhost,’ any IP address, and any URI with the port explicitly specified. This filter can be disabled via the --allow-dubious-hosts command line and config option for test deployments. (#293)
  • Only CRLs mentioned on the manifest are now considered when checking any published objects except for the manifest itself. If the hash of the CRL on the manifest does not match the CRL, it is rejected. Objects referencing a CRL that is not on a manifest or has a hash mismatch are rejected. [(#299)]
  • The minimal supported Rust version is now 1.39.0.

New

  • The new option --stale allows selecting a policy for dealing with stale objects – i.e., manifests and CRLs that are past their next-update date. The policies are reject, warn, and accept. The previous hard-coded policy of warn, i.e., accept but log a warning, is the default. (#288)
  • New output formats bird and bird2 which produce a roa table for Bird 1 and a route table for Bird 2, respectively. (#290, by @netravnen)
  • New output format csvcompat which produces CSV output as similar to that of the RIPE NCC Validator as possible. (#292)
  • The new config file option tal-labels allows defining explicit names to be used when TALs are referenced in output. This way, the output can be made to be even more similar to that produced by the RIPE NCC Validator. (#291)
  • The csvext output format is now also available via the HTTP server at the /csvext path. (#294)
  • New metrics for the status of the RTR and HTTP servers. (#298)
  • New metric of the number of stale objects encountered in the last validation run. (#298)

Other Changes

  • Update to Rust’s new asynchronous IO framework for the RTR and HTTP servers. Repository synchronization and validation remain synchronous atop a thread pool. (#282)
  • Changed concurrency strategy for repository update and validation. Previously, each trust anchor was updated and validated synchronously. Now processing of a CA is deferred if its repository publication point hasn’t been updated yet. Processing is then picked up by the next available worker thread. This should guarantee that all worker threads are busy all the time. ([#284)]
  • Optimized what information to keep for each ROA, bringing maximum memory consumption down to about a quarter. (#293)
  • The Docker image now wraps Routinator into tini for properly dealing with signals and child processes. (#277)

0.6.4 ‘Jeepers’

Bug Fixes

  • Fixes an issue where Routinator occasionally gets completely stuck. (#255)

0.6.3 ‘That Escalated Fast’

New

  • Reload TALs and restart validation via SIGUSR1 on Unix systems. (#241, thanks to Veit Heller!)

Bug Fixes

  • RRDP requests failed with a timeout if Routinator was started in detached server mode (server -d). (#250, discovered by Will McLendon)
  • Fix spelling of routinator_rrdp_duration metrics definition. (#248)

0.6.2 ‘Distiller’s Edition’

New

  • Added a --disable-rsync command line and disable-rsync configuration file option to, well, disable rsync. (#229)

Bug Fixes

  • Fall back to rsync data if RRDP data is missing in no-update mode. (This only caused trouble if you are fabricating a repository cache directory from rsync-only data.) (#223)
  • Try creating the parent directories before moving a file published via RRDP delta to its final location. This avoids regular fallback to snapshots. (#227)
  • Consider previously manipulated files when processing a sequence of multiple RRDP deltas. This avoids occasional fallback to snapshots. (#228)
  • Fixed a decoding error in manifests which caused certain manifests (which don’t seem to be existing in the wild currently) to be rejected. (via rpki-rs #78)
  • The /rpsl endpoint of the HTTP server accidentally produced CSV output. (#238)
  • Produce a formatting of the time elements of RPSL with a stable length. This will result in the RPSL output via the HTTP server to be correct and also decreases the size of the RPSL output by about twenty percent. (#243)

Other Changes

  • Suppressing debug log from some dependencies for stderr and file logging. (#224)

0.6.1 ‘Philosophy Is Tricky’

New

  • RRDP access statistics are now also shown in the /status HTTP endpoint. They were already part of the Prometheus metrics. (#218)

Bug Fixes

  • The RTR serial number was not increased when new data became available. (#215)

Other changes

  • The RRDP client will not complain if it can’t read a non-existing state file anymore as this is a completely normal situation. (#217)

Dependencies

0.6.0 ‘Pink Sombrero’

Breaking Changes

  • Removed the rsync-count command line and configuration file option. This option is now unused as modules are now rsynced only when they are actually accessed. (#187)
  • The default value for refresh has been lowered to 600 seconds. (#191)
  • The refresh time placed in the RTR End-of-data PDU is now calculated from the time until the next validation run is expected to finish. (#193)
  • The listeners for RTR and HTTP in server mode are now started right away and report an error until the first validation has finished. (#203)

New

  • Routinator now supports RRDP for synchronizing repository content. (#187)
  • Restructured repository directory. The rsync data now lives in a sub-directory called rsync. The main repository directory will now be kept clean and all unexpected files removed. (#187)
  • In server mode, the repository will be refreshed and re-validated when the first object expires. (#191)
  • Protection against loops in the CA structure: Routinator checks that any subject key identifier only appears once in the chain from a trust anchor to a CA certificate. (#192)
  • Routinator now explicitly skips .cer files that aren’t CA certificates before even trying to validate them. This already happened before because these files failed validation. (#194)
  • New options user and group for setting the user and group names a detached server process should be run as. (#213)

Bug Fixes

  • Fixed crash if the TAL directory is empty. Routinator will complain but run since there could be local exceptions. (#212)

0.5.0 ‘Why Not Try a Holiday in Sweden This Year?’

Breaking Changes

  • Prometheus metrics are now prefixed with routinator_. (#162 by @momorientes)
  • Added --timeout option to rsync call. This seems to be available on most rsync versions in use. Should that not be the case, you can use the rsync-args config file option to define your own set of rsync arguments, overriding this behaviour. ([#176])

New

  • The local copy of the repository is now cleaned up after each validation run, removing directories and files that weren’t referenced during the run. This can be disabled with the new --dirty command line and dirty config file options. (#180)
  • You can now check pairs of address prefix and AS number for their RPKI origin validation status either via the HTTP interface or the new validate command. The HTTP API is the same as that used by the RIPE NCC RPKI Validator for easy migration. (#173)
  • Output format summary which will print a summary of the content of the RPKI repository. (#167)
  • The ARIN TAL can now be skipped during init with the --decline-arin-rpa option. (#169)
  • Various commands have received a --complete option that causes them to exit with status code 2 if any of the rsync commands fails. ([#177)]
  • Additional metrics showing the status and duration of rsync commands. (#178)

Bug Fixes

  • Fix Prometheus metrics output – Prometheus insists on a line break at the end of the last line. (#156)
  • Fix Prometheus metrics definitions. (#161 by @momorientes)
  • The HTTP server can now deal with unreasonably large requests. It has been switched to using hyper. (#171)

0.4.0 ‘The Bumpy Road to Love’

Breaking Changes

  • Major cleanup of the command line and configuration file for server mode. The command is now server (instead of rtrd). RTR and HTTP are now equals. There is no more default listeners being created, you have to specify them explicitly via command line options or config file. The option is now --rtr for RTR listeners (previously just --listen) and --http for HTTP listeners (previously --listen-http). The config file fields are rtr-listen and http-listen, respectively. (#133)
  • In server (formerly rtrd) mode, the -a option is gone and has been replaced by a -d option. In other words, the default is now to stay attached to the terminal and only fork into the background if -d is given. (#134)
  • The TAL directory will no longer be automatically populated. Instead, you can install the bundled TALs via the new init command. After having received permission from ARIN, we are now also bundling the ARIN TAL in Routinator and require specific agreement to ARIN’s Relying Party Agreement via a command line option. (#135)
  • The minimum supported Rust version is now 1.34.0. (#112)

New

  • Four new monitoring gauges last_update_start, last_update_done, last_update_duration, and serial that will allow alerting if Routinator stops updating. (#122 and #131)
  • Accept RTR listening socket from systemd. This allows to listen on port 323 without special privileges. Enable via the new --listen-systemd option. (#127 and #130).
  • Improved path /status in HTTP output that provides the same information as the /metrics endpoint in slightly different format that might make it easier to use in processing. (#131)
  • Filtering for address prefixes and ASNs in VRP output via the vrps command or in HTTP output. (#137)

Bug Fixes

  • The value of the listen-http config option wasn’t include in the output of the config command. Now it is. (#109)
  • The HTTP server would eventually hang Routinator in a tight loop if connections were closed early by the peer. (#120)
  • Only read files ending in .tal in the TAL directory as is already documented. (#121)
  • Announce the correct content type in HTTP output with formats JSON and CSV. (#146)

Dependencies

  • Update to rpki-rs 0.4 (#111)

0.3.3 ‘Big Bada Boom’

Bug Fixes

  • The config file option specific to rtrd mode weren’t picked up. (#102, reported by Jay Borkenhagen)
  • Ignore ‘broken pipe’ errors when outputting VRPs to make Routinator play nice with piping output into scripts etc. (#105)
  • Fixes a crash when validating certain invalid resource sets on certificates. (rpki-rs #30)

Dependencies

  • There’s now a crude way to check if you have the minimum Rust version required and stop building. (#104)

0.3.2 ‘Bitter and Twisted’

Bug Fixes

  • Print errors when reading the trust anchor locators to standard error instead of logging them since logging isn’t set up yet at that point. (#89)
  • Use route6: fields in RPSL output for IPv6 prefixes. (#96, reported by @matsm)
  • Use LF as line endings in RPSL output. Seems that’s what whois uses in practice, too. (#97, reported by @matsm)

0.3.1 ‘More Intensity’

New

  • TAL files will only be read once when Routinator starts. This improves robustness at the cost of having to restart Routinator when the TALs change. (#74)
  • New option --rsync-timeout setting the maximum number of seconds any rsync command is allowed to run. This prevents hanging rsync from blocking Routinator. (#76)
  • Additional Prometheus metric valid_roas reporting the number of verified ROAs. Additionally, both metrics are now reported separately for each TAL. (#78)
  • Compare RTR serial numbers according to RFC 1932. (#81)

Bug Fixes

  • A missing tcp-listen option in the config file caused Routinator to crash in rtrd mode instead of using the default socket. (#80)
  • Decoding manifest and ROAs now checks that the content type field in the signed object has the correct object identifier. (rpki-rs #27)

0.3.0 ‘It’s More Fun at the Zoo’

Breaking Changes

  • Several API and organizational changes in the Routinator library crate for the various improvements below.

New

  • New output format csvext that mimics the output format of the Original RIPE NCC Validator. (#59)

  • Support for alternative resource extensions and validation defined in [RFC 8360]. (The accompanying changes made it quite a bit faster, too.) (#63)

  • Support for cargo-deb-based Debian packaging. Thanks to David Monosov. (#62)

  • Log warnings for stale manifests and CRLs.

  • Optional HTTP service in rtrd mode. This can be enabled via the --listen-http command line option and the listen-http config option. This is only the beginning of more extensive monitoring support. (#68)

Bug Fixes

  • Converts the endianess of the serial number in the SerialNotify RTR PDU. Reported by Massimiliano Stucchi. (#60)

Dependencies

  • Docker build updated to Rust 1.32 and Alpine Linux 3.9. Thanks to David Monosov. (#61)

Housekeeping

  • Included Clippy in Travis runs for better code quality. (#65)

0.2.1 ‘Rated R’

New

  • The config command now prints the configuration in TOML format and can be used to create a configuration file for the current configuration. (#54)
  • Routinator now builds and runs on Windows. Given that Windows is a Rust tier 1 platform, we wanted to see how difficult it is to get this going. Note that you will need the rsync executable that comes with Cygwin. (#55)

Bug Fixes

  • Actually use $HOME/.routinator.conf as the default config file as promised by the documentation. (#49)
  • Fix a compile time error on 32 bit systems.

0.2.0 ‘Instant Gezellig’

Breaking Changes

  • The command line arguments have been restructured to use commands to determine the mode of operation rather than options. In the course of that, some options changed, too. (#35)
  • Add trust anchor information to the CSV, JSON, and RPSL output. (#21)

New

  • Add a configuration file for all standard options and the options for the RTR server mode. (#35)
  • Add a Dockerfile for building and deploying through Docker. Thanks to David Monosov. (#23)
  • Output from the rsync runs is now send to the logger and will be handled according to log settings. Output to stderr is logged with log level warn, stdout is logged with info. (#27)
  • New options for daemon mode: pid-file, working-dir, and chroot. Options to change the user and group in daemon mode are coming soon. (#42)
  • In daemon mode, forking now happens after the TALs are checked so that you can see the error messages and that it fails.
  • New VRP output format openbgpd which produces a roa-set for OpenBGPD config. Thanks to Job Snijders. (#32)
  • A new command line and config file option rsync-command allows to choose which command to run for rsync. A new config file option rsync-args allows to provide arguments to rsync. (#41)

Bug Fixes

  • The default output format was accidentally changed to none. It is csv again.

Performance Improvements

  • Caching of CRL serial numbers for CAs with large manifests leads to about half the validation time for the current repository. (#34)

0.1.2 ‘And I Cry If I Want To’

Bug Fixes

0.1.1 ‘Five-second Rule’

Bug Fixes

0.1.0 ‘Godspeed!’

Initial public release.