Releases: NLnetLabs/krill

0.16.0 ‘Früher war mehr Lametta’

03 Mar 10:32
b2a26cd

Breaking changes

  • Reverted the use of Roto API for the ROA analysis to downloading RISwhois route origin data and optimized the way this data is stored in memory.

    Removed the bgp_api_enabled, bgp_api_uri, and bgp_api_cache_duration fields and added bgp_riswhois_enabled, bgp_riswhois_v4_uri, bgp_riswhois_v6_uri, and bgp_riswhois_refresh_duration fields, all of which are optional. (#1329)

  • Krill will now refuse to start if the config file contains unknown options. (#1322)
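
Taken together, these two changes mean that a config file still carrying the bgp_api_* fields would be rejected at startup. The following pre-upgrade check is an added example, not part of the Krill release notes or code base; it flags only the field names these notes mention. It assumes krill.conf is TOML with these options at the top level; the function name removed_options, the sample config and the table name example_table are constructed for illustration.

```python
import re
import sys

# Fields the 0.16.0 notes list as removed. bgp_api_cache_seconds is the name
# the 0.15.0 notes give for the cache setting, so it is checked as well.
REMOVED = {"bgp_api_enabled", "bgp_api_uri",
           "bgp_api_cache_duration", "bgp_api_cache_seconds"}
# Optional fields the 0.16.0 notes list as added.
ADDED = ("bgp_riswhois_enabled", "bgp_riswhois_v4_uri",
         "bgp_riswhois_v6_uri", "bgp_riswhois_refresh_duration")

KEY_RE = re.compile(r'^\s*(?:"([^"]+)"|([A-Za-z0-9_-]+))\s*=')
TABLE_RE = re.compile(r'^\s*\[')

def removed_options(config_text):
    """Return [(line_number, key)] for removed top-level options.

    Line-based scan of the TOML config: commented-out keys are ignored and
    scanning stops at the first [table] header, where top-level keys end.
    Assumption: no multi-line strings at the top level.
    """
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if TABLE_RE.match(line):
            break
        m = KEY_RE.match(line)
        key = (m.group(1) or m.group(2)) if m else None
        if key in REMOVED:
            hits.append((lineno, key))
    return hits

# Constructed sample config, not taken from a real deployment.
SAMPLE = '''\
# krill.conf carried over from 0.15.x (constructed)
log_level = "info"
bgp_api_enabled = true
# bgp_api_uri = "https://example.invalid/"
bgp_api_cache_seconds = 1800

[example_table]
bgp_api_uri = "inside a table, so not a top-level option"
'''

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    found = removed_options(text)
    for lineno, key in found:
        print(f"line {lineno}: {key} (bgp_api_* settings were removed in 0.16.0)")
    if found:
        print("optional fields added in 0.16.0: " + ", ".join(ADDED))
    sys.exit(1 if found else 0)
```

Run with the path to the config file as the only argument before upgrading; a non-zero exit status means at least one removed field is still set.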

New

  • A local krillc can now talk to the server via a Unix socket. In this case it will use the name of the local user for authentication purposes. By default, only the root user is allowed with the admin role, but both allowed users and what role they are mapped to can be configured. (#1322)
  • Added a krillc parents refresh command to allow refreshing the parents of a single CA rather than having to do a bulk refresh which can take a very long time if there are many CAs. (#1353)

Bug fixes

  • Fixed an issue with the new BGP API code which falsely returned missing announcement info. (#1326)
  • Fixed an issue where deleting children or parents of a CA fails before a successful communication with the remote CA. (#1331)
  • Fixed an error message when trying to delete a CA which does not have any parents, children, or repositories despite actually removing the CA. (#1331)
  • Start sweeping the authenticator cache upon daemon startup. This merely reduces memory consumption of the cache. Expired authentication tokens were not used either way. (#1337)
  • Fixed a bug introduced in 0.15.0 where CAs do not clear fulfilled certification requests, causing them to re-request a certificate every time they contact their parent. (#1345)
  • Do not re-try syncing with a parent of a CA when that parent isn’t known. (#1349)
  • Fixed un-suspending child CAs: rather than re-publishing the previously revoked certificate, a new certificate is now issued. (#1341)

Other changes

  • The default config files don’t serve as config documentation any more. Rather, there is now a krill.conf.5 manual page. This manual page is also included in the Krill manual. (#1322)
  • The cryptography library used by the rustls TLS implementation has been switched to aws-lc-rs. This has some consequences for packaging:
      • Dropped packaging for Ubuntu 20.04 (Focal Fossa). (#1359)

0.16.0-rc1

19 Feb 15:04
94b5c46

Pre-release

Breaking changes

  • Reverted the use of Roto API for the ROA analysis to downloading RISwhois route origin data and optimized the way this data is stored in memory.

    Removed the bgp_api_enabled, bgp_api_uri, and bgp_api_cache_duration fields and added bgp_riswhois_enabled, bgp_riswhois_v4_uri, bgp_riswhois_v6_uri, and bgp_riswhois_refresh_duration fields, all of which are optional. (#1329)

  • Krill will now refuse to start if the config file contains unknown options. (#1322)

New

  • A local krillc can now talk to the server via a Unix socket. In this case it will use the name of the local user for authentication purposes. By default, only the root user is allowed with the admin role, but both allowed users and what role they are mapped to can be configured. (#1322)
  • Added a krillc parents refresh command to allow refreshing the parents of a single CA rather than having to do a bulk refresh which can take a very long time if there are many CAs. (#1353)

Bug fixes

  • Fixed an issue with the new BGP API code which falsely returned missing announcement info. (#1326)
  • Fixed an issue where deleting children or parents of a CA fails before a successful communication with the remote CA. (#1331)
  • Fixed an error message when trying to delete a CA which does not have any parents, children, or repositories despite actually removing the CA. (#1331)
  • Start sweeping the authenticator cache upon daemon startup. This merely reduces memory consumption of the cache. Expired authentication tokens were not used either way. (#1337)
  • Fixed a bug introduced in 0.15.0 where CAs do not clear fulfilled certification requests, causing them to re-request a certificate every time they contact their parent. (#1345)
  • Do not re-try syncing with a parent of a CA when that parent isn’t known. (#1349)
  • Fixed un-suspending child CAs: rather than re-publishing the previously revoked certificate, a new certificate is now issued. (#1341)

Other changes

  • The default config files don’t serve as config documentation any more. Rather, there is now a krill.conf.5 manual page. This manual page is also included in the Krill manual. (#1322)
  • The cryptography library used by the rustls TLS implementation has been switched to aws-lc-rs. This has some consequences for packaging:
      • Dropped packaging for Ubuntu 20.04 (Focal Fossa). (#1359)

0.15.1 ‘Contains Adult Language’

19 Jan 14:04
b5a55b8

Bug fixes

  • Fixed a bug introduced in 0.15.0 where CAs do not clear fulfilled
    certification requests, causing them to re-request a certificate every
    time they contact their parent. (#1345)

Other changes

  • Updated dependencies.

0.15.0 ‘But I Digress’

12 Aug 11:45
c9dedb1

Breaking Changes

  • Refactored command line options processing for all binaries. As a result, options for both krillc and krillta have slightly changed. For krillc, the --server, --token, --format, and --api options are now before the first subcommand (since they affect all commands). For krillta, those options are now after krillta proxy but before the next subcommand, while --format is now after krillta signer. (#1228)
  • Removed support for RTA in krillc. Support is currently still present in the Krill server, though behind a (non-default) feature flag. (#1228)
  • Changed how authorization works with OpenID Connect and configuration files. Custom profiles have been replaced with a straightforward mapping from access permission to roles and assigning roles to users. For configuration file-based authentication, the file format has slightly changed but the current format is still accepted. If you are using OpenID Connect, you will have to update your configuration. Please see the manual for details. (#1232)
  • Replaced downloading of RISwhois file for ROA analysis with calls to the Roto API. This can be controlled via new configuration settings bgp_api_enabled, bgp_api_uri, and bgp_api_cache_seconds. (#1233, #1266)

New

  • Added a command to re-initialize the trust anchor signer with different timing values or TAL URLs. (#1255)
  • Disabled the protection against early re-issuance for CA certificates that have the full resource set, typically TA certificates. (#1281)

Bug Fixes

  • Fixed a potential infinite recursion in PKCS11 error handling. (#1215)
  • OpenID Connect: Re-initialize the connection after 60s to pick up configuration changes at the provider. (#1226)
  • Fixed the naming of the trust anchor timing configuration. It was expected to be timing_config for the config used by Krill and ta_timing if used by the Krill TA signer. It is now ta_timing in both cases while timing_config is accepted as an alias in both cases. (#1241)
  • Improve performance by using buffered reading and writing in the store. (#1300, #1301)

Other changes

  • Refactored Prometheus metrics generation which resulted in a slightly different formatting but should still be syntactically correct. (#1249)
  • Upgraded the bundled Krill UI to release 0.9.0. (#1295)
  • Added packaging support for Ubuntu Noble, RHEL 10, Debian Trixie; removed packaging support for Ubuntu Xenial and Bionic, and Debian Stretch. (#1239, #1297, #1308)
  • The minimum supported Rust version is now 1.85. (#1288)

0.15.0-rc6

11 Aug 13:04
517f625

Pre-release

This RC was only made to properly test upgrading Debian packages. It does not include any functional changes.

Other changes

  • Do not include systemd unit files in krillta and krillup deb packages. (#1313)

0.15.0-rc5

05 Aug 08:41
4559e5a

Pre-release

Bug fixes

  • Improved the message printed when the TA proxy’s signer request does not contain any actual requests. (#1305)
  • Fixed various migration issues. (#1306, #1307, #1309)

Other changes

  • Add packaging for Debian 13. (#1308)
  • Updated dependencies. (#1311)

0.15.0-rc4

26 Jun 12:00
5a6ea66

Pre-release

Bug fixes

  • Improve performance by using buffered reading and writing in the store.
    (#1300, #1301)

Other changes

  • Updated dependencies.

0.15.0-rc3

18 Jun 10:48
f18ff6c

Pre-release

Other changes

0.15.0-rc2

13 Jun 14:33

Pre-release

Bug fixes

  • Fix Krill refusing to start if the now unnecessary “refresh announcements info” task is still present by adding it back as a dummy task. (#1292)
  • Fix redirect of / to /ui and allow additional segments on the /ui path in the HTTP server. (#1293)

0.15.0-rc1

13 Jun 12:37
ee7e60a

Pre-release

Breaking Changes

  • Refactored command line options processing for all binaries. As a result, options for both krillc and krillta have slightly changed. For krillc, the --server, --token, --format, and --api options are now before the first subcommand (since they affect all commands). For krillta, those options are now after krillta proxy but before the next subcommand, while --format is now after krillta signer. (#1228)
  • Removed support for RTA in krillc. Support is currently still present in the Krill server, though behind a (non-default) feature flag. (#1228)
  • Changed how authorization works with OpenID Connect and configuration files. Custom profiles have been replaced with a straightforward mapping from access permission to roles and assigning roles to users. For configuration file-based authentication, the file format has slightly changed but the current format is still accepted. If you are using OpenID Connect, you will have to update your configuration. Please see the manual for details. (#1232)
  • Replaced downloading of RISwhois file for ROA analysis with calls to the Roto API. This can be controlled via new configuration settings bgp_api_enabled, bgp_api_uri, and bgp_api_cache_seconds. (#1233, #1266)

New

  • Added a command to re-initialize the trust anchor signer with different timing values or TAL URLs. (#1255)
  • Disabled the protection against early re-issuance for CA certificates that have the full resource set, typically TA certificates. (#1281)

Bug Fixes

  • Fixed a potential infinite recursion in PKCS11 error handling. (#1215)
  • OpenID Connect: Re-initialize the connection after 60s to pick up configuration changes at the provider. (#1226)
  • Fixed the naming of the trust anchor timing configuration. It was expected to be timing_config for the config used by Krill and ta_timing if used by the Krill TA signer. It is now ta_timing in both cases while timing_config is accepted as an alias in both cases. (#1241)

Other changes

  • Refactored Prometheus metrics generation which resulted in a slightly different formatting but should still be syntactically correct. (#1249)
  • Added packaging support for Ubuntu Noble; removed packaging support for Ubuntu Xenial and Bionic, and Debian Stretch. (#1239)
  • The minimum supported Rust version is now 1.85. (#1288)