Don’t generate origins two different ways. #407
Merged
wip-sync pushed a commit to NetBSD/pkgsrc-wip that referenced this pull request Oct 19, 2020

Pkgsrc changes:
* Re-compute cargo dependencies

Upstream changes:

Bug Fixes
* Apply unsafe filter (if requested) also on subsequent validation runs in server mode. ([#407])
* Update all metrics on all validation runs. ([#407])
* Show the status code instead of -1 in RRDP status metrics. ([#408])

Other Changes
* Improve log message when listing resources being added to the unsafe filter list. ([#406])

[#406]: NLnetLabs/routinator#406
[#407]: NLnetLabs/routinator#407
[#408]: NLnetLabs/routinator#408

Breaking Changes
* Validation now follows the rules suggested by [draft-ietf-sidrops-6486bis]\: Any invalid object mentioned on the manifest will lead to the issuing CA and all its objects being rejected. However, unlike suggested by the draft, Routinator currently will not fall back to cached older versions of the CA's objects that may still be valid. In addition, unknown RPKI object types are currently accepted with a warning logged. This behaviour can be changed via the `unknown-types` policy option. ([#371], [#401])
* Similarly, CRL handling has been tightened significantly. Each CA must now have exactly one CRL which must be the one stated in the manifest's EE certificate. Any violation will lead to the whole CA being rejected with the same consequences as above. ([#397])
* The default for dealing with stale objects has been changed to `reject` in accordance with the same draft. ([#387])
* Parsing of local exception files is now more strict in accordance with [RFC 8416]. Any additional member in the JSON objects will lead to an error. However, error reporting has been greatly improved and now the line and column of an error will be indicated. ([#372])
* The alias `--allow-dubios-hosts` for the correctly spelled option has been removed. ([#384])
* The minimal supported Rust version is now 1.42.0.

New
* All VRPs overlapping with resources from rejected CAs, dubbed 'unsafe VRPs', can be filtered via the new `unsafe-vrps` option. Doing so will avoid situations where routes become RPKI invalid if their VRPs are split over multiple CAs or there are less specific ROAs. By default, unsafe VRPs are only warned about. ([#377], [#400])
* New metrics for the VRPs produced and filtered on the various TALs. ([#377])
* The logging output of the latest validation run is now available via the HTTP service's `/log` endpoint. ([#396])
* TCP keep-alive is now supported and enabled by default on RTR connections as suggested by [RFC 8210]. It can be disabled and its idle time changed from the default 60 seconds via the new `rtr-tcp-keepalive` command line and config file option. ([#390])
* The `pid-file`, `working-dir`, `chroot`, `user`, and `group` config file and server command options now also work without the `--detach` command line option. ([#392])
* The `init` command will now change ownership of the cache directory if the `user` and `group` options are set via config file or command line options. ([#392])
* Irrelevant log messages from libraries are now also filtered when using syslog logging. ([#385])
* Release builds will now abort on panic, i.e., when an unexpected internal condition is detected. This ensures that there won't be a Routinator in a coma. ([#394])
* The feature `rta` enables the new command `rta` for validating Resource Tagged Assertions as described in [draft-michaelson-rpki-rta]. This feature is not enabled by default and needs to be activated by adding the option `--features rta` to the Cargo build command.

Bug Fixes
* Update start and end times will not change between consecutive metrics reports any more. ([#389])
* Local exceptions will now be loaded before starting a validation run both in vrps and server mode instead of discarding the run after it finished when loading fails. In server mode, we now wait 10 seconds after loading local exceptions fails and try again instead of repeatedly starting validation runs and discarding them. ([594186c])
* EE certificates encountered in the repository are now validated as router certificates rather than regular RPKI EE certificates. ([#398])

Other Changes
* Logging has been cleaned up. The meaning of the four log levels is now better defined, see the man page, and all log output has been reassigned accordingly. ([#396])

[#357]: NLnetLabs/routinator#357
[#371]: NLnetLabs/routinator#371
[#372]: NLnetLabs/routinator#372
[#377]: NLnetLabs/routinator#377
[#384]: NLnetLabs/routinator#384
[#385]: NLnetLabs/routinator#385
[#387]: NLnetLabs/routinator#387
[#389]: NLnetLabs/routinator#389
[#390]: NLnetLabs/routinator#390
[#392]: NLnetLabs/routinator#392
[#394]: NLnetLabs/routinator#394
[#396]: NLnetLabs/routinator#396
[#397]: NLnetLabs/routinator#397
[#398]: NLnetLabs/routinator#398
[#400]: NLnetLabs/routinator#400
[#401]: NLnetLabs/routinator#401
[594186c]: NLnetLabs/routinator@594186c
[RFC 8210]: https://tools.ietf.org/html/rfc8210
[RFC 8416]: https://tools.ietf.org/html/rfc8416
[draft-ietf-sidrops-6486bis]: https://datatracker.ietf.org/doc/draft-ietf-sidrops-6486bis/
[draft-michaelson-rpki-rta]: https://datatracker.ietf.org/doc/html/draft-michaelson-rpki-rta
This fixes (a) unsafe filtering not happening on all but the first validation run, and (b) some metrics not being updated.
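
The unsafe filter this pull request concerns, sketched as an added example that is not Routinator's code: a VRP counts as unsafe when its prefix overlaps a resource of a rejected CA, as the changelog quoted above defines it, and the check has to run on the output of every validation run. The types, function names and the two-valued policy enum are hypothetical, the sample data is constructed, and only IPv4 is handled.

```rust
// Added illustration: names and types here are hypothetical, not Routinator's.
use std::net::Ipv4Addr;

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Prefix { addr: u32, len: u8 }

fn mask(len: u8) -> u32 { if len == 0 { 0 } else { u32::MAX << (32 - len) } }

impl Prefix {
    pub fn new(addr: [u8; 4], len: u8) -> Self {
        assert!(len <= 32);
        Prefix { addr: u32::from(Ipv4Addr::from(addr)) & mask(len), len }
    }
    /// Two prefixes overlap exactly when the shorter one covers the longer one.
    pub fn overlaps(self, other: Prefix) -> bool {
        let m = mask(self.len.min(other.len));
        self.addr & m == other.addr & m
    }
}

#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Vrp { pub asn: u32, pub prefix: Prefix, pub max_len: u8 }

#[derive(Clone, Copy, PartialEq)]
pub enum UnsafePolicy { Warn, Reject }

/// Run on the output of every validation run. Returns (VRPs to serve, VRPs flagged unsafe).
pub fn filter_unsafe(vrps: &[Vrp], rejected: &[Prefix], policy: UnsafePolicy) -> (Vec<Vrp>, Vec<Vrp>) {
    let (flagged, safe): (Vec<Vrp>, Vec<Vrp>) = vrps.iter().copied()
        .partition(|v| rejected.iter().any(|r| r.overlaps(v.prefix)));
    match policy {
        UnsafePolicy::Warn => (vrps.to_vec(), flagged), // serve everything, report the flagged set
        UnsafePolicy::Reject => (safe, flagged),        // drop the flagged set from the output
    }
}

fn main() {
    // Constructed sample: a rejected CA held 198.51.100.0/24.
    let rejected = [Prefix::new([198, 51, 100, 0], 24)];
    let vrps = [
        Vrp { asn: 64496, prefix: Prefix::new([198, 51, 0, 0], 16), max_len: 16 }, // less specific: unsafe
        Vrp { asn: 64497, prefix: Prefix::new([203, 0, 113, 0], 24), max_len: 24 }, // unrelated: safe
    ];
    let (served, flagged) = filter_unsafe(&vrps, &rejected, UnsafePolicy::Reject);
    println!("served {:?}\nflagged {:?}", served, flagged);
}
```

Comparing the flagged count across consecutive runs is a cheap operational check: a count that drops to zero after the first run while CAs are still being rejected matches symptom (a) described above.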