Releases: NLnetLabs/krill
Down Under
This release fixes an interoperability issue with the APNIC CA system which did not occur in the public test environment. See issue #933. Because of this issue, APNIC could not be added as a parent to Krill 0.10.0/1/2. CAs with an existing relationship with APNIC would log errors, but the certificate issued to them by APNIC was not affected by this.
The Krill 0.10.x series introduces the following major features:
- BGPSec Router Certificate Signing
- Support the use of Hardware Security Modules (HSMs) for key operations
The documentation has more information:
Subject | Section |
---|---|
API changes | https://krill.docs.nlnetlabs.nl/en/stable/upgrade.html#v0-10-0 |
BGPSec | https://krill.docs.nlnetlabs.nl/en/stable/cli.html#krillc-bgpsec |
HSM support | https://krill.docs.nlnetlabs.nl/en/stable/hsm.html |
Besides these major features we added a number of small improvements and bug fixes:
- CRL revocation dates in the future #788
- Prevent that two krill instances modify the same data #829
- Let user force RRDP session reset on restore #828
- Various code improvements aimed at maintainability
- Using a jitter of 0 results in a panic #859
- Security fixes in KMIP dependencies #860 (HSM support)
- Add SSLKEYLOGFILE support #615
- Allow explicit disabling of HTTPS #913
The full list of changes can be found here:
https://github.com/NLnetLabs/krill/projects/19
All Types
This bug-fix release fixes two issues found in Release 0.10.1:
- Include empty resource type attributes in Resource Class List Responses #925
- Do not skip migration of Krill 0.9.0 Publication Server #928
And the following issue resolved in 0.10.1:
- Accept Krill <0.10.0 XML files used in the set up of a CA #922
Other than that this release introduces no changes compared to Krill 0.10.0 'Hush'. For convenience we will repeat the release notes here. The Krill 0.10.x series introduces the following major features:
- BGPSec Router Certificate Signing
- Support the use of Hardware Security Modules (HSMs) for key operations
The documentation has more information:
Subject | Section |
---|---|
API changes | https://krill.docs.nlnetlabs.nl/en/stable/upgrade.html#v0-10-0 |
BGPSec | https://krill.docs.nlnetlabs.nl/en/stable/cli.html#krillc-bgpsec |
HSM support | https://krill.docs.nlnetlabs.nl/en/stable/hsm.html |
Besides these major features we added a number of small improvements and bug fixes:
- CRL revocation dates in the future #788
- Prevent that two krill instances modify the same data #829
- Let user force RRDP session reset on restore #828
- Various code improvements aimed at maintainability
- Using a jitter of 0 results in a panic #859
- Security fixes in KMIP dependencies #860 (HSM support)
- Add SSLKEYLOGFILE support #615
- Allow explicit disabling of HTTPS #913
The full list of changes can be found here:
https://github.com/NLnetLabs/krill/projects/19
Slash
This bug-fix release ensures that XML files used in the set up of a CA which were generated by pre-0.10.0 Krill versions can be used. See issue #922.
Other than that this release introduces no changes compared to Krill 0.10.0 'Hush'. For convenience we will repeat the release notes here. The Krill 0.10.x series introduces the following major features:
- BGPSec Router Certificate Signing
- Support the use of Hardware Security Modules (HSMs) for key operations
The documentation has more information:
Subject | Section |
---|---|
API changes | https://krill.docs.nlnetlabs.nl/en/stable/upgrade.html#v0-10-0 |
BGPSec | https://krill.docs.nlnetlabs.nl/en/stable/cli.html#krillc-bgpsec |
HSM support | https://krill.docs.nlnetlabs.nl/en/stable/hsm.html |
Besides these major features we added a number of small improvements and bug fixes:
- CRL revocation dates in the future #788
- Prevent that two krill instances modify the same data #829
- Let user force RRDP session reset on restore #828
- Various code improvements aimed at maintainability
- Using a jitter of 0 results in a panic #859
- Security fixes in KMIP dependencies #860 (HSM support)
- Add SSLKEYLOGFILE support #615
- Allow explicit disabling of HTTPS #913
The full list of changes can be found here:
https://github.com/NLnetLabs/krill/projects/19
Hush
In this release we introduce the following major features:
- BGPSec Router Certificate Signing
- Support the use of Hardware Security Modules (HSMs) for key operations
The documentation has more information:
Subject | Section |
---|---|
API changes | https://krill.docs.nlnetlabs.nl/en/stable/upgrade.html#v0-10-0 |
BGPSec | https://krill.docs.nlnetlabs.nl/en/stable/cli.html#krillc-bgpsec |
HSM support | https://krill.docs.nlnetlabs.nl/en/stable/hsm.html |
Besides these major features we added a number of small improvements and bug fixes:
- CRL revocation dates in the future #788
- Prevent that two krill instances modify the same data #829
- Let user force RRDP session reset on restore #828
- Various code improvements aimed at maintainability
- Using a jitter of 0 results in a panic #859
- Security fixes in KMIP dependencies #860 (HSM support)
- Add SSLKEYLOGFILE support #615
- Allow explicit disabling of HTTPS #913
The full list of changes can be found here:
https://github.com/NLnetLabs/krill/projects/19
Newer ROAs Please
This release fixes an issue (#833) introduced in 0.9.5 where the background job to automatically renew ROAs was not added to Krill's task queue on startup. Thanks to @ydahhrk for finding this issue!
All users who upgraded to 0.9.5 are advised to upgrade to this version as soon as possible. Not doing so can lead to ROAs expiring and becoming invalid. If you did not upgrade to 0.9.5 you are not affected by this issue.
This release contains no other changes.
Have You considered these Upgrades?
This release is primarily intended to improve support for migrations of pre-0.9.0 installations. The upgrade code has been separated more cleanly into a step where the new 0.9.0 data structures are prepared in a new directory first, and a second step where this new data is made active and the old data is archived. Earlier versions of krill were performing data migrations in-place.
If you simply upgrade krill and restart it, then it will automatically execute both steps. If the preparation step should fail, then the original data remains unchanged. You can then downgrade back to your previous krill version. This is in itself an improvement over 0.9.4 and earlier, because for those versions you would have to make a back-up of your data first, and restore it in order to revert your upgrade.
Furthermore, we have now added a new command line tool called 'krillup', which can be installed and upgraded separately from krill itself. This new tool can be used to execute the krill migration preparation step only. This means that you can install this tool on your server and do all the preparations, and only then upgrade krill.
This has the following advantages:
- The downtime for data migrations is reduced for servers with lots of data
- If the preparation fails, there is no need to revert a krill update
In addition to this we have also made some changes to the CA parent refresh logic. Krill CAs were checking their entitlements with their parents every 10 minutes, and this caused too much load on parent CAs with many children. There should be no need to check this often. CAs will now check every 24 to 36 hours, using a random spread. This will decrease the load on parent CAs significantly.
Note that you can always force a 'parent refresh' sooner through the UI or command line (krillc bulk refresh). You may want to use this if your parent informs you through other channels that your resources have changed - e.g. you were allocated a new prefix.
Also, because the next synchronisation time is now difficult to predict in the code that reports the parent status, it is no longer shown in the UI/API. We may add this back in a future release. See issue #807.
You can read more about this upgrade process here.
In addition to this we added a few other quick fixes in this release:
- Make RRDP session reset manual option #793
- Improve http connection error reporting #776
- Fix deserialization bug for CAs with children #774
- Connect to local parent directly #791
- Do not sign/validate RFC6492 messages to/from local parent #797
- Use per CA locking for CA statuses #795
- Decrease CA update frequency and use jitter to spread load #802
- Accept missing tag in RFC8181 #809
- Improve efficiency of connection status tracking #811
- Do not resync CAs with repo on startup if there are too many #818
The full list of changes can be found here.
One shall be the number thou shalt count from
This release fixes the following issues:
The first addresses a non-critical bug found when running Krill as a Publication Server present in all Krill versions before this release.
The second addresses an issue seen in Krill 0.7.3 running with 100s of CAs in a single Krill instance - such timeouts have not been seen in Krill 0.9.x - but it does not hurt to give operators control over this configuration.
If you are using Krill for RPKI CA functions only, and you have already upgraded to version 0.9.3, then there is no immediate need to upgrade to this version. If you are running a version from before 0.9.3, then you are still advised to upgrade to this version for the reasons listed under version 0.9.3.
Thundering Herd
This release includes the following features and fixes:
- Prevent a thundering herd of hosted CAs publishing at the same time (#692)
- Re-issue ROAs to ensure that short EE subject names are used (#700)
- Handle rate limits when updating parents (#680)
- Support experimental ASPA objects through CLI (#685)
Note that ASPA objects are not intended for use in production environments just yet. We have added experimental support for this to support the development of the ASPA standards in the IETF. In order to use this from the CLI you will need to build krill using cargo --features aspa. More information on how to use Krill to manage ASPA objects can be found here.
The full list of changes can be found here.
Motive and Opportunity
This release includes two features aimed at users who run a Krill CA to maintain ROAs:
- Warn about ROA configurations for resources no longer held #602
- Re-enable migration of CA content to a new Publication Server #480
In addition to this we have added a lot of smaller improvements:
- Synchronize the manifest EE lifetime and next update time #589
- Improve error reporting on I/O errors #587
- Add rsync URI to testbed TAL #624
- Improve status reporting and monitoring #651, #650, #648
The following features were added to support users who operate Krill as a parent CA, or Publication Server:
- Optionally suspend inactive child CAs using krill 0.9.2 and up #670
- Perform RRDP session reset on restart #533
- Use unguessable URIs for RRDP deltas and snapshots #515
The updated documentation for this release can be found here:
https://krill.docs.nlnetlabs.nl/en/0.9.2/index.html
The full list of changes can be found here:
https://github.com/NLnetLabs/krill/projects/16
All for One
This release fixes an issue where the Publication Server would lock up (#606). Users who do not use Krill to operate their own Publication Server do not need to upgrade to this release.
This locking issue was caused by slow deserialisation of the repository content. It primarily affected large repositories because more content makes this process slower, and having more publishers who publish regularly means it is triggered more frequently.