[routing-wg] RPKI Validator 3: disable fetching from certain repos?

nusenu writes:
 > Hi,
 > 
 > some URLs basically fail all the time (Timeout).
 > 
 > Is there a way to tell validator "stop trying to connect to them"?
 > 
 > https://rpki.cnnic.cn/rrdp/notify.xml: java.util.concurrent.TimeoutException
 > https://rpkica.twnic.tw/rrdp/notify.xml: java.util.concurrent.TimeoutException
 > 
 > this has been reported a while ago:
 > https://github.com/RIPE-NCC/rpki-validator-3/issues/45
 > 
 > kind regards,
 > nusenu
 > 

Hi nusenu,

I agree that something is wrong here and a different behavior would be
good, but I don't think we want the folks who operate relying party
software instances configuring their RPs to never again try to
retrieve from certain repositories.  We need to make sure that when
the repos eventually do get fixed, that all RPs once again will
retrieve from them.

Ideally, all CAs would closely and continually watch their children,
letting them know promptly when there are any problems including the
complete inability to retrieve as we see now.  Several folks have been
in contact with APNIC, who acknowledges the problems with cnnic.cn
(longstanding) and twnic.tw (more recent).  As of earlier today, APNIC
seems optimistic that these situations will both improve in the coming
days.  Let's wait and see.

Probably a better behavior for rpki-validator-3 to take to avoid
needlessly filling up logs, etc., with failed attempts would be to
back off when re-trying unreachable repos.  If a normally-reachable
repo suddenly goes quiet, re-try a few times as normal, but then
gradually increase the time until the next attempt, up to some maximum
interval -- possibly several hours.

Thanks.

						Jay B.