authorRob Austein <sra@hactrn.net>2013-04-16 20:24:08 +0000
committerRob Austein <sra@hactrn.net>2013-04-16 20:24:08 +0000
commitf284e73a913b71bc6fccd609c145e3d9d14dce2f (patch)
tree60b9760a01bcdca850d1fe381f719249237e4754 /rpkid/rpki/irdb
parent4e9ce1785929656eeef7eb8af270213c8869a1c6 (diff)
Restrict use of rpkid.self.regen_margin to certificate regeneration,
sharing a single regeneration interval value between certificates and CRLs just doesn't work, and we can infer the CRL regeneration interval from crl_interval. Change default value of regen_margin to something consistent with human-time-scale expectations and the GUI's impending expiration warning interval. See #347 and #512. svn path=/trunk/; revision=5297
Diffstat (limited to 'rpkid/rpki/irdb')
-rw-r--r--rpkid/rpki/irdb/zookeeper.py22
1 files changed, 16 insertions, 6 deletions
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index 8f884723..bd32caf1 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
@@ -1139,13 +1139,23 @@ class Zookeeper(object):
bsc_handle = "bsc"
- # Default values for CRL parameters are low, for testing. Not
- # quite as low as they once were, too much expired CRL whining.
+ # A default RPKI CRL cycle time of six hours seems sane. One
+ # might make a case for a day instead, but we've been running with
+ # six hours for a while now and haven't seen a lot of whining.
- self_crl_interval = self.cfg.getint("self_crl_interval", 6 * 60 * 60,
- section = myrpki_section)
- self_regen_margin = self.cfg.getint("self_regen_margin", self_crl_interval / 4,
- section = myrpki_section)
+ self_crl_interval = self.cfg.getint("self_crl_interval", 6 * 60 * 60, section = myrpki_section)
+
+ # regen_margin now just controls how long before RPKI certificate
+ # expiration we should regenerate; it used to control the interval
+ # before RPKI CRL staleness at which to regenerate the CRL, but
+ # using the same timer value for both of these is hopeless.
+ #
+ # A default regeneration margin of two weeks gives enough time for
+ # humans to react. We add a two hour fudge factor in the hope
+ # that this will regenerate certificates just *before* the
+ # companion cron job warns of impending doom.
+
+ self_regen_margin = self.cfg.getint("self_regen_margin", 14 * 24 * 60 * 60 + 2 * 60, section = myrpki_section)
# See what rpkid already has on file for this entity.
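Review bot: The new `self_regen_margin` default adds `2 * 60`, which is two minutes, while the comment directly above it promises a "two hour fudge factor". The values here are in seconds, as the `6 * 60 * 60` default described as six hours shows. If two hours is what was meant, the line should read `self_regen_margin = self.cfg.getint("self_regen_margin", 14 * 24 * 60 * 60 + 2 * 60 * 60, section = myrpki_section)`; otherwise the comment should say two minutes. With only a two-minute head start, regeneration may not reliably run before the companion cron job's expiration warning, depending on how often each is scheduled, so operators could get alerts for certificates that are about to be renewed anyway. The enclosing method starts and ends outside this hunk, so how the value is consumed is not visible here.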