From 20d5841a03c8145d704c0a30e8136d5dca3e291e Mon Sep 17 00:00:00 2001
From: Claudio Jeker
Date: Thu, 16 Jun 2022 16:09:57 +0000
Subject: RRDP serial numbers should only increase. Warn if the serial number decreases between syncs. On top of this only allow a small window of up to 2 deltas from the current one to consider our cache to be in sync. The number 2 is probably to conservative and should be adjusted once some data points got collected. It seems to happen that CAs restore RRDP snapshots instead of building a fresh snapshot with a new session-id. Which results in rpki-client to ignore the repo until the serial number is bigger again. OK tb@
---
 usr.sbin/rpki-client/rrdp_notification.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/usr.sbin/rpki-client/rrdp_notification.c b/usr.sbin/rpki-client/rrdp_notification.c
index 84bc953b6e9..016385d7252 100644
--- a/usr.sbin/rpki-client/rrdp_notification.c
+++ b/usr.sbin/rpki-client/rrdp_notification.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rrdp_notification.c,v 1.15 2022/05/15 15:00:53 deraadt Exp $ */
+/* $OpenBSD: rrdp_notification.c,v 1.16 2022/06/16 16:09:56 claudio Exp $ */
 /*
 * Copyright (c) 2020 Nils Fisher
 * Copyright (c) 2021 Claudio Jeker
@@ -383,8 +383,13 @@ notification_done(struct notification_xml *nxml, char *last_mod)
 if (nxml->repository->serial == 0)
 goto snapshot;
 
- /* if our serial is equal or bigger, the repo is up to date */
- if (nxml->repository->serial >= nxml->serial) {
+ if (nxml->repository->serial > nxml->serial)
+ warnx("%s: serial number decreased from %lld to %lld",
+ nxml->notifyuri, nxml->repository->serial, nxml->serial);
+
+ /* if our serial is equal or plus 2, the repo is up to date */
+ if (nxml->repository->serial >= nxml->serial &&
+ nxml->repository->serial - nxml->serial <= 2) {
 nxml->current->serial = nxml->repository->serial;
 return NOTIFICATION;
 }
-- 
cgit v1.2.3
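Review bot: The decreased-serial branch in the second hunk only logs and then falls through, so when the cached serial is more than 2 ahead of the advertised one the outcome is decided by code after this hunk (notification_done continues outside it) rather than by anything stated here. A serial that goes backwards means the server is offering older state than the cache holds, so that path deserves to be explicit; if a full resync is the intent, the existing label could be taken in that branch with `if (nxml->repository->serial - nxml->serial > 2) goto snapshot;`. The window would also read better as a named constant than a bare `2`, since the commit message already expects the value to be tuned. The comment could be reworded to something like `/* cache is equal to or at most 2 serials ahead: treat as in sync */`.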