Add changelog for 9.4

rpki-client · Jan 6, 2025 · 98954f4 · 98954f4
1 parent c7aa975
commit 98954f4
Showing 1 changed file with 47 additions and 0 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,50 @@
+Version 9.4 - Jan 7th, 2025
+===========================
+
+- rpki-client 9.4 will gradually stop accepting ultra long-lived TA
+  certificates. The utility now warns about TA certificates with an
+  expiry date more than 15 years into the future. After February 2nd,
+  2026, such certificates will be rejected, and from March 3rd 2027
+  onwards, TA certificates with a validity period exceeding 3 years will
+  be rejected. This is done to encourage reasonably frequent reissuance
+  of TA certificates and ensures that changes in the SubjectInfoAccess
+  and Internet Number Resources are propagated to the entire ecosystem.
+  It also strengthens the mitigations for TA replay attacks introduced
+  via the TA tie breaking mechanism. For further background see:
+  https://mailarchive.ietf.org/arch/msg/sidrops/-Y5NfXnGfDbeGOCAFj5xHgU90Zo/
+  https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ta-tiebreaker/
+
+- The generated BIRD config file was reworked. BIRD versions 1.x are no
+  longer supported and the -T option to customize the ROA table name was
+  removed. The config file now includes the ASPA-set by default and is
+  therefore only compatible with BIRD 2.16 and later. If compatibility
+  with older BIRD versions is required, the ASPA-set can be excluded
+  with the -A flag. Operators should delete any remaining bird1v4 and
+  bird1v6 output files.
+
+- Validated ROA payloads from AS0 TALs are by default excluded from the
+  output files as they are not recommended for automatic filtering of
+  BGP routes. This precaution can be overridden with the new -0 flag.
+
+- Various improvements to the ibuf API, including a new reader API
+  which is used to make all message parsing in rpki-client memory safe.
+
+- Warn about gaps in manifest issuance. Such gaps can appear for example
+  if rpki-client isn't run frequently enough, if there are issues with
+  an RFC 8181 publication server or if there is an operational error on
+  the side of the CA.
+
+- Work around a backward compatibility break accidentally introduced
+  in OpenSSL 3.4.0, which resulted in all RPKI signed objects being
+  rejected. Earlier and later versions of OpenSSL are not affected.
+
+- Improved validity period checking in file mode. The product's lifetime
+  and the expiration time of the signature path are now taken into
+  account.
+
+- Better cleanup in case of a fallback from RRDP to RSYNC. In rare
+  circumstances, files were moved to the wrong place in the cache.
+
 Version 9.3 - Sep 19th, 2024
 ============================