From 98954f463a60c1aa1f9c0c0de83370558ba452c7 Mon Sep 17 00:00:00 2001 From: Job Snijders Date: Mon, 6 Jan 2025 23:20:05 +0000 Subject: [PATCH] Add changelog for 9.4 --- CHANGELOG | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 57d682a..aa7e086 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,3 +1,50 @@ +Version 9.4 - Jan 7th, 2025 +=========================== + +- rpki-client 9.4 will gradually stop accepting ultra long-lived TA + certificates. The utility now warns about TA certificates with an + expiry date more than 15 years into the future. After February 2nd, + 2026, such certificates will be rejected, and from March 3rd 2027 + onwards, TA certificates with a validity period exceeding 3 years will + be rejected. This is done to encourage reasonably frequent reissuance + of TA certificates and ensures that changes in the SubjectInfoAccess + and Internet Number Resources are propagated to the entire ecosystem. + It also strengthens the mitigations for TA replay attacks introduced + via the TA tie breaking mechanism. For further background see: + https://mailarchive.ietf.org/arch/msg/sidrops/-Y5NfXnGfDbeGOCAFj5xHgU90Zo/ + https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ta-tiebreaker/ + +- The generated BIRD config file was reworked. BIRD versions 1.x are no + longer supported and the -T option to customize the ROA table name was + removed. The config file now includes the ASPA-set by default and is + therefore only compatible with BIRD 2.16 and later. If compatibility + with older BIRD versions is required, the ASPA-set can be excluded + with the -A flag. Operators should delete any remaining bird1v4 and + bird1v6 output files. + +- Validated ROA payloads from AS0 TALs are by default excluded from the + output files as they are not recommended for automatic filtering of + BGP routes. This precaution can be overridden with the new -0 flag. + +- Various improvements to the ibuf API, including a new reader API + which is used to make all message parsing in rpki-client memory safe. + +- Warn about gaps in manifest issuance. Such gaps can appear for example + if rpki-client isn't run frequently enough, if there are issues with + an RFC 8181 publication server or if there is an operational error on + the side of the CA. 
+ +- Work around a backward compatibility break accidentally introduced + in OpenSSL 3.4.0, which resulted in all RPKI signed objects being + rejected. Earlier and later versions of OpenSSL are not affected. + +- Improved validity period checking in file mode. The product's lifetime + and the expiration time of the signature path are now taken into + account. + +- Better cleanup in case of a fallback from RRDP to RSYNC. In rare + circumstances, files were moved to the wrong place in the cache. + Version 9.3 - Sep 19th, 2024 ============================
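Review bot: the TA certificate entry switches measures mid-paragraph: the warning and the February 2nd, 2026 rejection are phrased as an expiry date "more than 15 years into the future" (notAfter relative to the time of validation), while the March 3rd 2027 rule is phrased as "a validity period exceeding 3 years" (notBefore to notAfter). If both thresholds are applied the same way, use one phrasing for both; if they genuinely differ, state that explicitly, since operators will read this paragraph to decide when their TA certificate must be reissued. Minor: "Earlier and later versions of OpenSSL are not affected" in the OpenSSL 3.4.0 entry is a forward-looking claim at the time of this commit; naming the first OpenSSL release that carries the fix would make it verifiable.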