On Mon, Apr 13, 2020 at 02:43:27PM +0000, Job Snijders wrote:
> Hi,
> 
> I'm reviewing some of the timers associated with the workings of the
> end-to-end propagation from ROA to VRP. I think suggesting to run
> rpki-client only once a day can make for needless brittleness.
> 
> Running rpki-client just once a day also results in only making a rsync
> fetch attempt once a day. If the connection can't be established because
> of a transient network issue, the RP can easily end up going without
> contact with the CA Publication Point for close to 48 hours. A lot of
> CRLs appear to have expiration dates in the range of '24 hours'.
> 
> I think attempting to contact a CA PP at least once an hour is more
> appropriate for the various 24-48h sliding windows that are in play.
> 
> Thoughts? OK?
> 
> Kind regards,
> 
> Job
> 
> Index: crontab
> ===================================================================
> RCS file: /cvs/src/etc/crontab,v
> retrieving revision 1.25
> diff -u -p -r1.25 crontab
> --- crontab   4 Dec 2019 15:07:51 -0000       1.25
> +++ crontab   13 Apr 2020 14:34:45 -0000
> @@ -19,4 +19,4 @@ HOME=/var/log
>  30   5       1       *       *       /bin/sh /etc/monthly
>  #0   *       *       *       *       sleep $((RANDOM \% 2048)) && 
> /usr/libexec/spamd-setup
>  
> -#0   9       *       *       *       -n sleep $((RANDOM \% 4096)) && 
> rpki-client -v && bgpctl reload
> +#0   *       *       *       *       -n sleep $((RANDOM \% 4096)) && 
> rpki-client -v && bgpctl reload
> 
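Review bot: on the added `+` line the jitter is still `sleep $((RANDOM \% 4096))`, which was sized for the once-a-day entry. With the hour field changed from `9` to `*`, the delay can reach 4095 seconds, which is longer than the 3600-second period, so one run can still be sleeping when the next one is triggered and the spacing between fetch attempts becomes uneven. Consider lowering the modulus so the delay stays inside the hour, for example to the `2048` already used on the spamd-setup line above, or replacing the sleep with a fixed minute value in the first field.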

I personally run rpki-client every hour and that works very well for me.
I do not use the sleep RANDOM thing because I prefer to have rpki-client
run always at the same interval (1h) and I just selected a random minute
in the hour.

-- 
:wq Claudio
