Releases: NLnetLabs/krill
v0.14.0-rc2
This is the second release candidate for the coming 0.14.0 release. We invite all interested users to test this version, but please do not upgrade your production environment until 0.14.0 has been released.
This release introduces the following small features and fixes:
- Add traditional and simplified Chinese translations #1075
- Let the testbed automatically renew the TA manifest and CRL #1095
- Show the delete icon for AS0 ROA when there is another existing announcement #1109
- Show delete ROA button when no BGP preview is available #1139 (fixed in 0.14.0-rc2)
The main effort in this release, however, went into improving how Krill stores its data. This improves robustness today and paves the way for Krill clustering with a database back-end in a future release. The following issues were addressed:
- Improve transactionality of changes (e.g. #1076-1078, #1085, #1108, #1090)
- Remove no longer needed 'always_recover_data' function #1086
- Improve upgrade failed error: tell users to downgrade #1042
- Crash Krill if the task scheduler encounters a fatal error #1132
- Add support for importing delegated child CAs #1133
Note that this release still uses the now outdated ASPA object syntax. We plan to make another focused release to address this immediately after 0.14.0 is released. See issue #1080.
Note that if you were running 0.13.1 as a testbed, you may have symlinked the "signer" directory to "ta_signer" to support a manual workaround for re-signing the trust anchor CRL and manifest (issue #1095). If you did, you may need to delete any surplus files and directories under "/var/lib/krill/data/ta_signer" other than the "ta" directory.
0.13.1 ‘Scrollbars!’
The Krill UI includes a CA selection dropdown in case you have multiple CAs. This dropdown used to have a scrollbar, which was accidentally lost in the UI overhaul we did in version 0.13.0. This is now fixed (#1071).
0.13.0 ‘DRY’
Summary
This release contains an important fix for an issue affecting v0.12.x Publication Servers (see PR #1023). It is recommended that affected installations are upgraded as soon as possible.
The user interface was completely re-implemented in this release resulting in a smaller browser footprint. Functionality is mostly unchanged, except that users can now have an optional comment with each of their ROA configurations. These comments are not part of published ROA objects - they are meant for local bookkeeping only.
ASPA objects are now supported through the CLI by default. We hope to add UI support later this year.
Krill can now be used as a full RPKI Trust Anchor, using a detached (possibly offline) signer for Trust Anchor key operations.
Publication Server
Krill 0.12.x Publication Servers suffer from an issue where multiple entries for the same URI, but with different hashes, can appear in a single RRDP snapshot.
This problem was solved by removing the duplication of published object data in the Krill architecture and ensuring that the URI, rather than an object's hash, is used as its primary key internally. More information can be found in pull request #1023.
We recommend that existing 0.12.x Publication Server installations are upgraded to this version.
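As an added operator-side check (not Krill's own code), the following parses an RRDP snapshot and flags any URI that appears in more than one publish element, hashing the decoded content so that the different-hash case described for 0.12.x can be told apart from a plain repeat; the snapshot XML, its URIs and its session_id are constructed sample data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"

# Constructed sample snapshot (not a real repository): the same ROA URI is
# published twice with different content, which is the 0.12.x symptom.
SAMPLE_SNAPSHOT = b"""<?xml version="1.0" encoding="UTF-8"?>
<snapshot xmlns="http://www.ripe.net/rpki/rrdp" version="1"
          session_id="9df4b597-af9e-4dca-bdda-719cce2c4e28" serial="42">
  <publish uri="rsync://rpki.example.net/repo/ca/AS64496.roa">QUJD</publish>
  <publish uri="rsync://rpki.example.net/repo/ca/AS64496.roa">REVG</publish>
  <publish uri="rsync://rpki.example.net/repo/ca/ca.mft">R0hJ</publish>
</snapshot>
"""


def find_duplicate_uris(snapshot_xml: bytes) -> dict[str, list[str]]:
    """Return {uri: [sha256 hex, ...]} for every URI published more than once.

    Each publish payload is base64-decoded and hashed, so repeats with
    identical content are also reported (still a malformed snapshot) but can
    be distinguished from the different-content case.
    """
    root = ET.fromstring(snapshot_xml)
    if root.tag != RRDP_NS + "snapshot":
        raise ValueError(f"not an RRDP snapshot: {root.tag}")
    hashes_by_uri: dict[str, list[str]] = defaultdict(list)
    for pub in root.iter(RRDP_NS + "publish"):
        uri = pub.get("uri")
        if uri is None:
            raise ValueError("publish element without uri attribute")
        content = base64.b64decode((pub.text or "").strip(), validate=True)
        hashes_by_uri[uri].append(hashlib.sha256(content).hexdigest())
    return {uri: hs for uri, hs in hashes_by_uri.items() if len(hs) > 1}


def report(snapshot_xml: bytes) -> int:
    """Print one line per duplicated URI; return the number of such URIs."""
    dupes = find_duplicate_uris(snapshot_xml)
    for uri, hashes in sorted(dupes.items()):
        kind = "different content" if len(set(hashes)) > 1 else "identical content"
        print(f"DUPLICATE {uri}: {len(hashes)} publish elements ({kind})")
    return len(dupes)


if __name__ == "__main__":
    report(SAMPLE_SNAPSHOT)
```

A non-zero return from report() on a snapshot fetched from your own Publication Server is the signal to upgrade and let the rewritten storage rebuild the repository content.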
Updated User Interface
A lot of changes were introduced in this release. For most users the following improvements will be most visible and relevant:
The new krill-ui project has its own repository where issues can be tracked:
https://github.com/NLnetLabs/krill-ui
ASPA Support
ASPA support is now enabled in the CLI (#1031). We hope to add UI support later this year.
We added a number of new restrictions:
- Krill MUST NOT create only a single AFI ASPA (#1063)
- ASPA object MUST NOT allow the customer AS in the provider AS list (#1058)
You can read more about ASPA support here:
https://krill.docs.nlnetlabs.nl/en/0.13.0/manage-aspas.html
API Changes
We removed the repository next update time from the stats and metrics output. It was inaccurate (usually 8 hours off), and not very informative. More useful metrics are still provided: last exchange and last successful exchange. If these times differ, then there is an issue that may need attention.
Krill as a Trust Anchor
A lot of work has been done to support using Krill as a Trust Anchor. If you are not an RIR, you will not need to run your own RPKI TA for normal RPKI operations. That said, some users may want to operate their own TA outside of the TAs provided by the RIRs for testing, study or research reasons, or perhaps to manage private-use address space.
You can read more about this here:
https://krill.docs.nlnetlabs.nl/en/0.13.0/trust-anchor.html
Implemented issues:
- Support offline TA (#976)
- Support initialising offline TA with existing key (#979)
- Bulk import/configure CAs with ROAs (#968, #969)
- Support migration of existing TAs (#978)
- Use new TA for embedded (test) TA (#977)
Other Changes
Publication Server Improvements:
Miscellaneous improvements and fixes:
- Log for which child / parent / publisher CMS validation failed (#1027)
- Permit setting CKA_PRIVATE to CK_FALSE on PKCS#11 RSA public keys (#1019)
- Ensure that the CSR uses a trailing slash for id-ad-caRepository (#1030)
- Accept id-cert with path len constraints (#966)
- Publication Server should check uri, not hash, in publish elements (#981)
The overview of all issues for this release can be found here:
https://github.com/NLnetLabs/krill/projects/24
Sakura
This release contains a feature that enables Publication Server operators to remove unwanted, surplus files from their repository. This feature was cherry-picked from the upcoming major release branch so that Publication Server operators can use it without delay.
Note that if you do not use Krill to operate a Publication Server, then there is no need to upgrade to this version now.
For more details see: #1022
Dijkstra
This release fixes a locking issue that can affect a Krill Publication Server with a large number of concurrent publishers. See PR #1007.
If you only use Krill as an RPKI Certificate Authority and publish elsewhere, e.g. in an RPKI Publication Server provided by your RIR or NIR, then there is no need to update to this release.
Safety Belts
This release introduces two fixes for the Krill Publication Server. If you only use Krill as an RPKI Certificate Authority and publish elsewhere, e.g. in an RPKI Publication Server provided by your RIR or NIR, then there is no need to update to this release.
Firstly, this release fixes CVE-2023-0158.
This CVE describes an exposure where remote attackers could cause Krill to crash if it is used as an RPKI Publication Server and if its "/rrdp" endpoint is accessible over the public internet. Note that servers are not affected if the advice in our documentation was followed and a separate web server is used to serve the RRDP data.
Secondly, locking was added in this release to ensure that updates to the repository content are always applied sequentially. This fixes a concurrency issue introduced in Krill 0.12.0 that could result in rejecting an update from a publishing CA. In such cases the affected update would not be visible to RPKI validators until a later publication attempt succeeded.
We advise that users upgrade to this version of Krill if they use it as their RPKI Publication Server. We also continue to recommend that a separate web server is used for serving the RRDP data.
Crickets
This release vastly reduces the CPU usage by Publication Servers for big RPKI repositories.
In addition to this we added a small feature, and fixed an interop issue:
RC3 (#961) improves parent synchronisation scheduling and logging
RC2 (#960) fixes an issue in RC1 where the repository content would not be upgraded properly.
Upgrade instructions for the RC release are here:
https://krill.docs.nlnetlabs.nl/en/latest/upgrade.html#v0-12-0
The overview of all issues for this release can be found here:
https://github.com/NLnetLabs/krill/projects/23
Full documentation for the RC version can be found here:
https://krill.docs.nlnetlabs.nl/en/latest/
What about that ROA?
In this release we introduce two features in the Krill API and CLI:
- Support optional comment for each ROA configuration #863
- Show ROA object(s) for each ROA configuration #864
This is not yet supported in the UI, but will be in the near future as the current UI will get a make-over soon.
Other than this we included a few minor issues and fixes:
- Query initialisation parameters for Krill pubserver (rrdp/rsync URI) #835
- Tasks for removed CAs should not result in errors #906
- Disallow negative numbers in config #808
Documentation can be found here:
https://krill.docs.nlnetlabs.nl/en/stable/
And here:
https://krill.docs.nlnetlabs.nl/en/stable/upgrade.html#v0-11-0