DRY

@timbru timbru released this 22 May 14:46
1a6dc2f

Summary

This release contains an important fix for an issue affecting v0.12.x Publication Servers (see PR #1023). It is recommended that affected installations are upgraded as soon as possible.

The user interface was completely re-implemented in this release, resulting in a smaller browser footprint. Functionality is mostly unchanged, except that users can now attach an optional comment to each of their ROA configurations. These comments are not part of published ROA objects; they are meant for local bookkeeping only.

ASPA objects are now supported through the CLI by default. We hope to add UI support later this year.

Krill can now be used as a full RPKI Trust Anchor, using a detached (possibly offline) signer for Trust Anchor key operations.

Publication Server

Krill 0.12.x Publication Servers suffer from an issue where multiple entries for the same URI, but with different hashes, can appear in a single RRDP snapshot.

This problem was solved by removing the duplication of published object data in the Krill architecture and ensuring that the URI, rather than an object's hash, is used as its primary key internally. More information can be found in pull request #1023.

We recommend that existing 0.12.x Publication Server installations are upgraded to this version.
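
A check for the snapshot condition described above, as an added example (not part of Krill or of the original release notes): it parses an RRDP snapshot in the RFC 8182 format, hashes each published object with SHA-256, and reports any URI that appears more than once. The sample snapshot, its session id, URIs and object bytes are constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

RRDP_NS = "{http://www.ripe.net/rpki/rrdp}"  # namespace defined by RFC 8182


def duplicate_uris(snapshot_xml: bytes) -> dict[str, list[str]]:
    """Return {uri: [sha256 hex, ...]} for URIs published more than once."""
    root = ET.fromstring(snapshot_xml)
    if root.tag != RRDP_NS + "snapshot":
        raise ValueError(f"not an RRDP snapshot: {root.tag}")
    seen = defaultdict(list)
    for elem in root.iter(RRDP_NS + "publish"):
        uri = elem.get("uri")
        if uri is None:
            raise ValueError("publish element without uri attribute")
        # Snapshot <publish> elements carry no hash attribute, so derive the
        # hash from the object itself (base64 text, whitespace allowed).
        content = base64.b64decode("".join((elem.text or "").split()))
        seen[uri].append(hashlib.sha256(content).hexdigest())
    return {uri: hashes for uri, hashes in seen.items() if len(hashes) > 1}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample: placeholder bytes stand in for real RPKI objects.
SAMPLE = f"""<snapshot xmlns="http://www.ripe.net/rpki/rrdp" version="1"
    session_id="00000000-0000-4000-8000-000000000000" serial="5">
  <publish uri="rsync://repo.example.net/ca/a.roa">{_b64(b'roa v1')}</publish>
  <publish uri="rsync://repo.example.net/ca/a.roa">{_b64(b'roa v2')}</publish>
  <publish uri="rsync://repo.example.net/ca/ca.mft">{_b64(b'manifest')}</publish>
</snapshot>""".encode()

if __name__ == "__main__":
    for uri, hashes in duplicate_uris(SAMPLE).items():
        print(f"{uri}: {len(hashes)} entries")
        for h in hashes:
            print(f"  sha256 {h}")
```

An empty result means every URI in the snapshot is unique; any reported URI with differing hashes matches the condition fixed in this release.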

Updated User Interface

A lot of changes were introduced in this release. For most users the following improvements will be most visible and relevant:

  • Updated UI to new and smaller code base (#995)
  • Allow ROA comments in UI (#995)

The new krill-ui project has its own repository where issues can be tracked:
https://github.com/NLnetLabs/krill-ui

ASPA Support

ASPA support is now enabled in the CLI (#1031). We hope to add UI support later this year.

We added a number of new restrictions:

  • Krill MUST NOT create only a single AFI ASPA (#1063)
  • ASPA object MUST NOT allow the customer AS in the provider AS list (#1058)

You can read more about ASPA support here:
https://krill.docs.nlnetlabs.nl/en/0.13.0/manage-aspas.html

API Changes

We removed the repository next update time from the stats and metrics output. It was inaccurate (usually 8 hours off), and not very informative. More useful metrics are still provided: last exchange and last successful exchange. If these times differ, then there is an issue that may need attention.

Krill as a Trust Anchor

A lot of work has been done to support using Krill as a Trust Anchor. If you are not an RIR, then you will not need to run your own RPKI TA for normal RPKI operations. That said, some users may want to operate their own TA outside of the TAs provided by the RIRs for testing, study or research reasons, or perhaps even to manage private use address space.

You can read more about this here:
https://krill.docs.nlnetlabs.nl/en/0.13.0/trust-anchor.html

Implemented issues:

  • Support offline TA (#976)
  • Support initialising offline TA with existing key (#979)
  • Bulk import/configure CAs with ROAs (#968, #969)
  • Support migration of existing TAs (#978)
  • Use new TA for embedded (test) TA (#977)

Other Changes

Publication Server Improvements:

  • Remove published object data duplication (#1023)
  • Delete repository files by URI (#991)

Miscellaneous improvements and fixes:

  • Log for which child / parent / publisher CMS validation failed (#1027)
  • Permit setting CKA_PRIVATE to CK_FALSE on PKCS#11 RSA public keys (#1019)
  • Ensure that the CSR uses a trailing slash for id-ad-caRepository (#1030)
  • Accept id-cert with path len constraints (#966)
  • Publication Server should check uri, not hash, in publish elements (#981)

The overview of all issues for this release can be found here:
https://github.com/NLnetLabs/krill/projects/24