
Releases: NLnetLabs/routinator

0.13.2 ‘Existential Funk’

26 Feb 13:19
f1234dd

Bug Fixes

  • Fix the RTR listener so that Routinator won’t exit if an incoming RTR
    connection is closed again too quickly. (#937, reported by Yohei
    Nishimura, Atsushi Enomoto, Ruka Miyachi; Internet Multifeed Co., Japan.
    Assigned CVE-2024-1622.)

0.13.1 ‘Aziz, Light!’

24 Jan 12:47
fef6b99

New

  • Added support for private keys marked as “EC PRIVATE KEY” in the PEM files for TLS server configuration. (#921)
  • The rsync collector now logs stderr output of the rsync command directly instead of collecting it and logging it in one go after the command returned. (#290)

Bug Fixes

  • The dump command will now succeed even if certain directories or files in the repository cache are missing. (#916)
  • A more meaningful message is now printed when decoding RPKI objects fails. It will still not give much detail but at least it isn’t confusing any more. (#917)

Other changes

  • Updated the nlnetlabs-testbed TAL to the current location and key. (#922)

0.13.1-rc1

17 Jan 11:11
Pre-release

New

  • Added support for private keys marked as “EC PRIVATE KEY” in the PEM files for TLS server configuration. (#921)
  • The rsync collector now logs stderr output of the rsync command directly instead of collecting it and logging it in one go after the command returned. (#290)

Bug Fixes

  • The dump command will now succeed even if certain directories or files in the repository cache are missing. (#916)
  • A more meaningful message is now printed when decoding RPKI objects fails. It will still not give much detail but at least it isn’t confusing any more. (#917)
  • The RTR server now returns the expected protocol version in the version negotiation error message rather than the requested version. (rpki-rs #280)
  • The RTR server does not accept protocol version 2 for now to avoid sending illegal ASPA PDUs. This is a workaround until the final format of the PDU is specified. (rpki-rs #281)

Other changes

  • Updated the nlnetlabs-testbed TAL to the current location and key. (#922)

0.13.0 ‘Should Have Started This in a Screen’

21 Sep 13:05
6176551

New

  • Added support for ASPA. Processing needs to be enabled via the new option enable-aspa which is only available if the aspa feature is explicitly selected during compilation. This is due to the specification still changing. The implementation currently conforms with draft-ietf-sidrops-aspa-profile-15. (#847, #873, #874, #878)
  • Added support for version 2 of the RTR protocol. This primarily means support for the ASPA payload type. (#847)
  • Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is enabled. (#859)
  • The HTTP server provides a new endpoint /json-delta/notify that can be used to wait for updated data similar to the RTR Notify PDU. (#863)
  • Added support for filtering and adding router keys via local exception files. (#865)
  • The vrps command and the HTTP payload output endpoints now allow excluding specific payload types for output. (#866)
  • Added a new member payload to the output of the /api/v1/status endpoint that gives an overall summary of the produced payload. (#867)
  • Added new members generated and generatedTime to the JSON object produced by the /json-delta endpoint. (#868)

Breaking Changes

  • A new field aspa was added to the jsonext format. See the manual page for more information. (#847)
  • A number of ASPA-related fields have been added to all metrics and status formats. (#847)
  • Renamed functions and attributes that refer to standalone end entity certificates to refer to router certificates so they don’t get confused with the end entity certificates included with signed objects. (#854)
  • Renamed the JSON member in the HTTP status API from validEECerts to validRouterCerts. The old name is still available but may be removed in the future. (#854)
  • The regular json output format now includes router key and ASPA output. Since both are disabled by default, the format will still be compatible by default. (#866)
  • The minimal required Rust version has been increased to 1.70. (#847, #853, #869, #879)

Bug Fixes

  • Fixed a bug in the RTR server where it would include router key PDUs even if the negotiated protocol version was 0. (via rpki-rs #250)
  • Restored the ability to parse ASNs in JSON input to the validity command as string or number. (#861)
  • Update bcder to at least 0.7.3 to fix various decoding issues that could lead to a panic when processing invalid RPKI objects.
  • Check the request URI when generating a path for storing a copy of a RRDP response with the rrdp-keep-responses option to avoid path traversal. (#894. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)

Other Changes

  • The log message for a missing manifest now includes the URI of the CA certificate for which the manifest is missing. (#864)
  • Binary packages are now also built for Debian bookworm. (#881)

0.13.0-rc2

13 Sep 16:28
0f4fc4b
Pre-release

Bug Fixes

  • Fixed various decoding issues that could lead to a panic when processing invalid RPKI objects. (via bcder release 0.7.3. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915.)
  • Check the request URI when generating a path for storing a copy of a RRDP response with the rrdp-keep-responses option to avoid path traversal. (#892. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)

0.12.2 ‘Brutti, sporchi e cattivi’

13 Sep 13:22
4b41c41

Bug Fixes

  • Fixed various decoding issues that could lead to a panic when processing invalid RPKI objects. (#891, via bcder release 0.7.3. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39915.)
  • Check the request URI when generating a path for storing a copy of a RRDP response with the rrdp-keep-responses option to avoid path traversal. (#892. Found by Haya Shulman, Donika Mirdita and Niklas Vogel. Assigned CVE-2023-39916.)

0.13.1-rc1

13 Jul 14:42
01ec225
Pre-release

New

  • Added support for ASPA. Processing needs to be enabled via the new option enable-aspa which is only available if the aspa feature is explicitly selected during compilation. This is due to the specification still changing. The implementation currently conforms with draft-ietf-sidrops-aspa-profile-15. (#847, #873, #874, #878)
  • Added support for version 2 of the RTR protocol. This primarily means support for the ASPA payload type. (#847)
  • Sending SIGUSR2 to Routinator will re-open a log file if logging to a file is enabled. (#859)
  • The HTTP server provides a new endpoint /json-delta/notify that can be used to wait for updated data similar to the RTR Notify PDU. (#863)
  • Added support for filtering and adding router keys via local exception files. (#865)
  • The vrps command and the HTTP payload output endpoints now allow excluding specific payload types for output. (#866)
  • Added a new member payload to the output of the /api/v1/status endpoint that gives an overall summary of the produced payload. (#867)
  • Added new members generated and generatedTime to the JSON object produced by the /json-delta endpoint. (#868)

Breaking Changes

  • A new field aspa was added to the jsonext format. See the manual page for more information. (#847)
  • A number of ASPA-related fields have been added to all metrics and status formats. (#847)
  • Renamed functions and attributes that refer to standalone end entity certificates to refer to router certificates so they don’t get confused with the end entity certificates included with signed objects. (#854)
  • Renamed the JSON member in the HTTP status API from validEECerts to validRouterCerts. The old name is still available but may be removed in the future. (#854)
  • The regular json output format now includes router key and ASPA output. Since both are disabled by default, the format will still be compatible by default. (#866)
  • The minimal required Rust version has been increased to 1.70. (#847, #853, #869, #879)

Bug Fixes

  • Fixed a bug in the RTR server where it would include router key PDUs even if the negotiated protocol version was 0. (via rpki-rs #250)
  • Restored the ability to parse ASNs in JSON input to the validity command as string or number. (#861)

Other Changes

  • The log message for a missing manifest now includes the URI of the CA certificate for which the manifest is missing. (#864)
  • Binary packages are now also built for Debian bookworm. (#881)

0.12.1 ‘Plan uw reis in de app’

04 Jan 11:14
3f64770

Bug Fixes

  • Actually use the extra-tals-dir config file option. (#821)
  • Allow private keys prefixed both with BEGIN PRIVATE KEY and BEGIN RSA PRIVATE KEY in the files referred to by http-tls-key and rtr-tls-key configuration options. (#831, #832)
  • On Unix, if chroot is requested but no working directory is explicitly provided, set the working directory to the chroot directory. (#823)
  • Fixed the error messages printed when the http-tls-key or http-tls-cert options are required but missing. They now refer to HTTP and not, as previously, to RTR. (#824 by @SanderDelden)

Other Changes

0.12.1-rc2

13 Dec 13:08
cc37f14
Pre-release

Bug Fixes

  • Allow private keys prefixed both with BEGIN PRIVATE KEY and BEGIN RSA PRIVATE KEY in the files referred to by http-tls-key and rtr-tls-key configuration options. (#831, #832)

0.12.1-rc1

05 Dec 14:58
6eadecf
Pre-release

Bug Fixes

  • Actually use the extra-tals-dir config file option. (#821)
  • On Unix, if chroot is requested but no working directory is explicitly provided, set the working directory to the chroot directory. (#823)
  • Fixed the error messages printed when the http-tls-key or http-tls-cert options are required but missing. They now refer to HTTP and not, as previously, to RTR. (#824 by @SanderDelden)

Other Changes