NLnetLabs / krill

RPKI Certificate Authority and Publication Server written in Rust
https://nlnetlabs.nl/projects/routing/krill/
Mozilla Public License 2.0

rrdp content not matching XML schema #1180

Closed ties closed 4 weeks ago

ties commented 6 months ago

One of my tools fails to parse RRDP content generated by what I expect is krill. One example delta from nicbr's repository:

<delta xmlns="http://www.ripe.net/rpki/rrdp" version="1" session_id="aa4bfebe-4ea2-44f5-9da7-9492753e8e98" serial="285013">
</delta>

The RELAX NG schema requires at least one publish or withdraw element:

# Delta segment: think DNS IXFR.

start |= element delta {
  attribute version    { version },
  attribute session_id { uuid },
  attribute serial     { serial },
  delta_element+
}

delta_element |= element publish  {
  attribute uri  { uri },
  attribute hash { hash }?,
  base64
}

delta_element |= element withdraw {
  attribute uri  { uri },
  attribute hash { hash }
}

timbru commented 6 months ago

Thank you for reporting this!

I am not quite sure how this happens. As far as I can tell Krill CAs will not send empty RFC 8181 publication deltas to the server, but if this should happen then the Publication Server could produce an empty RRDP delta. I created a PR with a fix for this, but merging and releasing will have to wait until after the holidays at least.

ties commented 5 months ago

By now we see this happening in a test environment where we have automated (API-driven) actions:

2024-01-26T13:14:41.362521000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: pulling from network
2024-01-26T13:14:41.362550000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: downloading 3 deltas (f610c790-8ceb-4711-bddd-938d0b16fa39#54425)
2024-01-26T13:14:41.362583000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: parse failed - empty delta
2024-01-26T13:14:41.362616000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: parse error at line 2: parsing aborted
2024-01-26T13:14:41.362652000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: delta sync failed, fallback to snapshot
2024-01-26T13:14:41.362686000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: loaded from network

My hypothesis is that it is the following scenario:

timbru commented 5 months ago

If this all happens within the timeframe of a single (staged) RRDP update, then that would explain things. The proposed change in this PR should fix it. A test for the scenario could be added.
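
A structural check for RRDP deltas, based on the schema excerpt quoted in the first comment, is sketched below as an added example; it is not code from krill, rpki-client or any participant in this thread. It only checks element and attribute structure (the `uri`, `hash`, `uuid`, `serial` and `base64` datatypes are not defined in the excerpt and are not validated), and the names `check_delta`, `GOOD_DELTA` and the `rpki.example.net` URIs are constructed for illustration.

```python
import xml.etree.ElementTree as ET  # untrusted feeds: prefer a hardened parser

RRDP_NS = "http://www.ripe.net/rpki/rrdp"
# Attribute rules taken from the schema excerpt quoted in the issue.
REQUIRED = {"delta": {"version", "session_id", "serial"},
            "publish": {"uri"}, "withdraw": {"uri", "hash"}}
OPTIONAL = {"delta": set(), "publish": {"hash"}, "withdraw": set()}

# The empty delta reported in the issue.
EMPTY_DELTA = """<delta xmlns="http://www.ripe.net/rpki/rrdp" version="1" session_id="aa4bfebe-4ea2-44f5-9da7-9492753e8e98" serial="285013">
</delta>"""
# Constructed sample: same header with one publish and one withdraw.
GOOD_DELTA = EMPTY_DELTA.replace("</delta>", """<publish uri="rsync://rpki.example.net/repo/a.roa">AAAA</publish>
<withdraw uri="rsync://rpki.example.net/repo/b.roa" hash="constructed-placeholder"/>
</delta>""")


def _check_attrs(name, elem, problems):
    """Record missing required attributes and attributes the schema does not allow."""
    present = set(elem.attrib)
    for attr in sorted(REQUIRED[name] - present):
        problems.append(f"<{name}> is missing required attribute {attr!r}")
    for attr in sorted(present - REQUIRED[name] - OPTIONAL[name]):
        problems.append(f"<{name}> has unexpected attribute {attr!r}")


def check_delta(xml_text):
    """Return structural violations; an empty list means the delta conforms."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{RRDP_NS}}}delta":
        return [f"root element is {root.tag!r}, expected delta in {RRDP_NS}"]
    problems = []
    _check_attrs("delta", root, problems)
    children = list(root)
    if not children:
        # delta_element+ means one or more publish/withdraw children.
        problems.append("empty delta: schema requires delta_element+")
    for child in children:
        name = child.tag.removeprefix(f"{{{RRDP_NS}}}")
        if name == child.tag or name not in ("publish", "withdraw"):
            problems.append(f"unexpected element {child.tag!r}")
            continue
        _check_attrs(name, child, problems)
    return problems


if __name__ == "__main__":
    for label, doc in (("empty", EMPTY_DELTA), ("good", GOOD_DELTA)):
        print(label, check_delta(doc) or "ok")
```

Run against a publication server's output before release, a check like this flags the empty delta that makes rpki-client abort delta sync and fall back to the snapshot.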