From f284e73a913b71bc6fccd609c145e3d9d14dce2f Mon Sep 17 00:00:00 2001 From: Rob Austein Date: Tue, 16 Apr 2013 20:24:08 +0000 Subject: Restrict use of rpkid.self.regen_margin to certificate regeneration, sharing a single regeneration interval value between certificates and CRLs just doesn't work, and we can infer the CRL regeneration interval from crl_interval. Change default value of regen_margin to something consistent with human-time-scale expectations and the GUI's impending expiration warning interval. See #347 and #512. svn path=/trunk/; revision=5297
---
rpkid/rpki/irdb/zookeeper.py | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) (limited to 'rpkid/rpki/irdb')
diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py
index 8f884723..bd32caf1 100644
--- a/rpkid/rpki/irdb/zookeeper.py
+++ b/rpkid/rpki/irdb/zookeeper.py
@@ -1139,13 +1139,23 @@ class Zookeeper(object):
 bsc_handle = "bsc"
- # Default values for CRL parameters are low, for testing. Not
- # quite as low as they once were, too much expired CRL whining.
+ # A default RPKI CRL cycle time of six hours seems sane. One
+ # might make a case for a day instead, but we've been running with
+ # six hours for a while now and haven't seen a lot of whining.
- self_crl_interval = self.cfg.getint("self_crl_interval", 6 * 60 * 60,
- section = myrpki_section)
- self_regen_margin = self.cfg.getint("self_regen_margin", self_crl_interval / 4,
- section = myrpki_section)
+ self_crl_interval = self.cfg.getint("self_crl_interval", 6 * 60 * 60, section = myrpki_section)
+
+ # regen_margin now just controls how long before RPKI certificate
+ # expiration we should regenerate; it used to control the interval
+ # before RPKI CRL staleness at which to regenerate the CRL, but
+ # using the same timer value for both of these is hopeless.
+ #
+ # A default regeneration margin of two weeks gives enough time for
+ # humans to react. We add a two hour fudge factor in the hope
+ # that this will regenerate certificates just *before* the
+ # companion cron job warns of impending doom.
+
+ self_regen_margin = self.cfg.getint("self_regen_margin", 14 * 24 * 60 * 60 + 2 * 60, section = myrpki_section)
 # See what rpkid already has on file for this entity.
-- cgit v1.2.3
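Review bot: The new default for `self_regen_margin` adds `2 * 60`, which is two minutes in the seconds used by `6 * 60 * 60` on the `self_crl_interval` line, while the comment directly above it promises a two hour fudge factor. If the comment states the intent, the default should read `14 * 24 * 60 * 60 + 2 * 60 * 60`. With only two minutes of slack, certificate regeneration may not reliably run ahead of the expiration-warning cron job (whose schedule is not visible here), so operators could be warned about certificates that are about to be reissued anyway. The enclosing method starts and ends outside this hunk, so any later use of `self_regen_margin` was not reviewed.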