Dear list,

Unfortunately we found another uncaught issue in Krill 0.10.x.

Please do not upgrade to 0.10.0 or 0.10.1 if you delegate to any child CAs.

If you do not delegate to child CAs then this issue does not affect you.

It turns out that in our migration of RFC 6492 code from krill into the rpki-rs 
library a mistake was made and the "resource_set_*" attributes in Resource 
Class List Responses (section 3.3.2 of RFC 6492) became treated as optional. 
I.e. they are omitted in case a child is not entitled to a certain resource 
type. However, the attributes must always be included albeit using an empty 
string "" in such cases.

In our tests our krill 0.10.x child CAs treated these missing attributes the 
same as an empty attribute (""), so unfortunately this regression was not 
caught by our tests.

We will have a fix for this asap.

Our apologies for the inconvenience,

On behalf of the NLnet Labs RPKI Team,

Tim

-- 
RPKI mailing list
[email protected]
https://lists.nlnetlabs.nl/mailman/listinfo/rpki
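
The missing-versus-empty distinction described in the message above, shown as an added example that is not part of the original post and is not Krill or rpki-rs code. It assumes the RFC 6492 XML payload has already been extracted from its CMS wrapper; the function name `missing_resource_sets` and both sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# XML namespace of the RFC 6492 up-down protocol.
UPDOWN_NS = "http://www.apnic.net/specs/rescerts/up-down/"
# Per-class attributes that must always be present, using "" when the child
# is not entitled to that resource type.
REQUIRED_SETS = ("resource_set_as", "resource_set_ipv4", "resource_set_ipv6")


def missing_resource_sets(xml_text):
    """Return {class_name: [absent attribute names]} for a list_response.

    An attribute that is present but empty ("") is valid and is not reported;
    only attributes that are absent altogether are.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{UPDOWN_NS}}}message":
        raise ValueError("not an RFC 6492 message element")
    if root.get("type") != "list_response":
        raise ValueError("not a Resource Class List Response")
    problems = {}
    for cls in root.findall(f"{{{UPDOWN_NS}}}class"):
        missing = [a for a in REQUIRED_SETS if cls.get(a) is None]
        if missing:
            problems[cls.get("class_name", "<unnamed>")] = missing
    return problems


# Constructed samples (not captured traffic) for a child entitled to IPv4 only.
# The <certificate> and <issuer> child elements are left out for brevity.
CONFORMANT = f"""<message xmlns="{UPDOWN_NS}" version="1"
    sender="parent" recipient="child" type="list_response">
  <class class_name="default" cert_url="rsync://example.net/repo/parent.cer"
      resource_set_as="" resource_set_ipv4="192.0.2.0/24" resource_set_ipv6=""
      resource_set_notafter="2030-01-01T00:00:00Z"/>
</message>"""

# Same entitlement, but the AS and IPv6 attributes are omitted instead of empty.
REGRESSED = f"""<message xmlns="{UPDOWN_NS}" version="1"
    sender="parent" recipient="child" type="list_response">
  <class class_name="default" cert_url="rsync://example.net/repo/parent.cer"
      resource_set_ipv4="192.0.2.0/24"
      resource_set_notafter="2030-01-01T00:00:00Z"/>
</message>"""

if __name__ == "__main__":
    for label, payload in (("conformant", CONFORMANT), ("regressed", REGRESSED)):
        print(label, missing_resource_sets(payload) or "ok")
```

A child implementation that reads an absent attribute as "" hides this difference, so a test suite that should catch it needs a strict check like this one on the parent's output.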
