[RPKI] Leap year bug - Krill restart required
tim at nlnetlabs.nl
Mon Mar 2 14:33:47 UTC 2020
We recommend that all Krill users:
1) restart their Krill instance.
2) manually trigger republication
You can do this by using the following commands:
krillc bulk publish --server <your-server> --token <your-token>
krillc bulk sync --server <your-server> --token <your-token>
Where --server and --token may be left out if you had set the environment variables KRILL_CLI_SERVER and KRILL_CLI_TOKEN respectively.
3) If you updated your ROAs on Saturday, check that they match your expectations
We found that there was a rather embarrassing bug in the code that signs certificates. The rather naive implementation we had was adding a year to 'today' in certain cases, without checking whether today was in fact a leap day.
As a result Krill would not have been able to modify ROAs on Sat 29 February, and in addition the background job responsible for re-publishing manifests and CRLs (to keep them from going stale) may have crashed. This means that your objects may have become stale, and your ROAs would be seen as invalid. Note that this means that your routes would have appeared as 'not found', rather than 'invalid'.
The issue should not happen again, at least not for another four years, but we are working on fix that will be included in the next release.
We apologise for the inconvenience.
More information about the RPKI