DNS broken for hkps.pool.sks-keyservers.net

Sparr
hkps.pool.sks-keyservers.net does not seem to resolve currently, from public or local or whois-authoritative nameservers.

_______________________________________________
Sks-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/sks-devel

Re: DNS broken for hkps.pool.sks-keyservers.net

Jim Popovitch
On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> hkps.pool.sks-keyservers.net does not seem to resolve currently,
> from public or local or whois-authoritative nameservers.

There's also been quite a few DNSSEC validation errors for RSIGs, for some
time now.

http://dnsviz.net/d/sks-keyservers.net/dnssec/

The outage is also mentioned here:

https://lists.gnupg.org/pipermail/gnupg-users/2019-March/061771.html


-Jim P.

Re: DNS broken for hkps.pool.sks-keyservers.net

Jim Popovitch
On Mon, 2019-03-18 at 11:42 -0400, Jim Popovitch wrote:
> On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> > hkps.pool.sks-keyservers.net does not seem to resolve currently,
> > from public or local or whois-authoritative nameservers.
>
> There's also been quite a few DNSSEC validation errors for RSIGs, for some
> time now.

Sorry, wrong error for that domain.  sks-keyservers.net has EDNS0 issues not
RSIG errors. (DNS Flag Day was last month)

https://ednscomp.isc.org/ednscomp/57d26bc180

-Jim P.

Re: DNS broken for hkps.pool.sks-keyservers.net

Todd Fleisher
In reply to this post by Jim Popovitch
The GNUPG-users post mentions something that may be the root cause:
The status page for sks-keyservers.net shows no hosts are currently
available via hkps but other ports are available.
https://sks-keyservers.net/status/
I’m speculating here, but if whatever Kristian uses to update the DNS for hkps.pool.sks-keyservers.net doesn’t think there are any valid nodes available perhaps it doesn’t publish any records. This would result in NXDOMAIN. Given that pool.sks-keyservers.net & na.pool.sks-keyservers.net & others are still resolving properly I don’t think it’s an EDNS issue.

Adding Kristian directly in case he filters sks-devel mail.

-T

On Mar 18, 2019, at 8:42 AM, Jim Popovitch <[hidden email]> wrote:

Re: DNS broken for hkps.pool.sks-keyservers.net

Daniel Austin-3
In reply to this post by Jim Popovitch
Hi,

All my secondaries (ns.dan.*) should validate fine with EDNS0 packets, so this should be a fairly minimal issue (although one that should still be addressed).

For hkps.pool.sks-keyservers.net, we'll need to wait for Kristian to take a look as it doesn't appear to be in the zonefile at the moment.


Thanks,

Dan.


On Mon, Mar 18, 2019 at 15:47, Jim Popovitch <[hidden email]> wrote:
> On Mon, 2019-03-18 at 11:42 -0400, Jim Popovitch wrote:
> > On Mon, 2019-03-18 at 08:27 -0700, Sparr wrote:
> > > hkps.pool.sks-keyservers.net does not seem to resolve currently,
> > > from public or local or whois-authoritative nameservers.
> >
> > There's also been quite a few DNSSEC validation errors for RSIGs, for some
> > time now.
>
> Sorry, wrong error for that domain.  sks-keyservers.net has EDNS0 issues not
> RSIG errors. (DNS Flag Day was last month)
>
> https://ednscomp.isc.org/ednscomp/57d26bc180
>
> -Jim P.
|

Re: DNS broken for hkps.pool.sks-keyservers.net

Kristian Fiskerstrand-6
In reply to this post by Todd Fleisher
On 3/18/19 3:58 PM, Todd Fleisher wrote:
> The GNUPG-users post mentions something that may be the root cause:
> The status page for sks-keyservers.net shows no hosts are currently
> available via hkps but other ports are available.
> https://sks-keyservers.net/status/
> I’m speculating here, but if whatever Kristian uses to update the DNS for hkps.pool.sks-keyservers.net doesn’t think there are any valid nodes available perhaps it doesn’t publish any records. This would result in NXDOMAIN. Given that pool.sks-keyservers.net & na.pool.sks-keyservers.net & others are still resolving properly I don’t think it’s an EDNS issue.
>
> Adding Kristian directly in case he filters sks-devel mail.
>

Well, it's a simple enough issue. The CRL expired, so no host validated
anymore. Services should be returning to normal soon enough. Thanks for
the ping.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
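
Added example, not part of Kristian's message and not code from the sks-keyservers.net tooling: a check that flags a CRL before its nextUpdate passes, which is the condition that caused the outage described above. It parses the text printed by `openssl crl -noout -lastupdate -nextupdate`; the sample dates, the 7-day warning window and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl crl -noout -lastupdate -nextupdate` output;
# the dates are illustrative, not taken from the sks-keyservers.net CRL.
SAMPLE_CRL_DATES = """\
lastUpdate=Feb 16 12:00:00 2019 GMT
nextUpdate=Mar 18 12:00:00 2019 GMT
"""

OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_crl_dates(text):
    """Return the lastUpdate/nextUpdate fields as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        value = value.strip()
        if sep and key in ("lastUpdate", "nextUpdate") and value != "NONE":
            parsed = datetime.strptime(value, OPENSSL_FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if "nextUpdate" not in fields:
        # nextUpdate is optional in a CRL; without it expiry cannot be monitored.
        raise ValueError("CRL has no nextUpdate field")
    return fields


def crl_status(text, now, warn_before=timedelta(days=7)):
    """Classify the CRL as 'ok', 'warn' or 'expired' at time `now` (hypothetical helper)."""
    dates = parse_crl_dates(text)
    remaining = dates["nextUpdate"] - now
    if remaining <= timedelta(0):
        return "expired", remaining  # validators relying on this CRL now reject every host
    if remaining <= warn_before:
        return "warn", remaining     # reissue the CRL before clients start failing
    return "ok", remaining


if __name__ == "__main__":
    for when in (datetime(2019, 3, 1, tzinfo=timezone.utc),
                 datetime(2019, 3, 15, tzinfo=timezone.utc),
                 datetime(2019, 3, 18, 15, 0, tzinfo=timezone.utc)):
        state, remaining = crl_status(SAMPLE_CRL_DATES, when)
        print(when.isoformat(), state, remaining)
```
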


Re: DNS broken for hkps.pool.sks-keyservers.net

Todd Fleisher
Thanks Kristian, looks like it’s resolving now.

-T

> On Mar 18, 2019, at 10:08 AM, Kristian Fiskerstrand <[hidden email]> wrote:
>
> Well, it's a simple enough issue. The CRL expired, so no host validated
> anymore. Services should be returning to normal soon enough. Thanks for
> the ping.


Re: DNS broken for hkps.pool.sks-keyservers.net

Jeremy T. Bouse
In reply to this post by Kristian Fiskerstrand-6
On 3/18/2019 1:08 PM, Kristian Fiskerstrand wrote:

> On 3/18/19 3:58 PM, Todd Fleisher wrote:
>> The GNUPG-users post mentions something that may be the root
>> cause: The status page for sks-keyservers.net shows no hosts are
>> currently available via hkps but other ports are available.
>> https://sks-keyservers.net/status/
>> I’m speculating here, but if whatever Kristian uses to update the
>> DNS for hkps.pool.sks-keyservers.net doesn’t think there are any
>> valid nodes available perhaps it doesn’t publish any records.
>> This would result in NXDOMAIN. Given that pool.sks-keyservers.net
>> & na.pool.sks-keyservers.net & others are still resolving
>> properly I don’t think it’s an EDNS issue.
>>
>> Adding Kristian directly in case he filters sks-devel mail.
>>
>
> Well, it's a simple enough issue. The CRL expired, so no host
> validated anymore. Services should be returning to normal soon
> enough. Thanks for the ping.
>

        I had noticed that I was only able to resolve pool.sks-keyserver.net
and not any of the others, but I hadn't said anything as I was busy
putting out some other fires around here. Happy to report I'm seeing
full resolution of all pool hostnames once again though now.