-c path, --config=path

Provides the path to a file containing basic configuration. If this option is not given, Routinator will try to use $HOME/.routinator.conf if that exists. If that doesn't exist, either, default values for the options as described here are used.

See CONFIGURATION FILE below for more information on the format and contents of the configuration file.

-b dir, --base-dir=dir

Specifies the base directory to keep status information in. Unless overwritten by the -r or -t options, the local repository will be kept in the sub-directory repository and the TALs will be kept in the sub-directory tals.

If omitted, the base directory defaults to $HOME/.rpki-cache.

-r dir, --repository-dir=dir

Specifies the directory to keep the local repository in. This is the place where Routinator stores the RPKI data it has collected and thus is a copy of all the data referenced via the trust anchors.

-t dir, --tal-dir=dir

Specifies the directory containing the trust anchor locators (TALs) to use. Trust anchor locators are the starting points for collecting and validating RPKI data. See TRUST ANCHOR LOCATORS for more information on what should be present in this directory.

-x file, --exceptions=file

Provides the path to a local exceptions file. The option can be used multiple times to specify more than one file to use. Each file is a JSON file as described in RFC 8416. It lists both route origins that should be filtered out of the output as well as origins that should be added.

--strict

If this option is present, the repository will be validated in strict mode following the requirements laid out by the standard documents very closely. With the current RPKI repository, using this option will lead to a rather large amount of invalid route origins and should therefore not be used in practice.

See RELAXED DECODING below for more information.

--stale=policy

This option defines how deal with stale objects. In RPKI, manifests and CRLs can be stale if the time given in their next-update field is in the past, indicating that an update to the object was scheduled but didn't happen. This can be because of an operational issue at the issuer or an attacker trying to replay old objects.

There are three possible policies that define how Routinator should treat stale objects.

A policy of reject instructs Routinator to consider all stale objects invalid. This will result in all material published by the CA issuing this manifest and CRL to be invalid including all material of any child CA.

The warn policy will allow Routinator to consider any stale object to be valid. It will, however, print a warning in the log allowing an operator to follow up on the issue.

Finally, the accept policy will cause Routinator to quietly accept any stale object as valid.

In Routinator 0.8.0 and newer, reject is the default policy if the option is not provided. In version 0.7.0 the default for this option was warn. In all previous versions warn was hard-wired.

--unsafe-vrps=policy

This option defines how to deal with "unsafe VRPs." If the address prefix of a VRP overlaps with any resources assigned to a CA that has been rejected because if failed to validate completely, the VRP is said to be unsafe since using it may lead to legitimate routes being flagged as RPKI invalid.

There are three options how to deal with unsafe VRPs:

A policy of reject will filter out these VRPs. Warnings will be logged to indicate which VRPs have been filtered

The warn policy will log warnings for unsafe VRPs but will add them to the valid VRPs.

Finally, the accept policy will quietly add unsafe VRPs to the valid VRPs.

Currently, the default policy is warn in order to gain operational experience with the frequency and impact of unsafe VRPs. This default may change in future versions.

For more information on the process of validation implemented in Routinator, see the section VALIDATION below.

--unknown-objects=policy

Defines how to deal with unknown types of RPKI objects. Currently, only certificates (.cer), CRLs (.crl), manifests (.mft), ROAs (.roa), and Ghostbuster Records (.gbr) are allowed to appear in the RPKI repository.

There are, once more, three policies for dealing with an object of any other type:

The reject policy will reject the object as well as the entire CA. Consequently, an unknown object appearing in a CA will mark all other objects issued by the CA as invalid as well.

The policy of warn will log a warning, ignore the object, and accept all known objects issued by the CA.

The similar policy of accept will quietly ignore the object and accept all known objects issued by the CA.

The default policy if the option is missing is warn.

Note that even if unknown objects are accepted, they must appear in the manifest and the hash over their content must match the one given in the manifest. If the hash does not match, the CA and all its objects are still rejected.

--allow-dubious-hosts

As a precaution, Routinator will reject rsync and HTTPS URIs from RPKI data with dubious host names. In particular, it will reject the name localhost, host names that consist of IP addresses, and a host name that contains an explicit port.

This option allows to disable this filtering.

--fresh

Delete and re-initialize the local data storage before starting. This option should be used when Routinator fails after reporting corrupt data storage.

--disable-rsync

If this option is present, rsync is disabled and only RRDP will be used.

--rsync-command=command

Provides the command to run for rsync. This is only the command itself. If you need to provide options to rsync, use the rsync-args configuration file setting instead.

If this option is not given, Routinator will simply run rsync and hope that it is in the path.

--rsync-timeout=seconds

Sets the number of seconds an rsync command is allowed to run before it is terminated early. This protects against hanging rsync commands that prevent Routinator from continuing. The default is 300 seconds which should be long enough except for very slow networks.

--disable-rrdp

If this option is present, RRDP is disabled and only rsync will be used.

--rrdp-fallback-time=seconds

Sets the maximum time in seconds since a last successful update of an RRDP repository before Routinator falls back to using rsync. The default is 3600 seconds. If the given value is smaller than twice the refresh time, it is silently increased to that value.

The actual time is chosen at random between the refresh time and this value in order to spread out load on the rsync server.

--rrdp-max-delta-count=count

If the number of deltas necessary to update an RRDP repository is larger than the value provided by this option, the snapshot is used instead. If the option is missing, the default of 100 is used.

--rrdp-timeout=seconds

Sets the timeout in seconds for any RRDP-related network operation, i.e., connects, reads, and writes. If this option is omitted, the default timeout of 300 seconds is used. Set the option to 0 to disable the timeout.

--rrdp-connect-timeout=seconds

Sets the timeout in seconds for RRDP connect requests. If omitted, the general timeout will be used.

--rrdp-local-addr=addr

If present, sets the local address that the RRDP client should bind to when doing outgoing requests.

--rrdp-root-cert=path

This option provides a path to a file that contains a certificate in PEM encoding that should be used as a trusted certificate for HTTPS server authentication. The option can be given more than once.

Providing this option does not disable the set of regular HTTPS authentication trust certificates.

--rrdp-proxy=uri

This option provides the URI of a proxy to use for all HTTP connections made by the RRDP client. It can be either an HTTP or a SOCKS URI. The option can be given multiple times in which case proxies are tried in the given order.

--rrdp-keep-responses=path

If this option is enabled, the bodies of all HTTPS responses received from RRDP servers will be stored under path. The sub-path will be constructed using the components of the requested URI. For the responses to the notification files, the timestamp is appended to the path to make it possible to distinguish the series of requests made over time.

--max-object-size=BYTES

Limits the size of individual objects received via either rsync or RRDP to the given number of bytes. The default value if this option is not present is 20,000,000 (i.e., 20 MBytes). Use a value of 0 to disable the limit.

--max-ca-depth=count

The maximum number of CAs a given CA may be away from a trust anchor certificate before it is rejected. The default value is 32.

--enable-bgpsec

If this option is present, BGPsec router keys will be processed during validation and included in the produced data set.

--dirty

If this option is present, unused files and directories will not be deleted from the repository directory after each validation run.

--validation-threads=count

Sets the number of threads to distribute work to for validation. Note that the current processing model validates trust anchors all in one go, so you are likely to see less than that number of threads used throughout the validation run.

-v, --verbose

Print more information. If given twice, even more information is printed.

More specifically, a single -v increases the log level from the default of warn to info, specifying it more than once increases it to debug.

See LOGGING below for more information on what information is logged at the different levels.

-q, --quiet

Print less information. Given twice, print nothing at all.

A single -q will drop the log level to error. Repeating -q more than once turns logging off completely.

--syslog

Redirect logging output to syslog.

This option is implied if a command is used that causes Routinator to run in daemon mode.

--syslog-facility=facility

If logging to syslog is used, this option can be used to specify the syslog facility to use. The default is daemon.

--logfile=path

Redirect logging output to the given file.

-h, --help

Print some help information.

-V, --version

Print version information.

init

Prepares the local repository directories and the TAL directory for running Routinator. Specifically, makes sure the local repository directory exists, and creates the TAL directory and fills it with the desired TALs.

For more information about TALs, see TRUST ANCHOR LOCATORS below.

vrps

This command requests that Routinator update the local repository and then validate the Route Origin Attestations in the repository and output the valid route origins, which are also known as Validated ROA Payloads or VRPs, as a list.

validate

This command can be used to perform RPKI route origin validation for one or more route announcements. Routinator will determine whether the provided announcements are RPKI valid, invalid, or not found.

A single route announcement can be given directly on the command line:

Alternatively, a list of route announcements can be read from a file or standard input.

The following additional options are available independently of the input method.

server

This command causes Routinator to act as a server for the RPKI-to-Router (RTR) and HTTP protocols. In this mode, Routinator will read all the TALs (See TRUST ANCHOR LOCATORS below) and will stay attached to the terminal unless the -d option is given.

The server will periodically update the local repository, every ten minutes by default, notify any clients of changes, and let them fetch validated data. It will not, however, reread the trust anchor locators. Thus, if you update them, you will have to restart Routinator.

You can provide a number of addresses and ports to listen on for RTR and HTTP through command line options or their configuration file equivalent. Currently, Routinator will only start listening on these ports after an initial validation run has finished.

It will not listen on any sockets unless explicitly specified. It will still run and periodically update the repository. This might be useful for use with vrps mode with the -n option.

update

Updates the local repository by resyncing all known publication points. The command will also validate the updated repository to discover any new publication points that appear in the repository and fetch their data.

As such, the command really is a shortcut for running routinator vrps -f none.

dump

Writes the content of all stored data to the file system. This is primarily intended for debugging but can be used to get access to the view of the RPKI data that Routinator currently sees.

Three directories will be created in the output directory:

The rrdp directory will contain all the files collected via RRDP from the various repositories. Each repository is stored in its own directory. The mapping between rpkiNotify URI and path is provided in the repositories.json file. For each repository, the files are stored in a directory structure based on the components of the file as rsync URI.

The rsync directory contains all the files collected via rsync. The files are stored in a directory structure based on the components of the file's rsync URI.

The store directory contains all the files used for validation. Files collected via RRDP or rsync are copied to the store if they are correctly referenced by a valid manifest. This part contains one directory for each RRDP repository similarly structured to the rrdp directory and one additional directory rsync that contains files collected via rsync.

man

Displays the manual page, i.e., this page.

repository-dir

A string containing the path to the directory to store the local repository in. This entry is mandatory.

tal-dir

A string containing the path to the directory that contains the Trust Anchor Locators. This entry is mandatory.

exceptions

A list of strings, each containing the path to a file with local exceptions. If missing, no local exception files are used.

strict

A boolean specifying whether strict validation should be employed. If missing, strict validation will not be used.

stale

A string specifying the policy for dealing with stale objects.

unsafe-vrps

A string specifying the policy for dealing with unsafe VRPs.

unknown-objects

A string specifying the policy for dealing with unknown RPKI object types.

allow-dubious-hosts

A boolean value that, if present and true, disables Routinator's filtering of dubious host names in rsync and HTTPS URIs from RPKI data.

disable-rsync

A boolean value that, if present and true, turns off the use of rsync.

rsync-command

A string specifying the command to use for running rsync. The default is simply rsync.

rsync-args

A list of strings containing the arguments to be passed to the rsync command. Each string is an argument of its own.

If this option is not provided, Routinator will try to find out if your rsync understands the --contimeout option and, if so, will set it to 10 thus letting connection attempts time out after ten seconds. If your rsync is too old to support this option, no arguments are used.

rsync-timeout

An integer value specifying the number seconds an rsync command is allowed to run before it is being terminated. The default if the value is missing is 300 seconds.

disable-rrdp

A boolean value that, if present and true, turns off the use of RRDP.

rrdp-fallback-time

An integer value specifying the maximum number of seconds since a last successful update of an RRDP repository before Routinator falls back to using rsync. The default in case the value is missing is 3600 seconds. If the value provided is smaller than twice the refresh time, it is silently increased to that value.

rrdp-max-delta-count

An integer value that specifies the maximum number of deltas necessary to update an RRDP repository before using the snapshot instead. If the value is missing, the default of 100 is used.

rrdp-timeout

An integer value that provides a timeout in seconds for all individual RRDP-related network operations, i.e., connects, reads, and writes. If the value is missing, a default timeout of 300 seconds will be used. Set the value to 0 to turn the timeout off.

rrdp-connect-timeout

An integer value that, if present, sets a separate timeout in seconds for RRDP connect requests only.

rrdp-local-addr

A string value that provides the local address to be used by RRDP connections.

rrdp-root-certs

A list of strings each providing a path to a file containing a trust anchor certificate for HTTPS authentication of RRDP connections. In addition to the certificates provided via this option, the system's own trust store is used.

rrdp-proxies

A list of string each providing the URI for a proxy for outgoing RRDP connections. The proxies are tried in order for each request. HTTP and SOCKS5 proxies are supported.

rrdp-keep-responses

A string containing a path to a directory into which the bodies of all HTTPS responses received from RRDP servers will be stored. The sub-path will be constructed using the components of the requested URI. For the responses to the notification files, the timestamp is appended to the path to make it possible to distinguish the series of requests made over time.

max-object-size

An integer value that provides a limit for the size of individual objects received via either rsync or RRDP to the given number of bytes. The default value if this option is not present is 20,000,000 (i.e., 20 MBytes). A value of 0 disables the limit.

max-ca-depth

An integer value that specifies the maximum number of CAs a given CA may be away from a trust anchor certificate before it is rejected. If the option is missing, a default of 32 will be used.

enable-bgpsec

A boolean value specifying whether BGPsec router keys should be included in the published dataset. If false or missing, no router keys will be included.

dirty

A boolean value which, if true, specifies that unused files and directories should not be deleted from the repository directory after each validation run. If left out, its value will be false and unused files will be deleted.

validation-threads

An integer value specifying the number of threads to be used during validation of the repository. If this value is missing, the number of CPUs in the system is used.

log-level

A string value specifying the maximum log level for which log messages should be emitted. The default is warn.

See LOGGING below for more information on what information is logged at the different levels.

log

A string specifying where to send log messages to. This can be one of the following values:

The default if this value is missing is, unsurprisingly, default.

log-file

A string value containing the path to a file to which log messages will be appended if the log configuration value is set to file. In this case, the value is mandatory.

syslog-facility

A string value specifying the syslog facility to use for logging to syslog. The default value if this entry is missing is daemon.

rtr-listen

An array of string values each providing an address and port on which the RTR server should listen in TCP mode. Address and port should be separated by a colon. IPv6 address should be enclosed in square brackets.

rtr-tls-listen

An array of string values each providing an address and port on which the RTR server should listen in TLS mode. Address and port should be separated by a colon. IPv6 address should be enclosed in square brackets.

http-listen

An array of string values each providing an address and port on which the HTTP server should listene. Address and port should be separated by a colon. IPv6 address should be enclosed in square brackets.

http-tls-listen

An array of string values each providing an address and port on which the HTTP server should listen in TLS mode. Address and port should be separated by a colon. IPv6 address should be enclosed in square brackets.

listen-systemd

The RTR TCP listening socket will be acquired from systemd via socket activation. Use this option together with systemd's socket units to allow Routinator running as a regular user to bind to the default RTR port 323.

rtr-tcp-keepalive

An integer value specifying the number of seconds to wait before sending a TCP keepalive on an established RTR connection. If this option is missing, TCP keepalive will be enabled on all RTR connections with an idle time of 60 seconds. If this option is present and set to zero, TCP keepalives are disabled.

rtr-client-metrics

A boolean value specifying whether server metrics should include separate metrics for every RTR client. If the value is missing, no RTR client metrics will be provided.

rtr-tls-key

A string value providing the path to a file containing the private key to be used by the RTR server in TLS mode. The file must contain one private key in PEM format.

rtr-tls-cert

A string value providing the path to a file containing the server certificates to be used by the RTR server in TLS mode. The file must contain one or more certificates in PEM format.

http-tls-key

A string value providing the path to a file containing the private key to be used by the HTTP server in TLS mode. The file must contain one private key in PEM format.

http-tls-cert

A string value providing the path to a file containing the server certificates to be used by the HTTP server in TLS mode. The file must contain one or more certificates in PEM format.

refresh

An integer value specifying the number of seconds Routinator should wait between consecutive validation runs in server mode. The next validation run will happen earlier, if objects expire earlier. The default is 600 seconds.

retry

An integer value specifying the number of seconds an RTR client is requested to wait after it failed to receive a data set. The default is 600 seconds.

expire

An integer value specifying the number of seconds an RTR client is requested to use a data set if it cannot get an update before throwing it away and continuing with no data at all. The default is 7200 seconds if it cannot get an update before throwing it away and continuing with no data at all. The default is 7200 seconds.

history-size

An integer value specifying how many change sets Routinator should keep in RTR server mode. The default is 10.

pid-file

A string value containing a path pointing to the PID file to be used in daemon mode.

working-dir

A string value containing a path to the working directory for the daemon process.

chroot

A string value containing the path any daemon process should use as its root directory.

user

A string value containing the user name a daemon process should run as.

group

A string value containing the group name a daemon process should run as.

tal-label

An array containing arrays of two string values mapping the name of a TAL file (without the path but including the extension) as given by the first string to the name of the TAL to be included where the TAL is referenced in output as given by the second string.

If the options missing or if a TAL isn't mentioned in the option, Routinator will construct a name for the TAL by using its file name (without the path) and dropping the extension.

/metrics

Returns a set of monitoring metrics in the format used by Prometheus.

/status

Returns the current status of the Routinator instance. This is similar to the output of the /metrics endpoint but in a more human friendly format.

/api/v1/status

Returns the current status in JSON format.

/log

Returns the logging output of the last validation run. The log level matches that set upon start.

Note that the output is collected after each validation run and is therefore only available after the initial run has concluded.

/version

Returns the version of the Routinator instance.

/api/v1/validity/as-number/prefix

Returns a JSON object describing whether the route announcement given by its origin AS Number and address prefix is RPKI valid, invalid, or not found. The returned object is compatible with that provided by the RIPE NCC RPKI Validator. For more information, see https://ripe.net/support/documentation/developer-documentation/rpki-validator-api

/validity?asn=as-number&prefix=prefix

Same as above but with a more form-friendly calling convention.

/json-delta, /json-delta?session=session&serial=serial

Returns a JSON object with the changes since the dataset version identified by the session and serial query parameters. If a delta cannot be produced from that version, the full data set is returned and the member reset in the object will be set to true. In either case, the members session and serial identify the version of the data set returned and their values should be passed as the query parameters in a future request.

The members announced and withdrawn contain arrays with route origins that have been announced and withdrawn, respectively, since the provided session and serial. If reset is true, the withdrawn member is not present.

error

Information related to events that prevent Routinator from continuing to operate at all as well as all issues related to local configuration even if Routinator will continue to run.

warn

Information about events and data that influences the set of VRPs produced by Routinator. This includes failures to communicate with repository servers, or encountering invalid objects.

info

Information about events and data that could be considered abnormal but do not influence the set of VRPs produced. For example, when filtering of unsafe VRPs is disabled, the unsafe VRPs are logged with this level.

debug

Information about the internal state of Routinator that may be useful for, well, debugging.

SIGUSR1: Reload TALs and restart validation

When receiving SIGUSR1, Routinator will attempt to reload the TALs and, if that succeeds, restart validation. If loading the TALs fails, Routinator will exit.