RFC Errata
RFC 8182, "The RPKI Repository Delta Protocol (RRDP)", July 2017
Source of RFC: sidr (rtg)
Errata ID: 6919
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT
Reported By: Ties de Kock
Date Reported: 2022-04-04
Held for Document Update by: Alvaro Retana
Date Held: 2022-04-18
Section 3.4.2 says:
o When a Relying Party encounters a "withdraw" element, or a "publish" element where an object is replaced, in a delta that it retrieves from a Repository Server, it MUST verify that the object to be withdrawn or replaced was retrieved from this same Repository Server before applying the appropriate action. Failing to do so will leave the Relying Party vulnerable to malicious Repository Servers instructing it to delete or change arbitrary objects.
It should say:
o When a Relying Party encounters a "withdraw" element, or a "publish" element where an object is replaced, in a delta that it retrieves from a Repository Server, it MUST verify that the object to be withdrawn or replaced was retrieved from this same Repository Server before applying the appropriate action. Failing to do so will leave the Relying Party vulnerable to malicious Repository Servers instructing it to delete or change arbitrary objects. o For a "publish" or "withdraw" element, the hash MUST be present if the publication operation is overwriting an existing object, and it MUST NOT be present if this publication operation is writing to a new URI where no prior object exists. Presence of an object when no "hash" attribute has been specified is an error, as is absence of an object or an incorrect hash value when a "hash" attribute has been specified. In this situation this file MUST be rejected.
Notes:
Text taken from RFC8181. For <publish> elements in RRDP deltas, the same process described in RFC8181 applies; "the hash of a publish MUST match to overwrite the existing file"
(This gap in the specification was independently spotted by C.J. around the same time)