NLnetLabs / routinator

An RPKI Validator and RTR server written in Rust
https://nlnetlabs.nl/projects/routing/routinator/
BSD 3-Clause "New" or "Revised" License

Trust Anchor issue if not available on initial validation #454

Closed ijg00 closed 2 years ago

ijg00 commented 3 years ago

Experienced an issue with the LACNIC Trust Anchor not being available on initial validation:

Jan 28 19:09:46 routinator routinator[13494]: rsyncing from rsync://repository.lacnic.net/rpki/.
Jan 28 19:09:46 routinator routinator[13494]: rsync://repository.lacnic.net/rpki: Running command "rsync" "--contimeout=10" "--timeout=300" "-rltz" "--delete" "rsync://repository.lacnic.net/rpki/" "/var/lib/routinator/rpki-cache/rsync/repository.lacnic.net/rpki/"
Jan 28 19:09:56 routinator routinator[13494]: rsync://repository.lacnic.net/rpki: failed with status exit code: 35
Jan 28 19:09:56 routinator routinator[13494]: rsync://repository.lacnic.net/rpki: rsync error: timeout waiting for daemon connection (code 35) at socket.c(281) [Receiver=3.1.3]
Jan 28 19:09:56 routinator routinator[13494]: rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer: not found in local repository
Jan 28 19:09:56 routinator routinator[13494]: No valid trust anchor for TAL lacnic

Routinator completed the initial validation and associated entries (e.g. routinator_valid_roas) were missing from the metrics.

Today with no changes LACNIC is responding and it has synced successfully:

Jan 29 10:02:21 routinator routinator[15447]: rsyncing from rsync://repository.lacnic.net/rpki/.
Jan 29 10:02:21 routinator routinator[15447]: rsync://repository.lacnic.net/rpki: Running command "rsync" "--contimeout=10" "--timeout=300" "-rltz" "--delete" "rsync://repository.lacnic.net/rpki/" "/var/lib/routinator/rpki-cache/rsync/repository.lacnic.net/rpki/"
Jan 29 10:02:30 routinator routinator[15447]: rsync://repository.lacnic.net/rpki: successfully completed.
Jan 29 10:02:30 routinator routinator[15447]: Found valid trust anchor rsync://repository.lacnic.net/rpki/lacnic/rta-lacnic-rpki.cer. Processing.

The metrics were still missing and a restart of Routinator was required to include them. At this stage it's unknown if the VRPs were available.

partim commented 3 years ago

I just tested this locally and here both the VRPs and the metrics appeared after the successful run.

First run:

valid-roas-per-tal: ripe=21538 apnic=13396 afrinic=1178 arin=18826

Next run:

valid-roas-per-tal: ripe=21530 apnic=13396 afrinic=1178 arin=18825 lacnic=6319

LACNIC missing from the metrics seems suspicious. Can you check that your /var/lib/routinator/rpki-cache/rsync/repository.lacnic.net/rpki/ actually contains data? Should be about 46M. Also, are there any more messages in the log?
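
A monitoring check for the condition discussed in this thread, as an added example that is not part of the original issue or of Routinator's own code: it scans log lines for the "No valid trust anchor for TAL" message and compares a valid-roas-per-tal line against the TALs an operator expects. The expected TAL set and the function names are assumptions; the sample input is copied from the posts above.

```python
import re

# Assumption: the TALs the operator expects to validate (names from the thread).
EXPECTED_TALS = {"ripe", "apnic", "afrinic", "arin", "lacnic"}
NO_TA_RE = re.compile(r"No valid trust anchor for TAL (\S+)")
RSYNC_FAIL_RE = re.compile(r"(rsync://\S+): failed with status exit code: (\d+)")

# Sample input copied from the thread (first run, then the later run).
FIRST_RUN_LOG = [
    "Jan 28 19:09:56 routinator routinator[13494]: rsync://repository.lacnic.net/rpki: failed with status exit code: 35",
    "Jan 28 19:09:56 routinator routinator[13494]: No valid trust anchor for TAL lacnic",
]
FIRST_STATUS = "valid-roas-per-tal: ripe=21538 apnic=13396 afrinic=1178 arin=18826"
NEXT_STATUS = "valid-roas-per-tal: ripe=21530 apnic=13396 afrinic=1178 arin=18825 lacnic=6319"


def parse_roas_per_tal(status_line):
    """Parse 'valid-roas-per-tal: ripe=21538 ...' into {tal: count}."""
    key, _, rest = status_line.partition(":")
    if key.strip() != "valid-roas-per-tal":
        raise ValueError("not a valid-roas-per-tal line")
    counts = {}
    for pair in rest.split():
        tal, _, num = pair.partition("=")
        counts[tal] = int(num)
    return counts


def check_run(log_lines, status_line, expected=EXPECTED_TALS):
    """Report TALs without a trust anchor, failed rsync fetches, and
    expected TALs that are absent from (or zero in) the per-TAL metrics."""
    no_anchor, rsync_failures = set(), {}
    for line in log_lines:
        if m := NO_TA_RE.search(line):
            no_anchor.add(m.group(1))
        if m := RSYNC_FAIL_RE.search(line):
            rsync_failures[m.group(1)] = int(m.group(2))
    counts = parse_roas_per_tal(status_line)
    missing = {tal for tal in expected if counts.get(tal, 0) == 0}
    return {
        "no_trust_anchor": sorted(no_anchor),
        "rsync_failures": rsync_failures,
        "missing_from_metrics": sorted(missing),
        "healthy": not no_anchor and not missing,
    }


if __name__ == "__main__":
    print(check_run(FIRST_RUN_LOG, FIRST_STATUS))
    print(check_run([], NEXT_STATUS))
```

Alerting on a non-empty missing_from_metrics list catches the case reported here, where validation completes but an entire TAL contributes no ROAs.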