On Sun, Sep 19, 2021 at 12:38:28PM +0200, Job Snijders wrote:
The OpenBSD RPKI validator (which can generate BIRD config snippets!) calculates the "transitive expiration moment". This is the 'nearest' moment a given ROA no longer should be considered when validating BGP routes. Every RPKI CA periodically refreshes/resigns data related to their ROAs, so every time the validation process runs, it'll output updated expiration moments: under normal circumstances ROAs don't drop out of the rotation because of expiration.
To better illustrate the feature request, I'm now generating a new BIRD2 config snippet once an hour at this URL: http://kiera.meerval.net/bird.roa.conf.txt

I've modified this rpki-client's instance to also emit the expires %lld. Each RPKI entry now contains an 'expires' timestamp as seconds since epoch, which signifies the "do not use after" date. Nobody wants to drink expired milk! :-)

Imagine a workflow where someone put in crontab:

    wget -O /etc/bird/rpki.conf http://kiera.meerval.net/bird.roa.conf.txt
    birdc configure

and in their /etc/bird/bird.conf a line like

    include "rpki.conf";

Now, if the kiera.meerval.net service would disappear for one reason or another, the BGP daemon won't receive new RPKI ROA information. In that scenario, having BIRD check every few minutes whether any ROAs it previously loaded by now have expired, can be very helpful!

Kind regards,

Job
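Until BIRD itself checks the 'expires' timestamps, the stale-data scenario in the message can be mitigated on the fetching side by pruning expired ROAs from the snippet before running birdc configure. The following is an added example, not code from rpki-client, BIRD or the message above. It assumes rpki-client annotates each roa4/roa6 route with a trailing "# expires <epoch>" comment (the message says an 'expires' epoch is emitted per entry but does not show the exact syntax, so that comment format is an assumption), and the sample snippet, prefixes and AS numbers are constructed for the example.

```python
"""Prune expired ROAs from a BIRD 2 roa table snippet before `birdc configure`.

Added example, not code from rpki-client or BIRD. The annotation syntax is an
assumption: the posted snippet carries an 'expires' epoch per entry, and this
script assumes it appears as a trailing '# expires <epoch>' comment on the
'route ... max ... as ...;' line.
"""
import re
import sys
import time
from typing import List, Optional, Tuple

# Matches e.g.:  route 192.0.2.0/24 max 24 as 64496; # expires 1632052800
ROUTE_RE = re.compile(
    r"^\s*route\s+(?P<prefix>\S+)\s+max\s+(?P<maxlen>\d+)\s+as\s+(?P<asn>\d+);"
    r"\s*#\s*expires\s+(?P<expires>\d+)\s*$"
)

# Constructed sample snippet; the '# expires' comments are an assumed format.
SAMPLE_SNIPPET = """\
roa4 table t_roa4;
protocol static {
    roa4 { table t_roa4; };
    route 192.0.2.0/24 max 24 as 64496; # expires 1632052800
    route 198.51.100.0/24 max 24 as 64497; # expires 1632139200
    route 203.0.113.0/24 max 25 as 64498; # expires 1631966400
}
"""


def filter_expired(snippet: str, now: int) -> Tuple[str, List[str]]:
    """Return (snippet without expired ROAs, list of the dropped route lines).

    A ROA whose 'expires' epoch is <= now is treated as "do not use after":
    it is removed so that a stale download cannot keep validating routes
    against data the CA stopped vouching for. Non-route lines pass through.
    """
    kept: List[str] = []
    dropped: List[str] = []
    for line in snippet.splitlines():
        m = ROUTE_RE.match(line)
        if m and int(m.group("expires")) <= now:
            dropped.append(line.strip())
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", dropped


def next_expiry(snippet: str, now: int) -> Optional[int]:
    """Earliest expiry still in the future: the 'transitive expiration moment'
    of the loaded set, i.e. the latest time the next re-check must run.
    Returns None when no unexpired ROA remains."""
    future = []
    for line in snippet.splitlines():
        m = ROUTE_RE.match(line)
        if m and int(m.group("expires")) > now:
            future.append(int(m.group("expires")))
    return min(future) if future else None


if __name__ == "__main__":
    # Usage: fetch-script | python3 prune_roas.py > /etc/bird/rpki.conf
    # (reads the sample snippet when stdin is a terminal).
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNIPPET
    now = int(time.time())
    out, dropped = filter_expired(data, now)
    sys.stdout.write(out)
    for d in dropped:
        sys.stderr.write(f"dropped expired ROA: {d}\n")
    nxt = next_expiry(data, now)
    if nxt is not None:
        sys.stderr.write(f"next expiry at {nxt} ({nxt - now}s from now)\n")
```

Run this between the download and birdc configure, writing to a temporary file and only replacing /etc/bird/rpki.conf when both the download and the pruning succeeded; as written, the cron pair in the message would overwrite the config and reconfigure BIRD even if wget produced a truncated file. The value returned by next_expiry is a sensible upper bound for the re-check interval: re-running the prune at least that often gives the same effect as the periodic expiry check the message asks BIRD to perform.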