-rw-r--r-- | rpkid/rpki/irdb/zookeeper.py | 22 | ||||
-rw-r--r-- | rpkid/rpki/rpkid_tasks.py | 3 | ||||
-rw-r--r-- | rpkid/tests/yamlconf.py | 2 | ||||
-rw-r--r-- | rpkid/tests/yamltest.py | 2 |
4 files changed, 20 insertions, 9 deletions
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index 8f884723..bd32caf1 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
@@ -1139,13 +1139,23 @@ class Zookeeper(object):
 bsc_handle = "bsc"
- # Default values for CRL parameters are low, for testing. Not
- # quite as low as they once were, too much expired CRL whining.
+ # A default RPKI CRL cycle time of six hours seems sane. One
+ # might make a case for a day instead, but we've been running with
+ # six hours for a while now and haven't seen a lot of whining.
- self_crl_interval = self.cfg.getint("self_crl_interval", 6 * 60 * 60,
- section = myrpki_section)
- self_regen_margin = self.cfg.getint("self_regen_margin", self_crl_interval / 4,
- section = myrpki_section)
+ self_crl_interval = self.cfg.getint("self_crl_interval", 6 * 60 * 60, section = myrpki_section)
+
+ # regen_margin now just controls how long before RPKI certificate
+ # expiration we should regenerate; it used to control the interval
+ # before RPKI CRL staleness at which to regenerate the CRL, but
+ # using the same timer value for both of these is hopeless.
+ #
+ # A default regeneration margin of two weeks gives enough time for
+ # humans to react. We add a two hour fudge factor in the hope
+ # that this will regenerate certificates just *before* the
+ # companion cron job warns of impending doom.
+
+ self_regen_margin = self.cfg.getint("self_regen_margin", 14 * 24 * 60 * 60 + 2 * 60, section = myrpki_section)
 # See what rpkid already has on file for this entity.
diff --git a/rpkid/rpki/rpkid_tasks.py b/rpkid/rpki/rpkid_tasks.py
index c77de3ac..5b1874b2 100644
--- a/rpkid/rpki/rpkid_tasks.py
+++ b/rpkid/rpki/rpkid_tasks.py
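Review bot: The new `self_regen_margin` default does not match its own comment: the comment promises a "two hour fudge factor", but `14 * 24 * 60 * 60 + 2 * 60` adds 120 seconds (two minutes) to the two weeks, since every other term in the expression is in seconds. If two hours is the intent the line should read `self_regen_margin = self.cfg.getint("self_regen_margin", 14 * 24 * 60 * 60 + 2 * 60 * 60, section = myrpki_section)`, and pulling the constant out as `DEFAULT_REGEN_MARGIN = 14 * 24 * 60 * 60 + 2 * 60 * 60  # two weeks plus a two hour fudge factor, in seconds` would make the next reader check the arithmetic against the comment. Getting this wrong is not cosmetic: the margin is what stands between a missed regeneration and an expired RPKI certificate, and the comment says it is tuned to fire just before the companion cron job warns, which a two-minute offset will not reliably do. The enclosing Zookeeper method starts before the hunk and continues after it.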
@@ -544,7 +544,8 @@ class RegenerateCRLsAndManifestsTask(AbstractTask):
 rpki.log.debug("Self %s[%d] regenerating CRLs and manifests" % (self.self_handle, self.self_id))
 now = rpki.sundial.now()
- regen_margin = rpki.sundial.timedelta(seconds = self.regen_margin)
+ crl_interval = rpki.sundial.timedelta(seconds = self.crl_interval)
+ regen_margin = max(self.gctx.cron_period * 2, crl_interval / 4)
 publisher = rpki.rpkid.publication_queue()
 for parent in self.parents:
diff --git a/rpkid/tests/yamlconf.py b/rpkid/tests/yamlconf.py
index ac1c3292..b903d716 100644
--- a/rpkid/tests/yamlconf.py
+++ b/rpkid/tests/yamlconf.py
@@ -128,7 +128,7 @@ class allocation_db(list):
 self.root = allocation(y, self)
 assert self.root.is_root
 if self.root.crl_interval is None:
- self.root.crl_interval = 24 * 60 * 60
+ self.root.crl_interval = 60 * 60
 if self.root.regen_margin is None:
 self.root.regen_margin = 24 * 60 * 60
 if self.root.base.valid_until is None:
diff --git a/rpkid/tests/yamltest.py b/rpkid/tests/yamltest.py
index ae8a1293..1e9256e3 100644
--- a/rpkid/tests/yamltest.py
+++ b/rpkid/tests/yamltest.py
@@ -127,7 +127,7 @@ class allocation_db(list):
 self.root = allocation(yaml, self)
 assert self.root.is_root
 if self.root.crl_interval is None:
- self.root.crl_interval = 24 * 60 * 60
+ self.root.crl_interval = 60 * 60
 if self.root.regen_margin is None:
 self.root.regen_margin = 24 * 60 * 60
 if self.root.base.valid_until is None: |
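Review bot: `max(self.gctx.cron_period * 2, crl_interval / 4)` silently assumes `gctx.cron_period` is already a timedelta, because `crl_interval` is explicitly wrapped as one on the line above while `cron_period` is not; ordering a timedelta against a plain number of seconds raises TypeError, so this is worth confirming at the place `cron_period` is assigned rather than on the first cron run. The hunk also drops the configured `self.regen_margin` from the CRL/manifest path without a word of explanation here, the rationale being only in the zookeeper.py comment of this same commit, so a short comment would keep it findable: `# The CRL/manifest regen margin is derived, not configured: regen_margin now governs only certificate expiry, and the CRL must be refreshed well inside a cron period so relying parties never see it go stale.` That last clause is the security point a reader needs, since a stale CRL or manifest causes relying parties to reject everything published under this CA. The enclosing task method begins before the hunk and continues after it.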
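Review bot: The new test default `self.root.crl_interval = 60 * 60` is a bare number with no unit, and the identical change is made by hand in yamltest.py, so the two harnesses will drift unless the value is annotated where it is set: `self.root.crl_interval = 60 * 60  # seconds; one hour, kept short so CRL/manifest regeneration is presumably exercised within a test run`. The untouched `regen_margin = 24 * 60 * 60` two lines below is now larger than the CRL interval, which is consistent with this commit's new meaning of regen_margin (certificate expiry, not CRL staleness) but reads as an inversion without a note to that effect. The enclosing allocation_db method starts before the hunk and continues after it.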