On Thu, Apr 16, 2020 at 05:18:15PM -0600, Theo de Raadt wrote:

> Job Snijders <[email protected]> wrote:
> 
> > In cases where rpki-client for some reason ends up taking longer than an
> > hour, the next execution attempt of the command will be skipped. Better
> > to just try again an hour later, this helps avoid concurrent rpki-client
> > processes crossing streams.
> 
> Agree.  As discussed privately rpki-client has safe output functions,
> but the parallel rsync input phase lacks collision prevention.
> 
> > I think 'once an hour' is a reasonable balance between the needs of
> > internet users (the ROA creators who may depend urgently on an
> > expedient distribution of updated RPKI information); considerations for
> > what the Internet's CA infrastructure realistically can support; and what
> > network operators are willing to tolerate in churn. We have to hold the
> > throttle open at the right position.
> 
> I agree we should try 1 hour.
> 
> > +#~ *       *       *       *       -s -n rpki-client -v && bgpctl reload
> 
> I would prefer if you use -ns rather than the two separate options.
> 

ATM crontab -e validation after edit does not like that.

        -Otto
