Your message dated Mon, 14 Sep 2015 10:49:44 -0400
with message-id <[email protected]>
and subject line Re: Bug#798911: sks: one of my listed peers seems to be unauthorized
has caused the Debian Bug report #798911,
regarding sks: one of my listed peers seems to be unauthorized
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
798911: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=798911
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sks
Version: 1.1.5-4
Severity: normal
Tags: upstream
Dear Maintainer,
I was looking at my sks logs, and I saw the following error:
==> /var/log/sks/recon.log <==
2015-09-13 22:28:00 Reconciliation attempt from unauthorized host
<ADDR_INET [157.7.123.130]:49955>. Ignoring
I checked that host, and it is one that is in my membership file.
bminton:~# host 157.7.123.130
130.123.7.157.in-addr.arpa domain name pointer tyo1.sks.reimu.io.
bminton:~# grep tyo /etc/sks/membership
tyo1.sks.reimu.io 11370 # Siyuan Miao <[email protected]> 0x367B7A82
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.0.0 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages sks depends on:
ii adduser 3.113+nmu3
ii db5.3-util 5.3.28-9+b1
ii libc6 2.19-19
ii libdb5.3 5.3.28-9+b1
ii logrotate 3.8.7-2
ii zlib1g 1:1.2.8.dfsg-2+b1
sks recommends no packages.
Versions of packages sks suggests:
ii exim4-daemon-heavy [mail-transport-agent] 4.86-2
ii procmail 3.22-25
-- Configuration Files:
/etc/default/sks changed:
initstart=yes
/etc/sks/membership changed:
keyserver2.brian.minton.name 11370 # Brian Minton <[email protected]> 0x0424DC19B678A1A9
sks-peer.spodhuis.org 11370 # Phil Pennock <[email protected]> 0x4D1E900E14C1CC04
ams.sks.heypete.com 11370 # Pete Stephenson <[email protected]> 0x85EB9F44
keyserver.matteoswelt.de 11370 # Matthias Schreiber <[email protected]> 0x586A2E13F52616561BFC32C95B964AE610D49726
sks.openpgp-keyserver.de 11370 # Matthias Schreiber <[email protected]> 0x586A2E13F52616561BFC32C95B964AE610D49726
keyserver.serviz.fr 11370 # robert <[email protected]> 0xEF333C7E
keyserver.zap.org.au 11370 # John Zaitseff <[email protected]> 0xB0F6BC7F46D30F1432FC46190D254111C4EE569B
keyserver.pkern.at 11370 # Patrik Kernstock (Patschi) <[email protected]> 0xCE2B7F40349BD082
sks.labs.nic.cz 11370 # Petr Černohouz <[email protected]> 0x23CF492BB8F74257
keyserver.codinginfinity.com 11370 # Andrew Broekman <[email protected]> 0xDE4B8C1A85F10FC4377EF2A45C54415118451EAC
keyserver.mattrude.com 11370 # Matt Rude <[email protected]> 0xDD23BF73
alleinuntermenschen.de 11370 # Jannick Fahlbusch <[email protected]> 0x82747E05
keyserver.lsuhscshreveport.edu 11370 # John Mire <[email protected]> 0xe3df4a51500026e6
pgp.h-ix.net 11370 # Tim Haga <[email protected]> 0xF5623DA52DAC97ED
keyserver.bdr.net.pl 11370 # Bartlomiej Rodek <[email protected]> 0xBA093762DD821B32
openpgp-keyserver.eu 11370 # robert olesinski <[email protected]> 0x682302D6
gpg.directory 11370 # TELEHOST Office <[email protected]>
pgp.ohai.su 11370 # Lukas Martini <[email protected]> 0xC9E1BD2C
tyo1.sks.reimu.io 11370 # Siyuan Miao <[email protected]> 0x367B7A82
europe.bbs4.us 11370 # Jonathan Zhang (ECC) <[email protected]> 0xb35b27e07f99abec
key.bbs4.us 11370 # Jonathan Zhang (ECC) <[email protected]> 0xb35b27e07f99abec
keysrv.technl.net 11370 # E. van Harten <[email protected]> 0x9E27CC40
195.43.138.170 11370 #unknown host trying to recon with me
2001:67c:270:4005::199 11370 #the preceding two hosts are all technl.net
keyserver.erat.systems 11370 # Jens Erat <[email protected]> 0xA4FF2279
pgp.gwolf.org 11370 # Gunnar Wolf <[email protected]> 0x673A03E4C1DB921F
keys.jhcloos.com 11370 # James Cloos <[email protected]> 0x997A9F17ED7DAEA6
keyserver.globale-gruppe.de 11370 # Ramón Goeden <[email protected]> 0xb7c51fd6
pgp.net.nz 11370 # [email protected]
keys.enteig.net 11370 # Malte <[email protected]> 0x0CC576E9703E1DDC
keyserver.bonus-communis-bibliotheca.eu 11370 # Pascal Levasseur <[email protected]>
pgp.kama.gs 11730 #unknown contact info -- host trying to recon with me
keyserver.74h.eu 11370 #unknown contact info -- host trying to recon with me
/etc/sks/sksconf changed:
hostname: keyserver.brian.minton.name
hkp_address: 127.0.0.1
hkp_port: 11371
from_addr: "PGP Key Server Administrator <[email protected]>"
sendmail_cmd: /usr/lib/sendmail -t -oi -f [email protected]
initial_stat:
pagesize: 16
ptree_pagesize: 16
server_contact: 0x0424DC19B678A1A9
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Brian--
[re: https://bugs.debian.org/798911 ]
On Sun 2015-09-13 22:36:00 -0400, Brian Minton wrote:
> I was looking at my sks logs, and I saw the following error:
>
> ==> /var/log/sks/recon.log <==
> 2015-09-13 22:28:00 Reconciliation attempt from unauthorized host
> <ADDR_INET [157.7.123.130]:49955>. Ignoring
>
> I checked that host, and it is one that is in my membership file.
>
> bminton:~# host 157.7.123.130
> 130.123.7.157.in-addr.arpa domain name pointer tyo1.sks.reimu.io.
> bminton:~# grep tyo /etc/sks/membership
> tyo1.sks.reimu.io 11370 # Siyuan Miao <[email protected]> 0x367B7A82
The reverse lookup may indicate this IP address is OK, but the forward
lookup from the hostname doesn't exist -- it is a CNAME to
tyo1-ipv6.sks, which is not a valid hostname:
0 dkg@alice:~$ dig tyo1.sks.reimu.io
; <<>> DiG 9.9.5-12-Debian <<>> tyo1.sks.reimu.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 64824
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;tyo1.sks.reimu.io. IN A
;; ANSWER SECTION:
tyo1.sks.reimu.io. 232 IN CNAME tyo1-ipv6.sks.
;; AUTHORITY SECTION:
. 1732 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2015091400 1800 900 604800 86400
;; Query time: 21 msec
;; SERVER: 10.70.0.254#53(10.70.0.254)
;; WHEN: Mon Sep 14 10:45:49 EDT 2015
;; MSG SIZE rcvd: 148
0 dkg@alice:~$
sks can't (shouldn't) rely on reverse lookups. Otherwise, anyone who
knows who your peers are (which is anyone, since most sks hosts publish
their list of peers) can just set up their reverse DNS to say any of
your peers, and you'd accept traffic from them.
You should ask Siyuan Miao (cc'ed here) to clean up the DNS records
published for your peer.
So i think sks is doing the right thing here; i'm closing this bug
because i think it's behaving as intended. But i could be wrong! If
so, please explain what i've missed, and feel free to re-open the bug
(or ask me to re-open it, which i'll happily do).
Regards,
--dkg
--- End Message ---
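The peer-authorization argument in the reply above (forward-resolve the membership hostnames, never trust the PTR of the connecting address), as an added Python example that is not SKS code and not part of this bug thread; the DNS tables, hostnames and addresses are constructed stand-ins, and the membership-file syntax follows the report's `host port # contact` lines:

```python
import ipaddress

# Constructed DNS data standing in for a real resolver (added example, not SKS code).
# FORWARD: A/AAAA answers per hostname. A name that is a CNAME to a non-existent
# target, like tyo1.sks.reimu.io in the report, resolves to no address at all.
FORWARD = {
    "keyserver.example.org": ["192.0.2.10", "2001:db8::10"],
    "tyo1.sks.example": [],
}
# REVERSE: PTR records. Whoever operates an address block controls its PTRs, so a
# PTR may name any hostname, including one of your legitimate peers.
REVERSE = {"203.0.113.7": "keyserver.example.org"}

# Constructed membership file in the format shown in the bug report.
MEMBERSHIP = """\
keyserver.example.org 11370 # Example Admin <admin@example.org>
tyo1.sks.example 11370 # peer whose forward DNS is broken
"""

def parse_membership(text):
    """Parse sks membership lines of the form '<host> <port> # contact'."""
    peers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            peers.append((fields[0], int(fields[1])))
    return peers

def authorized_addresses(peers, resolve=lambda h: FORWARD.get(h, [])):
    """Forward-resolve each peer hostname; only these addresses are trusted."""
    return {ipaddress.ip_address(a) for host, _ in peers for a in resolve(host)}

def is_authorized_forward(addr, peers, resolve=lambda h: FORWARD.get(h, [])):
    """Forward check: does the connecting address appear in the resolved set?"""
    return ipaddress.ip_address(addr) in authorized_addresses(peers, resolve)

def is_authorized_reverse(addr, peers, ptr=lambda a: REVERSE.get(a)):
    """The insecure alternative: trust the PTR the remote network publishes."""
    return ptr(addr) in {host for host, _ in peers}

def unresolvable_peers(peers, resolve=lambda h: FORWARD.get(h, [])):
    """Membership entries with no forward address: recon attempts from them are
    logged as 'unauthorized host' until the peer's DNS is fixed."""
    return [host for host, _ in peers if not resolve(host)]

def demo():
    peers = parse_membership(MEMBERSHIP)
    return {
        "real_peer_v6": is_authorized_forward("2001:db8::10", peers),
        "spoofed_ptr_forward_check": is_authorized_forward("203.0.113.7", peers),
        "spoofed_ptr_reverse_check": is_authorized_reverse("203.0.113.7", peers),
        "broken_peers": unresolvable_peers(peers),
    }
```

Running `unresolvable_peers` against a real membership file (with a resolver that returns `socket.getaddrinfo` results) is a quick way to find which listed peer is producing "unauthorized host" log lines.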