Closed timbru closed 11 months ago
This probably partially overlaps with #36 in that there is a difference between the original inputs and what krill-sync writes.
For example, right now, krill-sync also writes standard (iirc `/<revision>/delta.xml`) when the input has an unpredictable name (e.g. `<delta serial="1089" uri="https://rrdp.example.org/931aeac6-db34-8053-d706-e52a3485848d/1089/delta-cee8tafmvuriaxcyohw3.xml" hash="9480612217a82d2acd458f03c8630a15d8b085c8e49870d66c5b3fe81985dcfa"/>`).
For my use case it is fine that krill-sync rewrites filenames and is not a pure proxy.
Right, good point. It would also be good if the delta and snapshot filenames and paths were preserved.
This should be doable as long as we can insist that they appear under the URI for the notification file itself - i.e. no other hostnames and stay in the jail. This way we can have some sanity regarding where things go on disk and how to expose them through an https server.
I expect that this restriction is not a problem for known implementations.
> This should be doable as long as we can insist that they appear under the URI for the notification file itself - i.e. no other hostnames and stay in the jail. This way we can have some sanity regarding where things go on disk and how to expose them through an https server.
> I expect that this restriction is not a problem for known implementations.
I think that restricting it to a configured set of hostnames is good. I'm not aware of any RRDP implementation currently writing to object storage (and hosting notification.xml outside it) but it feels like a valid use case.
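Added example (not krill-sync's own code) of the restriction discussed in the comments above: a snapshot or delta URI is accepted only if it has the same hostname as the notification URI and sits under its directory, and the on-disk path is derived from what remains. The function names, the notification URI and the segment allow-list are assumptions; the variant with a configured set of hostnames would replace the single-host comparison.

```rust
use std::path::PathBuf;

/// Split an https URI into (lower-cased authority, path).
/// Rejects other schemes, userinfo, queries and fragments.
fn split_https(uri: &str) -> Option<(String, &str)> {
    let rest = uri.strip_prefix("https://")?;
    let (authority, path) = rest.split_at(rest.find('/')?);
    let has_extra = path.contains(|c: char| c == '?' || c == '#');
    if authority.is_empty() || authority.contains('@') || has_extra {
        return None;
    }
    Some((authority.to_ascii_lowercase(), path))
}

/// Map a snapshot or delta URI to a path relative to the on-disk jail.
/// Returns None unless it sits under the notification file's directory.
fn jailed_path(notification_uri: &str, file_uri: &str) -> Option<PathBuf> {
    let (n_host, n_path) = split_https(notification_uri)?;
    let (f_host, f_path) = split_https(file_uri)?;
    if n_host != f_host {
        return None; // different hostname than the notification file
    }
    // Directory part of the notification path, including the trailing '/'.
    let base = &n_path[..=n_path.rfind('/')?];
    let rel = f_path.strip_prefix(base)?;
    let mut out = PathBuf::new();
    for seg in rel.split('/') {
        // Assumed allow-list: ASCII letters, digits, '-', '_' and '.'.
        // This also rejects '%', so an encoded "../" cannot slip through.
        let safe = seg.chars().all(|c| c.is_ascii_alphanumeric() || "-_.".contains(c));
        if seg.is_empty() || seg == "." || seg == ".." || !safe {
            return None;
        }
        out.push(seg);
    }
    Some(out)
}

fn main() {
    // Assumed notification URI; the first delta URI is the one quoted in the thread.
    let notification = "https://rrdp.example.org/notification.xml";
    let samples = [
        "https://rrdp.example.org/931aeac6-db34-8053-d706-e52a3485848d/1089/delta-cee8tafmvuriaxcyohw3.xml",
        "https://other.example.net/1089/delta.xml", // constructed: other host
        "https://rrdp.example.org/../1089/delta.xml", // constructed: leaves the jail
    ];
    for uri in samples.iter() {
        println!("{:?} <- {}", jailed_path(notification, uri), uri);
    }
}
```

The returned path is relative, so the caller joins it onto its own base directory before writing.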
Closing this. I am unsure when this was implemented, but different notification file names are supported. New issues can be made if other work is needed.
Currently krill-sync supports getting any notification file from a given URI, but it uses `notification.xml` when writing the file. It should use the filename given in the URI instead.

Note: this is not an issue for current known users, but it would be an issue when trying to use krill-sync with some non-krill rpki publication server implementations.