Releases: NLnetLabs/routinator

0.15.1 ‘Ain’t No Country Club Either’

07 Oct 12:08
4842daf

Bug fixes

  • Abort the optimistic initial run if there are no stored TA certificates for a TAL instead of succeeding with an empty data set. (#1071)
  • Undo PrivateUsers restriction in systemd unit files to allow users to run Routinator on privileged ports. (#1068)

0.15.0 ‘This Ain’t No Disco’

30 Sep 11:52
be49f07

Breaking changes

  • Removed the rrdp-keep-responses feature. We suggest the use of an HTTP proxy such as mitmproxy instead.

    This once and for all fixes CVE-2023-39916 which returned again in release 0.14.0. (#1055)

  • Messages about issues with repositories and publication points are now logged separately and by default are only visible in the status HTTP server endpoints. The new log-repository-issues option can be used to have these messages also written to the log. (#1054)

  • Changed how server mode deals with broken or missing local exception files. Previously, Routinator would just stop updating until they are fixed, leading to updates being stalled if the operator misses the error messages. Now it will log a warning and keep using the previous set of local exceptions. When starting, it will exit with an error message if there are broken or missing local exception files. (#1060)

  • Changed the RRDP timeouts: introduced a new config variable rrdp-read-timeout that provides a timeout for individual network operations (primarily: read from the server). Its default is 10 seconds. This timeout is also used for connecting if no specific value is given, significantly speeding up validation runs.

    In addition, the RRDP timeout was increased from 300 to 600 seconds to better deal with slow transmission of large snapshots of some repositories. (#1061)

New

  • Added a quick initial run after starting the server which only uses stored data and aborts if any required data hasn’t been requested before to deal with configuration changes. This will shorten the wait time for an initial data set when restarting Routinator. (#1057)

  • Added support for SLURM v2 as output format which includes ASPA payload. (#1021)

  • Changed refresh behaviour to better cope with short-lived objects. By default, Routinator will now wait for the time defined by refresh even if objects expire earlier. The new min-refresh option can be used to specify a short minimum refresh time if objects expire before the refresh time. If this value is set to 0, the old behaviour is restored. (#1027)

  • The order in which manifest entries are processed is now randomized. (#1041)

  • Reduced the overhead of storing RRDP snapshot downloads, significantly improving the snapshot update times. (#1035)

  • The dump command now prints the source directories of the data it dumps. (#1045)

  • Added a --update-after option to the vrps subcommand that skips updating the local cache if the last successful validation run was known to be less than a given number of minutes ago. (#1049)

  • Error responses for API-related HTTP endpoints now contain JSON bodies. (#1050)

  • The /validity HTTP server endpoint now accepts POST requests with a JSON body containing multiple routes to be checked all at once. (#1053)

  • Better protect against corrupted stored publication points by double-checking cached manifest properties against the actual manifest and discarding the stored publication point if they mismatch.

    This fixes an issue where an accidentally or maliciously manipulated locally stored manifest could block update of a legitimate new manifest which was reported by Zizhi Shang, Zhechao Lin, Jiahao Cao, Yangyang Wang, Mingwei Xu of the Institute for Network Sciences and Cyberspace (INSC), Tsinghua University.

Bug fixes

  • Fixed a crash if certain invalid characters appear in a manifest file name by limiting the name to the rules defined in RFC 9286. This issue was reported by Niklas Vogel of Goethe University Frankfurt and ATHENE. (rpki-rs#342)
  • Re-implemented RRDP client metrics based on the much simpler model used by RTRTR to fix recurring errors in the metrics. (#1039)
  • Changed the message logged when an RRDP update times out to actually say that. (#1052)

Other changes

  • Improved performance of file system operations on validate subcommand. (#1043 by @kawaemon)
  • Add package.homepage to Cargo.toml (#1024)
  • Added building packages for RHEL 10 and Debian 13. (#1034, #1047)
  • Added building packages for ARMv6 and ARM64 for Debian Bookworm. (#1036)
  • Added additional restrictions to the systemd unit files used in the various binary packages. (#1056)
  • Upgrades various dependencies. (#1004, #1005, #1006)

0.15.0-rc1

18 Sep 12:36
abd4c30

Pre-release

Breaking changes

  • Removed the rrdp-keep-responses feature. We suggest the use of an HTTP proxy such as mitmproxy instead. (#1055)

  • Messages about issues with repositories and publication points are now logged separately and by default are only visible in the status HTTP server endpoints. The new log-repository-issues option can be used to have these messages also written to the log. (#1054)

  • Changed how server mode deals with broken or missing local exception files. Previously, Routinator would just stop updating until they are fixed, leading to updates being stalled if the operator misses the error messages. Now it will log a warning and keep using the previous set of local exceptions. When starting, it will exit with an error message if there are broken or missing local exception files. (#1060)

  • Changed the RRDP timeouts: introduced a new config variable rrdp-read-timeout that provides a timeout for individual network operations (primarily: read from the server). Its default is 10 seconds. This timeout is also used for connecting if no specific value is given, significantly speeding up validation runs.

    In addition, the RRDP timeout was increased from 300 to 600 seconds to better deal with slow transmission of large snapshots of some repositories. (#1061)

New

  • Added a quick initial run after starting the server which only uses stored data and aborts if any required data hasn’t been requested before to deal with configuration changes. This will shorten the wait time for an initial data set when restarting Routinator. (#1057)

  • Added support for SLURM v2 as output format which includes ASPA payload. (#1021)

  • Changed refresh behaviour to better cope with short-lived objects. By default, Routinator will now wait for the time defined by refresh even if objects expire earlier. The new min-refresh option can be used to specify a short minimum refresh time if objects expire before the refresh time. If this value is set to 0, the old behaviour is restored. (#1027)

  • The order in which manifest entries are processed is now randomized. (#1041)

  • Reduced the overhead of storing RRDP snapshot downloads, significantly improving the snapshot update times. (#1035)

  • The dump command now prints the source directories of the data it dumps. (#1045)

  • Added a --update-after option to the vrps subcommand that skips updating the local cache if the last successful validation run was known to be less than a given number of minutes ago. (#1049)

  • Error responses for API-related HTTP endpoints now contain JSON bodies. (#1050)

  • The /validity HTTP server endpoint now accepts POST requests with a JSON body containing multiple routes to be checked all at once. (#1053)

  • Better protect against corrupted stored publication points by double-checking cached manifest properties against the actual manifest and discarding the stored publication point if they mismatch.

    This fixes an issue where an accidentally or maliciously manipulated locally stored manifest could block update of a legitimate new manifest which was reported by Zizhi Shang, Zhechao Lin, Jiahao Cao, Yangyang Wang, Mingwei Xu of the Institute for Network Sciences and Cyberspace (INSC), Tsinghua University.

Bug fixes

  • Fixed a crash if certain invalid characters appear in a manifest file name by limiting the name to the rules defined in RFC 9286. This issue was reported by Niklas Vogel of Goethe University Frankfurt and ATHENE. (rpki-rs#342)
  • Re-implemented RRDP client metrics based on the much simpler model used by RTRTR to fix recurring errors in the metrics. (#1039)
  • Changed the message logged when an RRDP update times out to actually say that. (#1052)

Other changes

  • Improved performance of file system operations on validate subcommand. (#1043 by @kawaemon)
  • Add package.homepage to Cargo.toml (#1024)
  • Added building packages for RHEL 10 and Debian 13. (#1034, #1047)
  • Added building packages for ARMv6 and ARM64 for Debian Bookworm. (#1036)
  • Added additional restrictions to the systemd unit files used in the various binary packages. (#1056)
  • Upgrades various dependencies. (#1004, #1005, #1006)

0.14.2 ‘Roll Initiative!’

04 Mar 15:59
7081f45

This release fixes an issue in the bundled UI that caused it to retrieve data from our own test instance rather than the actual Routinator instance. Users of the bundled UI should upgrade.

Other changes

  • Upgrades the bundled Routinator UI to release 0.4.5. (#1014)

0.14.2-rc1

04 Mar 15:03
3b9cd7a

Pre-release

Other changes

  • Upgrades the bundled Routinator UI to release 0.4.5. (#1014)

0.14.1 ‘Black Cats and Voodoo Dolls’

22 Jan 15:44

This release fixes a crash when the file names listed in a manifest contain illegal characters. We recommend all users to upgrade to this version.

New

  • ASPA support is now always compiled in and available if enable-aspa is set. The aspa Cargo feature has been removed. (#990)
  • If merging multiple ASPA objects for a single customer ASN results in more than 16,380 provider ASNs, the ASPA is dropped. (Note that ASPA objects with more than 16,380 provider ASNs are already rejected during parsing.) (#996)
  • New archive-stats command that shows some statistics of an RRDP archive. (#982)
  • Re-enabled the use of GZIP compression in HTTP requests sent by the RRDP collector. Measures to deal with exploding data have been implemented in rpki-rs#319. (#997)

Bug fixes

  • Fixed an issue with checking the file names in manifests that led to a crash when non-ASCII characters are used. (rpki-rs#320, reported by Haya Schulmann and Niklas Vogel of Goethe University Frankfurt/ATHENE Center and assigned CVE-2025-0638)
  • The validation HTTP endpoints now accept prefixes with non-zero host bits. (#987)
  • Removed duplicate rtr_client_reset_queries in HTTP metrics. (#992 by @sleinen)
  • Improved disk space consumption of the new RRDP archives by re-using empty space when updating an object and padding all objects to a multiple of 256 bytes. (#982)
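
The manifest file name fix above, and the follow-up fix in 0.15.0 that limits names to the RFC 9286 rules, both come down to strict validation of untrusted names. The Rust sketch below is an added example, not Routinator or rpki-rs code; it checks a fileList name at the byte level so that non-ASCII input is rejected before any string handling. The function and type names are hypothetical, and the extension is checked for shape only, not against the IANA registry.

```rust
/// Why a manifest fileList name was rejected.
#[derive(Debug, PartialEq)]
enum NameError { Empty, NoExtension, BadExtension, BadCharacter(u8) }

/// Checks a raw fileList name against the RFC 9286 syntax: one or more
/// characters from a-zA-Z0-9-_, a single '.', then a three-letter extension.
/// Works on bytes, so non-ASCII or non-UTF-8 input is rejected instead of
/// being decoded or sliced.
fn check_manifest_file_name(raw: &[u8]) -> Result<&str, NameError> {
    if raw.is_empty() {
        return Err(NameError::Empty);
    }
    // The separator must be the fourth byte from the end, after a non-empty stem.
    if raw.len() < 5 || raw[raw.len() - 4] != b'.' {
        return Err(NameError::NoExtension);
    }
    let (stem, ext) = (&raw[..raw.len() - 4], &raw[raw.len() - 3..]);
    // Any further '.' in the stem is caught here as well.
    if let Some(&b) = stem
        .iter()
        .find(|b| !(b.is_ascii_alphanumeric() || **b == b'-' || **b == b'_'))
    {
        return Err(NameError::BadCharacter(b));
    }
    if !ext.iter().all(|b| b.is_ascii_alphabetic()) {
        return Err(NameError::BadExtension);
    }
    // Every byte is ASCII at this point, so the conversion cannot fail.
    Ok(std::str::from_utf8(raw).expect("ASCII is valid UTF-8"))
}

fn main() {
    // Constructed sample names, not taken from a real manifest.
    let samples: [&[u8]; 4] =
        [b"A1b2_c-3.roa", "caf\u{e9}.roa".as_bytes(), b"a.b.mft", b"noext"];
    for raw in samples {
        println!("{:?} -> {:?}", String::from_utf8_lossy(raw), check_manifest_file_name(raw));
    }
}
```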

Other changes

  • The minimum supported Rust version is now 1.74. (#999)
  • Added packaging support for Ubuntu 24.04 and removed support for Debian Stretch 9, Ubuntu Xenial 16.04, Ubuntu Bionic 18.04, and CentOS 7. (#980, #994)
  • Upgraded the bundled routinator-ui to release ui-0.4.3.

0.14.0 ‘You Must Gather Your Party Before Venturing Forth’

20 Jun 10:31
396a96b

Breaking changes

  • Keep the content of an RRDP repository in a single file rather than as individual files under a directory. (#886)
  • Switched to the all-new version 0.4 of the Routinator UI. This also changes the way we import the UI into Routinator by simply including the built assets which means downloads are not necessary during the build process any more. (#952)
  • Changed the summary output format to have all lines end in a semicolon. (#907)
  • Changed the options used for rsync. The options -rtO --delete are now always used. The options set in the rsync-args are added or, if that is not used, -z and --no-motd, as well as --contimeout=10 if it is supported by the rsync command, and --max-size if the max-object-size option has not been set to 0. (#962)

New

  • The chain_validity value in the jsonext format now considers the validity of the manifest’s EE certificates. A new stale value shows the time when any of the publication points along the way will become stale. (#945)
  • If a collected manifest has a lower manifest number or an older thisUpdate field than a stored manifest for the same CA, the collected manifest is ignored and the stored publication point is used instead. This implements a requirement added in RFC 9286. (#946, #954)
  • The number of delta entries in an RRDP notification file is now limited to 500 by default. If there are more entries, the deltas are ignored and the snapshot is used. The limit can be changed through the new rrdp-max-delta-list-len configuration value. (#961)
  • The RRDP collector now falls back to a snapshot update if the hash of a delta listed in the notification file has changed from the previous update. This implements draft-ietf-sidrops-rrdp-desynchronization-00. (#951)
  • The RRDP collector now enforces that all URIs referred to or redirected to by an RRDP server have the same origin as the rpkiNotify URI in the CA certificate. (#953)
  • The config file used is now printed for some commands. This should help with avoiding confusion when running Routinator as different users. (#959)

Bug fixes

  • Fixed an issue where the refresh time was calculated as zero under certain conditions until the dataset was updated. (#940)
  • Add the current RRDP serial number to the RRDP server metrics when a Not Modified response is received so that Prometheus shows a constant value.

0.14.0-rc3

17 Jun 15:13
8222165

Pre-release

Bug fixes

  • Updated the bundled Routinator UI to version 0.4.1. This fixes internal linking some more. (#967)

0.14.0-rc2

13 Jun 10:10
2cff7a5

Pre-release

Bug fixes

  • Updated the bundled Routinator UI to version 0.4.1. This fixes internal linking. (#965)

0.14.0-rc1

10 Jun 15:34
e7d18d8

Pre-release

Breaking changes

  • Keep the content of an RRDP repository in a single file rather than as individual files under a directory. (#886)
  • Switched to the all-new version 0.4 of the Routinator UI. This also changes the way we import the UI into Routinator by simply including the built assets which means downloads are not necessary during the build process any more. (#952)
  • Changed the summary output format to have all lines end in a semicolon. (#907)
  • Changed the options used for rsync. The options -rtO --delete are now always used. The options set in the rsync-args are added or, if that is not used, -z and --no-motd, as well as --contimeout=10 if it is supported by the rsync command, and --max-size if the max-object-size option has not been set to 0. (#962)

New

  • The chain_validity value in the jsonext format now considers the validity of the manifest’s EE certificates. A new stale value shows the time when any of the publication points along the way will become stale. (#945)
  • If a collected manifest has a lower manifest number or an older thisUpdate field than a stored manifest for the same CA, the collected manifest is ignored and the stored publication point is used instead. This implements a requirement added in RFC 9286. (#946, #954)
  • The number of delta entries in an RRDP notification file is now limited to 500 by default. If there are more entries, the deltas are ignored and the snapshot is used. The limit can be changed through the new rrdp-max-delta-list-len configuration value. (#961)
  • The RRDP collector now falls back to a snapshot update if the hash of a delta listed in the notification file has changed from the previous update. This implements draft-ietf-sidrops-rrdp-desynchronization-00. (#951)
  • The RRDP collector now enforces that all URIs referred to or redirected to by an RRDP server have the same origin as the rpkiNotify URI in the CA certificate. (#953)
  • The config file used is now printed for some commands. This should help with avoiding confusion when running Routinator as different users. (#959)
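
The two RRDP items above (the delta list limit and the snapshot fallback on a changed delta hash, listed for both 0.14.0 and 0.14.0-rc1) describe one decision: use deltas or fall back to the snapshot. The Rust sketch below is an added example, not Routinator code, and its names are hypothetical. It goes one step beyond the notes by also requiring an unbroken delta chain from the local serial, as RRDP clients generally do.

```rust
use std::collections::HashMap;

/// Default of rrdp-max-delta-list-len as stated in the release notes.
const MAX_DELTA_LIST_LEN: usize = 500;

#[derive(Debug, PartialEq)]
enum Plan {
    /// Apply these delta serials in order (empty: already current).
    Deltas(Vec<u64>),
    /// Ignore the deltas and fetch the full snapshot, with the reason.
    Snapshot(&'static str),
}

/// `seen`: delta serial -> hash remembered from the previous notification file.
/// `listed`: (serial, hash) pairs from the freshly fetched notification file.
fn plan_update(local: u64, seen: &HashMap<u64, String>, listed: &[(u64, String)]) -> Plan {
    if listed.len() > MAX_DELTA_LIST_LEN {
        return Plan::Snapshot("delta list exceeds limit");
    }
    // A published delta should never change; a different hash for a known
    // serial means client and server no longer share the same history.
    for (serial, hash) in listed {
        if seen.get(serial).map_or(false, |old| old != hash) {
            return Plan::Snapshot("delta hash changed");
        }
    }
    let mut todo: Vec<u64> =
        listed.iter().map(|(s, _)| *s).filter(|s| *s > local).collect();
    todo.sort_unstable();
    // Generalization beyond the notes: the deltas must run from local + 1
    // without a gap, otherwise they cannot be applied.
    if todo.iter().enumerate().any(|(i, s)| *s != local + 1 + i as u64) {
        return Plan::Snapshot("gap in delta chain");
    }
    Plan::Deltas(todo)
}

fn main() {
    // Constructed sample state; the hashes are shortened placeholders.
    let seen: HashMap<u64, String> =
        HashMap::from([(41, "aa".to_string()), (42, "bb".to_string())]);
    let ok: Vec<(u64, String)> = vec![(42, "bb".to_string()), (43, "cc".to_string())];
    let rewritten: Vec<(u64, String)> = vec![(42, "XX".to_string()), (43, "cc".to_string())];
    println!("{:?}", plan_update(42, &seen, &ok));
    println!("{:?}", plan_update(42, &seen, &rewritten));
}
```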

Bug fixes

  • Fixed an issue where the refresh time was calculated as zero under certain conditions until the dataset was updated. (#940)
  • Add the current RRDP serial number to the RRDP server metrics when a Not Modified response is received so that Prometheus shows a constant value.