RRDP content not matching XML schema
One of my tools fails to parse RRDP content generated by what I expect is Krill. One example delta from nicbr's repository:

```xml
<delta xmlns="http://www.ripe.net/rpki/rrdp" version="1" session_id="aa4bfebe-4ea2-44f5-9da7-9492753e8e98" serial="285013">
</delta>
```

The RELAX NG schema requires at least one publish or withdraw element:
```
# Delta segment: think DNS IXFR.
start |= element delta {
  attribute version { version },
  attribute session_id { uuid },
  attribute serial { serial },
  delta_element+
}
delta_element |= element publish {
  attribute uri { uri },
  attribute hash { hash }?,
  base64
}
delta_element |= element withdraw {
  attribute uri { uri },
  attribute hash { hash }
}
```
Thank you for reporting this!
I am not quite sure how this happens. As far as I can tell Krill CAs will not send empty RFC 8181 publication deltas to the server, but if this should happen then the Publication Server could produce an empty RRDP delta. I created a PR with a fix for this, but merging and releasing will have to wait until after the holidays at least.
By now we see this happening in a test environment where we have automated (API-driven) actions:
```
2024-01-26T13:14:41.362521000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: pulling from network
2024-01-26T13:14:41.362550000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: downloading 3 deltas (f610c790-8ceb-4711-bddd-938d0b16fa39#54425)
2024-01-26T13:14:41.362583000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: parse failed - empty delta
2024-01-26T13:14:41.362616000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: parse error at line 2: parsing aborted
2024-01-26T13:14:41.362652000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: delta sync failed, fallback to snapshot
2024-01-26T13:14:41.362686000Z DEBUG:rpkiclientweb.rpki_client.stderr:rpki-client: https://rrdp.paas.rpki.prepdev.ripe.net/notification.xml: loaded from network
```
My hypothesis is that it is the following scenario:
- create cert on parent (other repo)
- publish mft+crl+whatever
- revoke ca/delete mft+crl+whatever
If this all happens within the timeframe of a single (staged) RRDP update, then that would explain things. The proposed change in this PR should fix it. A test for the scenario could be added.
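
The scenario hypothesised in this thread, together with the schema's `delta_element+` rule, as an added example (not code from Krill, rpki-client or anyone in this thread). It is a simplified model: `net_changes`, `count_delta_elements`, the `example.net` URIs and the hash strings are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

RRDP_NS = "http://www.ripe.net/rpki/rrdp"
# The empty delta quoted in the report above.
EMPTY_DELTA = (
    '<delta xmlns="http://www.ripe.net/rpki/rrdp" version="1" '
    'session_id="aa4bfebe-4ea2-44f5-9da7-9492753e8e98" serial="285013">\n'
    "</delta>"
)

def net_changes(published, staged):
    """Collapse the ordered (action, uri, hash) events staged for one RRDP
    update into net changes against `published` (uri -> hash already served).
    Returns a list of (action, uri, old_hash, new_hash)."""
    after = dict(published)
    for action, uri, obj_hash in staged:
        if action == "publish":
            after[uri] = obj_hash
        elif action == "withdraw":
            after.pop(uri, None)
        else:
            raise ValueError(f"unknown action: {action}")
    net = []
    for uri in sorted(set(published) | set(after)):
        old, new = published.get(uri), after.get(uri)
        if old != new:
            net.append(("publish" if new is not None else "withdraw", uri, old, new))
    return net

def count_delta_elements(xml_text):
    """Count publish/withdraw children of a delta; the schema's
    `delta_element+` means a conforming delta has at least one."""
    # Sample input only; use a hardened parser for untrusted repository data.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{RRDP_NS}}}delta":
        raise ValueError(f"not an RRDP delta: {root.tag}")
    allowed = {f"{{{RRDP_NS}}}publish", f"{{{RRDP_NS}}}withdraw"}
    return sum(1 for child in root if child.tag in allowed)

if __name__ == "__main__":
    # Constructed sample: objects published and withdrawn in one staged update.
    mft = "rsync://example.net/repo/ca/ca.mft"
    crl = "rsync://example.net/repo/ca/ca.crl"
    staged = [("publish", mft, "h-mft"), ("publish", crl, "h-crl"),
              ("withdraw", mft, "h-mft"), ("withdraw", crl, "h-crl")]
    net = net_changes({}, staged)
    print("net changes:", net, "-> write delta:", bool(net))
    print("elements in reported delta:", count_delta_elements(EMPTY_DELTA))
```

When the net change list is empty, a server that still writes a delta for the staged update produces a file with zero `delta_element` children, which is what a schema-following parser rejects.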