[RPKI] Issue with Krill 0.10.x acting as a parent CA

Tim Bruijnzeels tim at nlnetlabs.nl
Fri Sep 9 20:30:06 UTC 2022


Dear list,

Unfortunately we found another uncaught issue in Krill 0.10.x.

Please do not upgrade to 0.10.0 or 0.10.1 if you delegate to any child CAs.

If you do not delegate to child CAs then this issue does not affect you.

It turns out that in our migration of RFC 6492 code from krill into the rpki-rs library a mistake was made and the "resource_set_*" attributes in Resource Class List Responses (section 3.3.2 of RFC 6492) became treated as optional. I.e. they are omitted in case a child is not entitled to a certain resource type. However, the attributes must always be included albeit using an empty string "" in such cases.

In our tests our krill 0.10.x child CAs treated these missing attributes the same as an empty attribute (""), so unfortunately this regression was not caught by our tests.

We will have a fix for this asap.

Our apologies for the inconvenience,

On behalf of the NLnet Labs RPKI Team,

Tim
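
The difference between a missing and an empty "resource_set_*" attribute, and why a lenient child hides it, as an added example that is not part of the original message and is not Krill or rpki-rs code. It assumes the XML payload has already been extracted from its CMS wrapper; `parse_classes`, `sample` and both payloads are constructed for illustration, and the three attribute names are those of the `<class>` element in RFC 6492.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.apnic.net/specs/rescerts/up-down/}"  # RFC 6492 namespace
# Resource-type attributes of <class> in a list response (RFC 6492, 3.3.2).
RESOURCE_ATTRS = ("resource_set_as", "resource_set_ipv4", "resource_set_ipv6")


def parse_classes(xml_text, strict=True):
    """Return {class_name: {attr: [items]}} for a list_response payload.

    strict=True rejects a missing attribute; strict=False mimics a lenient
    child that reads a missing attribute as "" and so hides the regression.
    """
    root = ET.fromstring(xml_text)
    if root.tag != NS + "message" or root.get("type") != "list_response":
        raise ValueError("not an RFC 6492 list_response")
    result = {}
    for cls in root.iter(NS + "class"):
        name = cls.get("class_name")
        entitled = {}
        for attr in RESOURCE_ATTRS:
            value = cls.get(attr)
            if value is None:
                if strict:
                    raise ValueError(f"class {name!r}: {attr} is missing")
                value = ""
            entitled[attr] = [v for v in value.split(",") if v]
        result[name] = entitled
    return result


def sample(ipv6_attr):
    """Constructed payload, trimmed to the attributes checked here."""
    return (
        '<message xmlns="http://www.apnic.net/specs/rescerts/up-down/" '
        'version="1" sender="parent" recipient="child" type="list_response">'
        '<class class_name="default" cert_url="rsync://parent.example/ca.cer" '
        'resource_set_as="64496" resource_set_ipv4="192.0.2.0/24" '
        f'{ipv6_attr} resource_set_notafter="2023-09-09T00:00:00Z"/>'
        "</message>"
    )


COMPLIANT = sample('resource_set_ipv6=""')  # empty string: no IPv6 entitlement
REGRESSED = sample("")                      # attribute omitted entirely

if __name__ == "__main__":
    print(parse_classes(COMPLIANT))
    print(parse_classes(REGRESSED, strict=False))  # same result: bug is masked
```

A test suite that only exercises the lenient path sees identical entitlements for both payloads; the strict path is what surfaces the omitted attribute.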


