
This release fixes the following issues:

  • RRDP serial should start from 1, not 0 (#741)
  • Allow configuring RFC6492/8181 client timeouts (#743)

The first addresses a non-critical bug, present in all Krill versions before this release, that was found when running Krill as a Publication Server.

The second addresses an issue seen in Krill 0.7.3 running with hundreds of CAs in a single Krill instance. Such timeouts have not been seen in Krill 0.9.x, but it does not hurt to give operators control over this configuration.

If you are using Krill for RPKI CA functions only, and you have already upgraded to version 0.9.3, then there is no immediate need to upgrade to this version. If you are running a version from before 0.9.3, then you are still advised to upgrade to this version for the reasons listed under version 0.9.3.


This release includes the following features and fixes:

  • Prevent a thundering herd of hosted CAs publishing at the same time (#692)
  • Re-issue ROAs to ensure that short EE subject names are used (#700)
  • Handle rate limits when updating parents (#680)
  • Support experimental ASPA objects through CLI (#685)

Note that ASPA objects are not intended for use in production environments just yet. We have added experimental support for this to support the development of the ASPA standards in the IETF. In order to use this from the CLI you will need to build Krill with the aspa Cargo feature enabled (e.g. cargo build --features aspa). More information on how to use Krill to manage ASPA objects can be found here.

The full list of changes can be found here.


This release includes two features aimed at users who run a Krill CA to maintain ROAs:

  • Warn about ROA configurations for resources no longer held #602
  • Re-enable migration of CA content to a new Publication Server #480

In addition to this we have added a lot of smaller improvements:

  • Synchronize the manifest EE lifetime and next update time #589
  • Improve error reporting on I/O errors #587
  • Add rsync URI to testbed TAL #624
  • Improve status reporting and monitoring #651, #650, #648

The following features were added to support users who operate Krill as a parent
CA, or Publication Server:

  • Optionally suspend inactive child CAs using krill 0.9.2 and up #670
  • Perform RRDP session reset on restart #533
  • Use unguessable URIs for RRDP deltas and snapshots #515
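The RRDP items in these notes (session reset on restart, unguessable delta and snapshot URIs, and the serial-must-start-at-1 fix in the later release) all concern the notification file a Publication Server serves to validators. The checker below is an added example, not Krill code: it parses a notification file as defined in RFC 8182, verifies the invariants a relying party cares about (version, UUID session id, serial of at least 1, https URIs, hex SHA-256 hashes, contiguous delta serials, and that a snapshot's hash actually matches its bytes) and flags object URIs that could be predicted from the session id and serial alone. The session id, hashes, host name and random path components are constructed for the example, and the "unguessable URI" test is this example's own heuristic, not Krill's rule.

```python
"""Sanity checks for an RRDP notification file (RFC 8182) as served by a
Publication Server such as Krill. Added example, not Krill code. The session
id, host name, hashes and random path parts below are constructed."""
import hashlib
import hmac
import re
import uuid
import xml.etree.ElementTree as ET   # default expat parser resolves no external entities
from typing import List, Tuple
from urllib.parse import urlparse

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"
HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")

SESSION = "6c4ad3b4-8a1d-4e0f-9a3d-2f0c6a9b1e77"   # constructed session id
RAND3 = "3f9c2d7e1a4b5c6d8e7f9a0b1c2d3e4f"           # constructed random path parts
RAND2 = "0a1b2c3d4e5f60718293a4b5c6d7e8f9"
DELTA3_HASH, DELTA2_HASH = "11" * 32, "22" * 32       # constructed, not real digests
SNAPSHOT = (b'<snapshot xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
            b'session_id="' + SESSION.encode() + b'" serial="3"></snapshot>\n')

NOTIFICATION_OK = f'''<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
 session_id="{SESSION}" serial="3">
  <snapshot uri="https://rrdp.example.net/rrdp/{SESSION}/3/{RAND3}/snapshot.xml"
            hash="{hashlib.sha256(SNAPSHOT).hexdigest()}"/>
  <delta serial="3" uri="https://rrdp.example.net/rrdp/{SESSION}/3/{RAND3}/delta.xml"
         hash="{DELTA3_HASH}"/>
  <delta serial="2" uri="https://rrdp.example.net/rrdp/{SESSION}/2/{RAND2}/delta.xml"
         hash="{DELTA2_HASH}"/>
</notification>'''.encode()

# serial 0, plain http, a hash that is not SHA-256, and a predictable path
NOTIFICATION_BAD = f'''<notification xmlns="http://www.ripe.net/rpki/rrdp" version="1"
 session_id="{SESSION}" serial="0">
  <snapshot uri="http://rrdp.example.net/rrdp/{SESSION}/0/snapshot.xml" hash="deadbeef"/>
</notification>'''.encode()


def _int(value) -> int:
    try:
        return int(value)
    except (TypeError, ValueError):
        return -1


def has_unguessable_segment(path: str, session: str, obj_serial: int) -> bool:
    """Heuristic of this example: some path segment before the file name must be
    neither the session id nor the serial and at least 16 characters long,
    otherwise anyone who has seen the notification can predict the next URI."""
    return any(seg and seg != session and seg != str(obj_serial) and len(seg) >= 16
               for seg in path.split("/")[:-1])


def check_object(el, session: str, notif_serial: int) -> List[str]:
    problems = []
    tag = el.tag[len(RRDP_NS):]
    obj_serial = notif_serial if tag == "snapshot" else _int(el.get("serial"))
    uri, digest = el.get("uri", ""), el.get("hash", "")
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        problems.append(f"{tag}: uri must be https, got {uri!r}")
    if not HEX_SHA256.match(digest):
        problems.append(f"{tag}: hash is not a hex-encoded SHA-256")
    if tag == "delta" and not 1 <= obj_serial <= notif_serial:
        problems.append(f"delta: serial {obj_serial} outside 1..{notif_serial}")
    if not has_unguessable_segment(parsed.path, session, obj_serial):
        problems.append(f"{tag}: uri path {parsed.path!r} is predictable from session id and serial")
    return problems


def check_notification(xml_bytes: bytes) -> List[str]:
    """Return a list of problems; an empty list means the file passed."""
    root = ET.fromstring(xml_bytes)
    if root.tag != RRDP_NS + "notification":
        return [f"unexpected root element {root.tag}"]
    problems = []
    if root.get("version") != "1":
        problems.append("version must be 1")
    session = root.get("session_id", "")
    try:
        uuid.UUID(session)
    except ValueError:
        problems.append(f"session_id {session!r} is not a UUID")
    serial = _int(root.get("serial"))
    if serial < 1:
        problems.append("serial must be >= 1 (a serial of 0 is the bug fixed in Krill #741)")
    snapshots = root.findall(RRDP_NS + "snapshot")
    deltas = root.findall(RRDP_NS + "delta")
    if len(snapshots) != 1:
        problems.append("exactly one snapshot element is required")
    for el in snapshots + deltas:
        problems += check_object(el, session, serial)
    delta_serials = sorted(_int(d.get("serial")) for d in deltas)
    if delta_serials and delta_serials != list(range(delta_serials[0], serial + 1)):
        problems.append(f"delta serials {delta_serials} are not contiguous up to {serial}")
    return problems


def snapshot_ref(xml_bytes: bytes) -> Tuple[str, str]:
    """(uri, hash) of the snapshot, for fetching and verifying it."""
    el = ET.fromstring(xml_bytes).find(RRDP_NS + "snapshot")
    return el.get("uri", ""), el.get("hash", "")


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """A client must reject a snapshot or delta whose bytes do not hash to the
    value announced in the notification file."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex.lower())


if __name__ == "__main__":
    print("ok file:", check_notification(NOTIFICATION_OK) or "no problems")
    print("bad file:", *check_notification(NOTIFICATION_BAD), sep="\n  ")
    print("snapshot hash matches:", verify_hash(SNAPSHOT, snapshot_ref(NOTIFICATION_OK)[1]))
```

Point the checker at the notification.xml your Krill instance serves (and at the snapshot it references) after an upgrade or restart: a session reset shows up as a new session id with the serial back at 1, and every snapshot or delta URI should carry a component you could not have predicted from the previous notification.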

The updated documentation for this release can be found here:
https://krill.docs.nlnetlabs.nl/en/0.9.2/index.html

The full list of changes can be found here:
https://github.com/NLnetLabs/krill/projects/16


This release fixes an issue where the Publication Server would lock up (#606). Users who do not use Krill to operate their own Publication Server do not need to upgrade to this release.

This locking issue was caused by slow deserialisation of the repository content. It primarily affected large repositories, because more content makes this process slower, and having more publishers who publish regularly means it is triggered more frequently.


This is the first major release of Krill in a while.

While basic ROA management is unchanged, there were many changes under the hood:

  • Multi-user support in the User Interface (local users or OpenID Connect)
  • Reduce disk space usage and growth over time
  • API and naming consistency (in preparation for 1.0 in future)
  • Publication Server improvements (to whom it may concern)
  • Many small improvements and minor bug fixes

For a full list of issues that were included in this release see:
https://github.com/NLnetLabs/krill/projects/4

Updated documentation is available here:
https://krill.docs.nlnetlabs.nl/en/stable/index.html

With multi-user support you can now give people in your organization individual access rights to your CA - and they no longer need to share a password. If you have an OpenID Connect provider then you can integrate Krill with it. Read more here:
https://krill.docs.nlnetlabs.nl/en/stable/multi-user.html

Krill versions before 0.9.0 keep a lot of data around that is not strictly needed. This can clog up your system and it makes the Krill history difficult to parse. History can be seen using krillc history. We will include support for inspecting history in the UI soon.

There were some API and CLI changes introduced in this release. Over time things had become a bit inconsistent and we felt we needed to fix that before we can consider going for the Krill 1.0 release. If you are using automation then these changes may break your current integrations. Please have a look at the following page to see if and how this affects you:
https://krill.docs.nlnetlabs.nl/en/stable/upgrade.html

Note that your Krill data store will be upgraded automatically if you upgrade to this release. This upgrade can take some time, up to around 30 minutes depending on the amount of history which accumulated over time and the speed of your system. During the migration you will not be able to update your ROAs, but your existing ROAs will remain available to RPKI validators, i.e. there is no downtime expected with regard to RPKI validation.

We have tested this on various (big) Krill instances running CAs as well as Publication Servers. Still, we recommend that you make a backup of your data store before upgrading. In case the upgrade should unexpectedly fail for you, please restore your old data, run the previous binary, and contact us so that we can make a fix. Alternatively, copy your data except for the keys directory to a test system and then use the new Krill binary there with the following env variable set so you can test the data migration: KRILL_UPGRADE_ONLY=1

Finally, note that you need to run at least Krill 0.6.0 in order to upgrade. If you run an older version you will need to upgrade to version 0.8.2 first.


As it turned out, the previous release (0.8.1) still insisted on cleaning up 'redundant ROAs' when migrating to that version. This clean-up would not cause any issues with regard to the validity of your announcements. However, we realised in 0.8.1 that users should be the ones to decide whether they want to have extra ROAs or not, so this clean-up should have been removed then.

This release removes this clean-up and introduces no other changes. We recommend that users who did not upgrade already upgrade to this release. However, if you already successfully upgraded to 0.8.1, then upgrading to this release is not needed.


The ROA guidance introduced in release 0.8.0 was stricter than it should have been. This release allows users to create redundant ROAs once again, while providing guidance in the form of warnings and suggestions only. Full documentation on the Krill suggestions has been added to the online documentation.

In addition to this we have included some small improvements for the Krill Publication Server.


We are happy to introduce Krill 0.8.0 'The Art of ROA Maintenance'. In this version we have added further refinements to the ROA management interface, to give users the confidence that their authorisations accurately reflect their BGP announcements.

The first of these improvements are warnings about ROAs that are too permissive, meaning that they allow more announcements than what is seen in BGP. This encourages users to apply best operational practices. Secondly, Krill will not allow the creation of redundant ROAs, or ROAs that would make other ones redundant. Lastly, there is now support for AS0 ROAs, which are explicit statements that specify which prefixes should never be seen on the public Internet.
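The ROA checks described here (too-permissive ROAs, redundant ROAs, AS0 ROAs) and the 0.9.2 warning about ROAs for resources the CA no longer holds all come down to comparing ROA configurations with held resources and observed BGP announcements. The script below is an added example and not Krill's code: it implements RFC 6811 route origin validation for an announcement, then applies this example's own heuristics for "unseen", "too permissive", "redundant" and "not held" ROAs. All prefixes, ASNs and announcements are constructed sample data from documentation ranges.

```python
"""Review ROA configurations against held resources and observed BGP
announcements. Added example, not Krill code: the classification rules here
are this example's heuristics. Sample data is constructed (RFC 5737/3849
documentation prefixes, RFC 5398 documentation ASNs)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Roa:
    prefix: str
    max_len: int
    asn: int          # asn 0 is an AS0 ROA: nobody may originate this prefix


@dataclass(frozen=True)
class Announcement:
    prefix: str
    asn: int


def _net(prefix: str):
    return ip_network(prefix)


def _within(inner: str, outer: str) -> bool:
    a, b = _net(inner), _net(outer)
    return a.version == b.version and a.subnet_of(b)


def covers(roa: Roa, ann: Announcement) -> bool:
    """RFC 6811 match: same origin AS, announced prefix inside the ROA prefix
    and not longer than max_len."""
    return (roa.asn == ann.asn and _within(ann.prefix, roa.prefix)
            and _net(ann.prefix).prefixlen <= roa.max_len)


def validate(ann: Announcement, roas: List[Roa]) -> str:
    """Route origin validation state (RFC 6811): valid, invalid or not-found.
    An AS0 ROA never matches an announcement, so a prefix covered only by an
    AS0 ROA is 'invalid' rather than 'not-found'."""
    matched = False
    for roa in roas:
        if _within(ann.prefix, roa.prefix):
            matched = True
            if covers(roa, ann):
                return "valid"
    return "invalid" if matched else "not-found"


def roas_for_unheld_resources(roas: List[Roa], held: List[str]) -> List[Roa]:
    """ROAs whose prefix lies outside every resource the CA still holds; the
    CA can no longer issue these (the situation Krill warns about in #602)."""
    return [r for r in roas if not any(_within(r.prefix, h) for h in held)]


def review_roas(roas: List[Roa], anns: List[Announcement]) -> Dict[Roa, str]:
    """'unseen': no announcement matches the ROA at all. 'too permissive':
    max_len exceeds the longest matching announcement, or the ROA prefix is
    shorter than the shortest one, so more-specifics or sibling prefixes that
    nobody announces would validate too."""
    findings = {}
    for roa in roas:
        if roa.asn == 0:
            continue  # AS0 ROAs are meant to match nothing
        lens = [_net(a.prefix).prefixlen for a in anns if covers(roa, a)]
        if not lens:
            findings[roa] = "unseen"
        elif roa.max_len > max(lens) or _net(roa.prefix).prefixlen < min(lens):
            findings[roa] = "too permissive"
    return findings


def redundant_roas(roas: List[Roa]) -> List[Tuple[Roa, Roa]]:
    """(roa, other) pairs where everything `roa` authorises is already
    authorised by `other`: same AS, prefix inside other's prefix, max_len not
    larger. Such a ROA adds an object without adding authorisation."""
    out = []
    for roa in roas:
        for other in roas:
            if other is roa or other.asn != roa.asn:
                continue
            if _within(roa.prefix, other.prefix) and roa.max_len <= other.max_len:
                out.append((roa, other))
                break
    return out


# Constructed sample data
HELD = ["192.0.2.0/24", "2001:db8::/32"]
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),     # exactly what is announced
    Roa("192.0.2.0/24", 26, 64496),     # max_len 26 also allows unannounced /25 and /26
    Roa("192.0.2.0/25", 25, 64496),     # nothing announced; also redundant
    Roa("2001:db8::/32", 48, 64496),    # nothing announced from AS64496
    Roa("2001:db8:1::/48", 48, 0),      # AS0: this /48 must not appear in BGP
    Roa("198.51.100.0/24", 24, 64496),  # resource no longer held
]
ANNOUNCEMENTS = [
    Announcement("192.0.2.0/24", 64496),
    Announcement("2001:db8:1::/48", 64497),  # contradicts the AS0 ROA
    Announcement("203.0.113.0/24", 64496),   # no ROA covers it at all
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(ann.prefix, ann.asn, validate(ann, ROAS))
    for roa, finding in review_roas(ROAS, ANNOUNCEMENTS).items():
        print(finding, roa)
    for roa, other in redundant_roas(ROAS):
        print("redundant:", roa, "already covered by", other)
    print("not held:", roas_for_unheld_resources(ROAS, HELD))
```

The AS0 case is the one worth noting: the announcement of 2001:db8:1::/48 from AS64497 is rejected as invalid even though no ROA names that AS, because the AS0 ROA covers the prefix and matches nothing, which is exactly the "must never be seen" statement the release describes.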

The backend has several improvements and refinements as well, such as allowing aggregation of ROAs to lower the number of objects, and improved reporting on communication with parents and the repository. To make Krill more resilient, we have added recovery functionality in case data on disk is incomplete due to, for example, a full disk or a failed system. In relation to this, we now ensure Krill stops in case data cannot be written to disk, to prevent inconsistent states. Lastly, Krill does a full re-synchronisation with its parents and the repository on start-up.

With this release we have also started to operate a Krill testbed service. The testbed offers both a parent CA and a repository. As such you can just run a Krill instance, on a laptop even, without the need to operate real infrastructure for testing.

It allows you to register any resources for your Child CA, so you can test with your real resources. Because this testbed uses its own TEST Trust Anchor, ROAs created here will not end up being used by production routers.

You can find the test service here:
https://testbed.rpki.nlnetlabs.nl/

To install Krill 0.8.0 you can use Cargo, the Rust package manager, or use the packages for Debian and Ubuntu we provide on https://packages.nlnetlabs.nl


There is no need to upgrade to this version. It was created only so that you can continue to compile Krill locally using the latest Rust compiler.

As it turns out, the many asynchronous calls (the cool stuff that makes Krill thread safe) cause the compiler to do quite a bit of work in a process called 'monomorphization'. The latest compiler version goes on strike as a result, unless we instruct it beforehand that more work is coming its way.


This release fixes an issue where the BGP RIS dump files were reloaded and checked too frequently, causing high CPU and bandwidth usage.