0.8.1 ‘Pure as New York Snow’

Bug Fixes

• VRPs filtered via local exceptions are dropped again. In 0.8.0, they were only added to the metrics but not actually dropped. (#424, discovered by @cwiech)
• The prefix validation option incorrectly matched VRPs for host prefixes to prefixes with an identical bit pattern of any length. (Found by [@vamseedhar-reddyvari] and fixed in #415 by @morrowc and @aaronw112358)
• The config file option for the policy on dealing with objects on unknown types is now correctly spelled unknown-objects (with a dash rather than an underscore). The old spelling will be also be accepted in 0.8 releases. (Found and fixed by @johannesmoos, #413, #416.)
• The config file option rtr-tcp-keepalive now accepts an integer value as it should have from the beginning (and the config command even created). For the time being, both integers and strings will be accepted. String values will be rejected starting with 0.9.0. ([#427], discovered by @johannesmoos)

New

• The log output of the HTTP /log endpoint now states the start date of the validation run it represents. (#426)

0.8.1-rc1

Bug Fixes

• VRPs filtered via local exceptions are dropped again. In 0.8.0, they were only added to the metrics but not actually dropped. (#424,
  discovered by @cwiech)
• The prefix validation option incorrectly matched VRPs for host prefixes to prefixes with an identical bit pattern of any length. (Found by [@vamseedhar-reddyvari] and fixed in #415 by @morrowc and @aaronw112358)
• The config file option for the policy on dealing with objects on unknown types is now correctly spelled unknown-objects (with a dash rather than an underscore). The old spelling will be also be accepted in 0.8 releases. (Found and fixed by @johannesmoos, #413, #416.)
• The config file option rtr-tcp-keepalive now accepts an integer value as it should have from the beginning (and the config command even created). For the time being, both integers and strings will be accepted. String values will be rejected starting with 0.9.0. ([#427], discovered by @johannesmoos)

New

• The log output of the HTTP /log endpoint now states the start date of the validation run it represents. (#426)

0.8.0 ‘Strikes and Gutters, Ups and Downs’

Breaking Changes

• Validation now follows the rules suggested by draft-ietf-sidrops-6486bis: Any invalid object mentioned on the manifest will lead to the issuing CA and all its objects being rejected. However, unlike suggested by the draft, Routinator currently will not fall back to cached older versions of the CA’s objects that may still be valid. In addition, unknown RPKI object types are currently accepted with a warning logged. This behaviour can be changed via the unknown-types policy option. (#371, #401)
• Similarly, CRL handling has been tightened significantly. Each CA must now have exactly one CRL which must be the one stated in the manifest’s EE certificate. Any violation will lead to the whole CA being rejected with the same consequences as above. (#397)
• The default for dealing with stale objects has been changed to reject in accordance with the same draft. (#387)
• Parsing of local exception files is now more strict in accordance with RFC 8416. Any additional member in the JSON objects will lead to an error. However, error reporting has been greatly improved and now the line and column of an error will be indicated. (#372)
• The alias --allow-dubios-hosts for the correctly spelled option has been removed. (#384)
• The minimal supported Rust version is now 1.42.0.

New

• All VRPs overlapping with resources from rejected CAs – dubbed ‘unsafe VRPs’ can filtered via the new unsafe-vrps option. Doing so will avoid situations were routes become RPKI invalid if their VRPs are split over multiple CAs or there are less specific ROAs. By default, unsafe VRPs are only warned about. (#377, #400)
• New metrics for the VRPs produced and filtered on the various TALs. (#377)
• The logging output of the latest validation run is now available via the HTTP service’s /log endpoint. (#396)
• TCP keep-alive is now supported and enabled by default on RTR connections as suggested by RFC 8210. It can be disabled and its idle time changed from the default 60 seconds via the new rtr-tcp-keepalive command line and config file option. (#390)
• The pid-file, working-dir, chroot, user, and group config file and server command options now also work without the --detach command line option. (#392)
• The init command will now change ownership of the cache directory if the user and group options are set via config file or command line options. (#392)
• Irrelevant log messages from libraries are now also filtered when using syslog logging. (#385)
• Release builds will now abort on panic, i.e., when an unexpected internal condition is detected. This ensures that there won’t be a
  Routinator in a coma. (#394)
• The feature rta enables the new command rta for validating Resource Tagged Assertions as described in draft-michaelson-rpki-rta. This feature is not enabled by default and needs to be activated by adding the option --features rta to the Cargo build command.

Bug Fixes

• Update start and end times will not change between consecutive metrics reports any more. (#389)
• Local exceptions will now be loaded before starting a validation run both in vrps and server mode instead of discarding the run after it finished when loading fails. In server mode, we now wait 10 seconds after loading local exceptions fails and try again instead of repeatedly starting validation runs and discarding them. (594186c)
• EE certificates encountered in the repository are now validated as router certificates rather than regular RPKI EE certificates. (#398)

Other Changes

• Logging has been cleaned up. The meaning of the four log levels is now better defined – see the man page – and all log output has been reassigned accordingly. (#396)

0.8.0-rc2

Bug Fixes

• Apply unsafe filter (if requested) also on subsequent validation runs in server mode. (#407)
• Update all metrics on all validation runs. (#407)
• Show the status code instead of -1 in RRDP status metrics. (#408)

Other Changes

• Improve log message when listing resources being added to the unsafe
  filter list. (#406)

0.8.0-rc1

Breaking Changes

• Validation now follows the rules suggested by draft-ietf-sidrops-6486bis: Any invalid object mentioned on the manifest will lead to the issuing CA and all its objects being rejected. However, unlike suggested by the draft, Routinator currently will not fall back to cached older versions of the CA’s objects that may still be valid. In addition, unknown RPKI object types are currently accepted with a warning logged. This behaviour can be changed via the unknown-types policy option. (#371, #401)
• Similarly, CRL handling has been tightened significantly. Each CA must now have exactly one CRL which must be the one stated in the manifest’s EE certificate. Any violation will lead to the whole CA being rejected with the same consequences as above. (#397)
• The default for dealing with stale objects has been changed to reject in accordance with the same draft. (#387)
• Parsing of local exception files is now more strict in accordance with RFC 8416. Any additional member in the JSON objects will lead to an error. However, error reporting has been greatly improved and now the line and column of an error will be indicated. (#372)
• The alias --allow-dubios-hosts for the correctly spelled option has been removed. (#384)
• The minimal supported Rust version is now 1.42.0.

New

• All VRPs overlapping with resources from rejected CAs – dubbed ‘unsafe VRPs’ can filtered via the new unsafe-vrps option. Doing so will avoid situations were routes become RPKI invalid if their VRPs are split over multiple CAs or there are less specific ROAs. By default, unsafe VRPs are only warned about. (#377, #400)
• New metrics for the VRPs produced and filtered on the various TALs. (#377)
• The logging output of the latest validation run is now available via the HTTP service’s /log endpoint. (#396)
• TCP keep-alive is now supported and enabled by default on RTR connections as suggested by RFC 8210. It can be disabled and its idle time changed from the default 60 seconds via the new rtr-tcp-keepalive command line and config file option. (#390)
• The pid-file, working-dir, chroot, user, and group config file and server command options now also work without the --detach command line option. (#392)
• The init command will now change ownership of the cache directory if the user and group options are set via config file or command line options. (#392)
• Irrelevant log messages from libraries are now also filtered when using syslog logging. (#385)
• Release builds will now abort on panic, i.e., when an unexpected internal condition is detected. This ensures that there won’t be a
  Routinator in a coma. (#394)
• The feature rta enables the new command rta for validating Resource Tagged Assertions as described in draft-michaelson-rpki-rta. This feature is not enabled by default and needs to be activated by adding the option --features rta to the Cargo build command.

Bug Fixes

• Update start and end times will not change between consecutive metrics reports any more. (#389)
• Local exceptions will now be loaded before starting a validation run both in vrps and server mode instead of discarding the run after it finished when loading fails. In server mode, we now wait 10 seconds after loading local exceptions fails and try again instead of repeatedly starting validation runs and discarding them. (594186c)
• EE certificates encountered in the repository are now validated as router certificates rather than regular RPKI EE certificates. (#398)

Other Changes

• Logging has been cleaned up. The meaning of the four log levels is now better defined – see the man page – and all log output has been reassigned accordingly. (#396)

0.7.1 ‘Moonlight and Love Songs’

New

• The HTTP /status command now contains a version field showing the Routinator version running. (#342)

Bug Fixes

• Prefer HTTPS URIs in TALs if RRDP is enabled. The order of URIs with the same scheme is maintained. (#343)
• Fix a typo in the --allow-dubious-hosts option which was actually expected to be spelled as --allow-dubios-hosts. This dubious spelling is kept as an alias until the next breaking release. (#339)

Dependencies

• Remove the pin on Tokio and set the minimum version to 0.2.21. (#340)

Other Changes

• Update the AFRINIC, APNIC, ARIN, and RIPE NCC TALs to include HTTPS URIs for
  their trust anchor certificates. (#331, #344, #345)

0.7.1-rc2

Other Changes

• Update the ARIN TAL to include the HTTPS URIs of their trust anchor certificate. (#347)

0.7.1-rc1

New

• The HTTP /status command now contains a version field showing the Routinator version running. (#342)

Bug Fixes

• Prefer HTTPS URIs in TALs if RRDP is enabled. The order of URIs with the same scheme is maintained. (#343)
• Fix a typo in the --allow-dubious-hosts option which was actually expected to be spelled as --allow-dubios-hosts. This dubious spelling is kept as an alias until the next breaking release. (#339)

Dependencies

• Remove the pin on Tokio and set the minimum version to 0.2.21. (#340)

Other Changes

• Update the AFRINIC, APNIC and RIPE NCC TALs to include HTTPS URIs for their trust anchor certificates. (#331, #344, #345)

0.7.0 ‘Your Time Starts … Now’

Breaking Changes

• Routinator now filters out rsync URIs and RRDP URIs that contain dubious host names that should not be present in the public RPKI. In this version they are ‘localhost,’ any IP address, and any URI with the port explicitly specified. This filter can be disabled via the --allow-dubious-hosts command line and config option for test deployments. (#293)
• Only CRLs mentioned on the manifest are now considered when checking any published objects except for the manifest itself. If the hash of the CRL on the manifest does not match the CRL, it is rejected. Objects referencing a CRL that is not on a manifest or has a hash mismatch are rejected. [(#299)]
• The minimal supported Rust version is now 1.39.0.

New

• The new option --stale allows selecting a policy for dealing with stale objects – i.e., manifests and CRLs that are past their next-update date. The policies are reject, warn, and accept. The previous hard-coded policy of warn, i.e., accept but log a warning, is the default. (#288)
• New output formats bird and bird2 which produce a roa table for Bird 1 and a route table for Bird 2, respectively. (#290, by @netravnen)
• New output format csvcompat which produces CSV output as similar to that of the RIPE NCC Validator as possible. (#292)
• The new config file option tal-labels allows defining explicit names to be used when TALs are referenced in output. This way, the output can be made to be even more similar to that produced by the RIPE NCC Validator. (#291)
• The csvext output format is now also available via the HTTP server at the /csvext path. (#294)
• New metrics for the status of the RTR and HTTP servers. (#298)
• New metric of the number of stale objects encountered in the last validation run. (#298)

Other Changes

• Update to Rust’s new asynchronous IO framework for the RTR and HTTP servers. Repository synchronization and validation remain synchronous atop a thread pool. (#282)
• Changed concurrency strategy for repository update and validation. Previously, each trust anchor was updated and validated synchronously. Now processing of a CA is deferred if its repository publication point hasn’t been updated yet. Processing is then picked up by the next available worker thread. This should guarantee that all worker threads are busy all the time. ([#284)]
• Optimized what information to keep for each ROA, bringing maximum memory consumption down to about a quarter. (#293)
• The Docker image now wraps Routinator into tini for properly dealing with signals and child processes. (#277)

0.7.0-rc3

Dependencies

• Pinned Tokio to 0.2.13. There have been reports of issues with automatic cooperative task yielding introduced in 0.2.14, so we will stick with 0.2.13 for this release. (#321)