Jay Borkenhagen:
> I agree that something is wrong here and a different behavior would be
> good, but I don't think we want the folks who operate relying party
> software instances configuring their RPs to never again try to
> retrieve from certain repositories. We need to make sure that when
> the repos eventually do get fixed, that all RPs once again will
> retrieve from them.

you are right, good point!

> Ideally, all CAs would closely and continually watch their children,
> letting them know promptly when there are any problems including the
> complete inability to retrieve as we see now. Several folks have been
> in contact with APNIC, who acknowledges the problems with cnnic.cn
> (longstanding) and twnic.tw (more recent). As of earlier today, APNIC
> seems optimistic that these situations will both improve in the coming
> days. Let's wait and see.

that is great news, can we follow that progress somewhere?

> Probably a better behavior for rpki-validator-3 to take to avoid
> needlessly filling up logs, etc., with failed attempts would be to
> back off when re-trying unreachable repos. If a normally-reachable
> repo suddenly goes quiet, re-try a few times as normal, but then
> gradually increase the time until the next attempt, up to some maximum
> interval -- possibly several hours.

yes, this sounds reasonable.

kind regards,
nusenu

--
https://twitter.com/nusenu_
https://mastodon.social/@nusenu
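The back-off behaviour discussed in this thread, sketched as an added example (not code from rpki-validator-3 or from either poster). The class name, the 10-minute base interval, the three "as normal" retries, the doubling factor and the 6-hour cap are all assumptions chosen for illustration; a successful fetch resets the schedule so a repaired repository is polled normally again.

```python
class RepoRetryState:
    """Per-repository retry schedule: normal retries first, then capped back-off."""

    def __init__(self, base_interval=600, grace_failures=3,
                 factor=2.0, max_interval=6 * 3600):
        self.base_interval = base_interval    # assumed normal fetch interval (s)
        self.grace_failures = grace_failures  # failures retried "as normal"
        self.factor = factor                  # growth per failure after grace
        self.max_interval = max_interval      # cap: "possibly several hours"
        self.failures = 0                     # consecutive failed fetches

    def record(self, success):
        """Record one fetch attempt; return seconds until the next attempt."""
        # A success clears the history, so a fixed repo is never left behind.
        self.failures = 0 if success else self.failures + 1
        extra = max(0, self.failures - self.grace_failures)
        delay = self.base_interval * self.factor ** extra
        return int(min(delay, self.max_interval))


def simulate(outcomes, **kwargs):
    """Return the delay chosen after each fetch outcome (True = success)."""
    state = RepoRetryState(**kwargs)
    return [state.record(ok) for ok in outcomes]


def attempts_during_outage(outage_seconds, **kwargs):
    """Count fetch attempts made while a repo is unreachable for the given time."""
    state, t, attempts = RepoRetryState(**kwargs), 0, 0
    while t < outage_seconds:
        attempts += 1
        t += state.record(False)
    return attempts


if __name__ == "__main__":
    # Constructed scenario: nine failed fetches, then the repo comes back.
    print(simulate([False] * 9 + [True]))
    # One-day outage: back-off versus a fixed 10-minute retry (factor=1.0).
    print(attempts_during_outage(86400), attempts_during_outage(86400, factor=1.0))
```

With these assumed values, a one-day outage produces 11 failed attempts (and log entries) per validator instead of 144.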
