hkps.pool.sks-keyservers.net DNS failing to resolve


Todd Fleisher
Hi Kristian,
Starting @ 01-14-2020 20:45:18 UTC it seems DNS is failing to resolve successfully, with the public resolvers & NS-GLOBAL.KJSL.COM returning NXDOMAIN & the remaining authoritative servers for the returning REFUSED.

Results can be seen here: https://pastebin.com/raw/JweLJyYL

-T


Re: hkps.pool.sks-keyservers.net DNS failing to resolve

David M.
Hi Todd,

This is probably because there is no server in the pool at the moment
that has HKPS.

Check the status: https://sks-keyservers.net/status/ - (HKPS RED)

Kind regards,

David.

On 15.01.2020 at 00:25, Todd Fleisher wrote:

> Hi Kristian,
> Starting @ 01-14-2020 20:45:18 UTC it seems DNS is failing to resolve
> successfully, with the public resolvers & NS-GLOBAL.KJSL.COM returning
> NXDOMAIN & the remaining authoritative servers for the returning REFUSED.
>
> Results can be seen here: https://pastebin.com/raw/JweLJyYL
>
> -T
>
--
David Moes
Public OpenPGP 0xFBDD7EAAEDD53063 key at hkp://pgp.mit.edu
fpr: 550C D308 CC0D 1CE1 79D4  EAA0 233D B73F 31B9 7723
----------------------------
“Logic will get you from A to Z; imagination will get you everywhere.”

― Albert Einstein

Re: hkps.pool.sks-keyservers.net DNS failing to resolve

Todd Fleisher
Hi David,
Good catch, that would explain it. I suspect Kristian’s script that checks the potential HKPS nodes in order to update the DNS record is failing and/or not running. I have confirmed my HKPS-capable nodes/pool respond to queries & key uploads, but I’m not sure what criteria he is checking on his end. FWIW, I do see recent “pings” from his IP address against nodes/pool as well (UTC timestamps):

Jan 14 23:34:40 sks05 sks[17211]: 2020-01-14 23:34:40 Error handling request (POST,/pks/add,[
Jan 14 23:34:40 sks05 sks[17211]: accept:*/*
Jan 14 23:34:40 sks05 sks[17211]: connection:close
Jan 14 23:34:40 sks05 sks[17211]: content-length:82
Jan 14 23:34:40 sks05 sks[17211]: content-type:application/x-www-form-urlencoded
Jan 14 23:34:40 sks05 sks[17211]: host:sks_servers
Jan 14 23:34:40 sks05 sks[17211]: x-forwarded-for:37.191.231.105, 10.x.x.x]): Failure("Error while decoding ascii-armored key: text terminated before beginning of ascii block")

-T

On Jan 14, 2020, at 4:47 PM, David Moes <[hidden email]> wrote:

> Hi Todd,
>
> This is probably because there is no server in the pool at the moment
> that has HKPS.
>
> Check the status: https://sks-keyservers.net/status/ - (HKPS RED)
>
> Kind regards,
>
> David.

Re: hkps.pool.sks-keyservers.net DNS failing to resolve

David M.
Hi Todd,

For HKPS you must be added by Kristian to his self-signed cert, without
this you don't get listed as an HKPS-capable node.

David.

On 15.01.2020 at 02:05, Todd Fleisher wrote:

> Hi David,
> Good catch, that would explain it. I suspect Kristian’s script that
> checks the potential HKPS nodes in order to update the DNS record is
> failing and/or not running. I have confirmed my HKPS-capable nodes/pool
> respond to queries & key uploads, but I’m not sure what criteria he is
> checking on his end. FWIW, I do see recent “pings” from his IP address
> against nodes/pool as well (UTC timestamps):
>
>     Jan 14 23:34:40 sks05 sks[17211]: 2020-01-14 23:34:40 Error handling request (POST,/pks/add,[
>     Jan 14 23:34:40 sks05 sks[17211]: accept:*/*
>     Jan 14 23:34:40 sks05 sks[17211]: connection:close
>     Jan 14 23:34:40 sks05 sks[17211]: content-length:82
>     Jan 14 23:34:40 sks05 sks[17211]: content-type:application/x-www-form-urlencoded
>     Jan 14 23:34:40 sks05 sks[17211]: host:sks_servers
>     Jan 14 23:34:40 sks05 sks[17211]: x-forwarded-for:37.191.231.105, 10.x.x.x]): Failure("Error while decoding ascii-armored key: text terminated before beginning of ascii block")
>
>
> -T
>
--
David Moes
Public OpenPGP 0xFBDD7EAAEDD53063 key at hkp://pgp.mit.edu
fpr: 550C D308 CC0D 1CE1 79D4  EAA0 233D B73F 31B9 7723
----------------------------
“Logic will get you from A to Z; imagination will get you everywhere.”

― Albert Einstein

Re: hkps.pool.sks-keyservers.net DNS failing to resolve

Todd Fleisher
Hi David,

Hopefully Kristian finds and fixes his issue in the morning.

-T

On Jan 14, 2020, at 5:17 PM, David Moes <[hidden email]> wrote:

> Hi Todd,
>
> For HKPS you must be added by Kristian to his self-signed cert, without
> this you don't get listed as an HKPS-capable node.
>
> David.

Re: hkps.pool.sks-keyservers.net DNS failing to resolve

Kristian Fiskerstrand-6
On 15.01.2020 02:28, Todd Fleisher wrote:
> Hopefully Kristian finds and fixes his issue in the morning.

thanks for the heads up everyone; should be back up on next update run
(cause: crl expired)
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws


Re: hkps.pool.sks-keyservers.net DNS failing to resolve

Todd Fleisher
Hi Kristian,
Thanks for the update, it looks like DNS recovered shortly after this message was sent. However, I’m still seeing an expired CRL @ https://sks-keyservers.net/ca/crl.pem

-T

On Jan 15, 2020, at 2:19 AM, Kristian Fiskerstrand <[hidden email]> wrote:

> On 15.01.2020 02:28, Todd Fleisher wrote:
>> Hopefully Kristian finds and fixes his issue in the morning.
>
> thanks for the heads up everyone; should be back up on next update run
> (cause: crl expired)

Re: hkps.pool.sks-keyservers.net DNS failing to resolve

Kristian Fiskerstrand-6
On 15.01.2020 19:19, Todd Fleisher wrote:
> Thanks for the update, it looks like DNS recovered shortly after this
> message was sent. However, I’m still seeing an expired CRL
> @ https://sks-keyservers.net/ca/crl.pem

Yes, I cheated and disabled the check for the pool (no certs are revoked
for any actual issues anyways), but won't get around to actually
updating the crl until this evening or more likely tomorrow as that
requires special access.

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Corruptissima re publica plurimæ leges
The greater the degeneration of the republic, the more of its laws
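
The outage in this thread was traced to an expired CRL. As an added example (not code from the thread or from the sks-keyservers.net project), here is a standard-library Python check that reads `thisUpdate`/`nextUpdate` from a PEM or DER CRL and flags it before it lapses. The function names, the 7-day warning window and the sample CRL are assumptions made for illustration.

```python
import base64
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):
    """Read one DER element at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280: >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_window(data):
    """Return (thisUpdate, nextUpdate or None) from a PEM or DER X.509 CRL."""
    if b"-----BEGIN X509 CRL-----" in data:
        body = data.split(b"-----BEGIN X509 CRL-----")[1].split(b"-----END")[0]
        data = base64.b64decode(body)
    _, pos, _ = _tlv(data, 0)      # CertificateList
    _, pos, end = _tlv(data, pos)  # tbsCertList
    times = []
    while pos < end and len(times) < 2:
        tag, start, stop = _tlv(data, pos)
        if tag in (0x17, 0x18):    # UTCTime / GeneralizedTime
            times.append(_time(tag, data[start:stop]))
        elif times:                # non-time field after thisUpdate: no nextUpdate
            break
        pos = stop
    return times[0], (times[1] if len(times) > 1 else None)

def crl_state(data, now, warn=timedelta(days=7)):
    """Classify a CRL as OK, EXPIRING (inside the warn window) or EXPIRED."""
    _, next_update = crl_window(data)
    if next_update is None:
        return "NO_NEXT_UPDATE"
    if now >= next_update:
        return "EXPIRED"
    return "EXPIRING" if next_update - now <= warn else "OK"

def _der(tag, content):  # short-form encoder, enough for the sample below
    return bytes([tag, len(content)]) + content

# Constructed, unsigned sample (not the real sks-keyservers.net CRL; dates invented).
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"")
                  + _der(0x17, b"191215120000Z") + _der(0x17, b"200114120000Z")))
```

Run from cron against the published CRL file, an `EXPIRING` result gives the operator time to reissue before relying parties start rejecting it.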

