[RPKI] routinator server not updating?

Havard Eidnes he at uninett.no
Thu Jul 9 11:34:14 UTC 2020


I run a couple of instances of routinator to feed our routers
with RTR, and pull down mostly "the default" set of ROA archives,
including ARIN's.

The documentation for routinator states:

       The server will periodically update the local repository, every ten
       minutes by default, notify any clients of changes, and let them fetch
       validated data.  It will not, however, reread the trust anchor
       locators. Thus, if you update them, you will have to restart

First off, doing rsync with all the remote repositories every 10
minutes sounds quite expensive in terms on the load on those
servers(?), if that was indeed what would happen.

Secondly, the config file documentation says:

              An integer value specifying the number of seconds Routinator
              should wait between consecutive validation runs in server mode.
              The next validation run will happen earlier, if objects expire
              earlier. The default is 600 seconds.

Does it only do re-validation and no actual refresh of the data
from the upstream repositories in this period?  The corresponding
program option has slightly different wording:

              The amount of seconds the server should wait after having
              finished updating and validating the local repository before
              starting to update again. The next update will earlier if
              objects in the repository expire earlier. The default value is
              600 seconds.

I am guessing the difference in wording is not intentional, and
that it is the intention that the local copy of the remote
repositories are kept in sync by periodically refreshing them,
and that no additional manual intervention should be required to
keep the local copy up to date?

However, I have configured the built-in http server to make it
possible to do some monitoring, and it now says (among other

version: routinator/0.7.1
serial: 10
last-update-start-at:  2020-06-16 13:00:06.611424671 UTC
last-update-start-ago: P22DT77524.959437S
last-update-done-at:   2020-06-16 12:50:06.337468507 UTC
last-update-done-ago:  P22DT78125.233393164S
last-update-duration:  PT129.500793946S
valid-roas: 38027

So ... last updated ... 22 days ago?!?  That timing mark
coincides with when the routinator server was last re-started.

My routinator is configured with

repository-dir = "/var/db/rpki-cache/repository"
tal-dir = "/var/db/rpki-cache/tal"
validation-threads = 6
rtr-listen = [ "a.b.c.d:3323" ]
http-listen = [ "a.b.c.d:9556" ]
log = "syslog"
pid-file = "/var/run/routinator.pid"
working-dir = "/var/db/rpki-cache"
user = "daemon"
group = "daemon"

and all files and directories under /var/db/rpki-cache are owned
by "daemon".  Looking at the contents there, the last update time
for the newest files appears to be shortly after routinator was
last restarted.

I start routinator as

  routinator -c <config-file> server --detach

Any ideas why it appears that routinator is not updating the
local copy of the remote repositories after the initial update
after (re)start?

...and while nitpicking (these might be relevant to the above
main question, "why isn't routinator updating?"):

              A boolean value that, if present and true, turns off the use of

Default value?

              A string specifying the command to use for running rsync. The
              default is simply rsync.

Searched for in $PATH?

              A boolean value that, if present and true, turns off the use of

Default value?

(There are lots of other missing default value specifications in
the man page.)


- Håvard

More information about the RPKI mailing list